Daily Cyber News – November 3rd, 2025
This is today’s cyber news for November 3rd, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Over several months, Ribbon Communications said intruders believed to be state linked burrowed into parts of its network. Production and customer services continued to run. Investigators confirmed access to some internal systems and began a review of source code exposure and customer touchpoints that could extend risk. Scoping work continues today across teams.
A hacker claimed to hold about one point two million donor records tied to the University of Pennsylvania after offensive campus emails. Officials opened an investigation. Teams are verifying authenticity and scope while tracing the path from initial account compromise to a public data theft claim now pressuring the university to respond. Verification work is still underway today.
Authorities extradited a Ukrainian national tied to the Conti ransomware crew to the United States, U S. The case involves high impact extortion. The transfer reflects growing cross border cooperation that can surface infrastructure details, alias histories, and potential co-conspirators when charging documents and testimony become public. Federal court proceedings begin soon in the case.
Active campaigns exploited Windows Server Update Services, W S U S, to hijack update approvals inside enterprise networks. Trusted channels were turned into malware pipes. An out of band fix is available, and early reports suggest dozens of organizations are combing approval logs and distribution records for unauthorized packages. Fleet wide validation continues across many environments today.
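The approval review described above, as an added example that is not from the page or from Microsoft: this PowerShell script lists every WSUS approval recorded in a lookback window, who made it, which target group it reached, and whether the update was locally published rather than synced from Microsoft Update. The lookback window and the list of accounts allowed to approve updates are assumptions to adjust for your environment; it is meant to be run on the WSUS server itself by a WSUS administrator.

```powershell
# Added example, not from the original page. Run on the WSUS server as a WSUS
# administrator; requires the UpdateServices module that ships with the role.
Import-Module UpdateServices

$lookbackDays   = 30                      # assumption: review window
$expectedAdmins = @('CORP\wsusadmin')     # assumption: accounts allowed to approve

$wsus  = Get-WsusServer                   # connects to the local server on the default port
$since = (Get-Date).AddDays(-$lookbackDays)

# GetUpdates() returns every update the server knows about; each update carries
# its own approval history, including the account name that performed the approval.
$findings = foreach ($u in $wsus.GetUpdates()) {
    foreach ($a in $u.GetUpdateApprovals()) {
        if ($a.CreationDate -lt $since) { continue }
        $group = $wsus.GetComputerTargetGroup($a.ComputerTargetGroupId).Name
        [pscustomobject]@{
            Approved         = $a.CreationDate
            Action           = $a.Action              # Install, Uninstall, NotApproved
            Admin            = $a.AdministratorName
            TargetGroup      = $group
            Title            = $u.Title
            LocallyPublished = $u.IsLocallyPublished  # true for content not synced from Microsoft
            Publisher        = ($u.CompanyTitles -join ';')
            # Flag anything that was locally published or approved by an unexpected account.
            Suspicious       = ($u.IsLocallyPublished -or ($expectedAdmins -notcontains $a.AdministratorName))
        }
    }
}

$findings | Sort-Object Approved -Descending | Format-Table -AutoSize
$findings | Where-Object Suspicious |
    Export-Csv -NoTypeInformation -Path .\wsus-suspicious-approvals.csv
```

Enumerating every update on a large server takes minutes; narrow it with `$wsus.GetUpdates()` replaced by a scoped query if the catalog is big. Auto-approval rules record a built in service name rather than a person in the administrator field, so add that name to the allowed list if you rely on them; the rows that matter are approvals nobody on the team remembers making and any locally published package that reached a production target group.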
Researchers observed the BadCandy web implant persisting on certain Cisco routers after exploitation of internet facing management interfaces. The implant grants admin level control. Weak credentials and aging branch hardware widened exposure while quiet configuration edits and startup scripts allowed persistence that could survive device reboots across sites. Vendor detection and rebuild guidance is available.
Google patched a critical flaw in Google Chrome that attackers had already exploited against real users. Drive-by pages could trigger code execution. The issue centers on the JavaScript engine and allowed crafted sites to subvert the browser's built in protections and run attacker code on endpoints that hold session tokens and cookies. Automatic updates are rolling out now, and administrators are confirming version baselines across managed fleets.
A VMware flaw joined the Known Exploited Vulnerabilities, K E V, list after reports of active use against management components. Privilege elevation and lateral movement were possible. Data centers that expose management interfaces or reuse administrative credentials faced higher risk as attackers pried into clusters and hosted workloads. Patches and hardening guidance are available, and teams are reviewing logs for suspicious admin actions and recent snapshot or switch changes.
Investigators linked a Windows zero day chain to a China linked group targeting European Union, E U, diplomatic entities. The chain was delivered through forged Windows shortcut files that launched the payload quietly. The operation rotated infrastructure frequently and staged data collection carefully, a pattern that signals mature tradecraft designed to evade simple blocklists. Microsoft shared limited indicators and remediation steps while investigations continue across affected networks.
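One way to hunt for malicious shortcut files of the kind mentioned above, as an added example that is not from the page or from Microsoft's indicators: this PowerShell script walks user profile and Start Menu folders, reads each .lnk through the WScript.Shell COM object, and flags shortcuts whose target is a script host or command interpreter, whose arguments are unusually long or contain download and encoding keywords, or that are set to run minimized. The folder roots, interpreter list, and thresholds are assumptions to tune for your environment.

```powershell
# Added example, not from the original page. Hunts for Windows shortcut (.lnk)
# files that launch an interpreter or download tool rather than a normal program.
$roots = @("$env:SystemDrive\Users",
           "$env:ProgramData\Microsoft\Windows\Start Menu")          # assumption: where to look
$launchers = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
             'mshta.exe','rundll32.exe','regsvr32.exe','msiexec.exe','certutil.exe'

$shell = New-Object -ComObject WScript.Shell

$hits = Get-ChildItem -Path $roots -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk       = $shell.CreateShortcut($_.FullName)   # parses the existing .lnk; does not create one
        $exe       = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $arguments = [string]$lnk.Arguments
        $flags     = @()

        if ($launchers -contains $exe)  { $flags += 'launcher-target' }
        if ($arguments.Length -gt 200)  { $flags += 'long-arguments' }     # padded or obfuscated command lines
        if ($arguments -match '(?i)(^|\s)-e(c|nc|ncodedcommand)?\s|frombase64|\biex\b|downloadstring|https?://') {
            $flags += 'download-or-encoded'
        }
        if ($lnk.WindowStyle -eq 7)     { $flags += 'minimized-window' }   # 7 = run minimized, hides the console

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Target    = $lnk.TargetPath
                Arguments = $arguments.Substring(0, [Math]::Min(120, $arguments.Length))
                Flags     = ($flags -join ',')
            }
        }
    }

$hits | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

The COM parser is convenient for triage but is not a forensic LNK parser: it reports the fields Windows would use to launch the shortcut, not the raw structure, so confirm anything interesting with a dedicated parser before treating it as an indicator. A shortcut whose icon and name suggest a document while its target is a script host is the classic pattern to escalate.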
Ransomware crews resurfaced a previously known Linux kernel bug to gain local privilege after an initial foothold. Outdated server images increased exposure significantly. Operators chained the kernel issue with credential theft to spread across servers and containers, hitting environments that missed security backports. Vendors released updated packages, and many fleets are scheduling rebuilds and patches now.
Publishing tokens for the Open VSX marketplace leaked and allowed unauthorized parties to upload or modify extensions and poison update channels. Supply chain risk spiked for developers. Operators revoked affected credentials, audited packages, and urged publishers to rotate secrets while projects explored stricter signing to detect tampering. Users were told to verify authorship and review recent change histories before trusting updates.
Authorities said a developer tied to the Jabber Zeus malware crew is now in United States, U S, custody. The transfer followed coordination with European partners. Investigators linked the suspect to credential theft and wire fraud schemes that siphoned funds from banks and businesses using web injects. Court proceedings will now begin, and filings are expected to reveal aliases, infrastructure, and timelines relevant to other cases.
Researchers reported that a suspected China linked group exploited a Lanscope endpoint manager zero day before patches were available. They piggybacked on device management workflows. Using policy scripts and trusted channels, the operators pushed updated backdoors to many clients and pried into networks at speed. Vendor guidance is live, and enterprises are applying fixes, rotating administrator credentials, and reviewing console audit logs for unauthorized changes.
Security teams described Airstalk, a technique that hides command traffic inside mobile device management, M D M, workflows to control phones. It piggybacks on enrollment and policy updates. Researchers observed staged payloads, rotating servers, and selective targeting of vendors and their downstream customers, which reduced obvious network noise during exfiltration. Remediation efforts are underway as teams tighten enrollment controls, review third party connectors, and require device attestation before policies reach critical roles.
Researchers described an endpoint detection and response, E D R, redirection method that blinds Microsoft Defender on Windows eleven. It abuses fake Program Files paths. By creating reparse points and lookalike directories, attackers hid activity from endpoint sensors while keeping legitimate applications running without obvious crashes. Microsoft guidance is active now, with Tamper Protection, application control, and integrity checks being pushed across fleets.
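A fleet check that follows from the item above, as an added example that is not from the page or from Microsoft's guidance: this PowerShell script enumerates directory reparse points on the system drive whose name or target resembles a Program Files or Windows Defender path, reads the path the Defender service actually runs from, and reports Tamper Protection and real-time protection state. The expected Defender platform location is an assumption for a default Windows 11 install; run it elevated.

```powershell
# Added example, not from the original page. Run elevated on the endpoint.

# 1. Directory reparse points (junctions, symlinks) anywhere on the system drive
#    whose name or target looks like a Program Files or Defender path.
$reparse = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force `
        -Attributes Directory+ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item   = Get-Item -LiteralPath $_.FullName -Force
        $target = ($item.Target -join ';')        # Target is string[] on 5.1, string on 7; join handles both
        if (($_.Name -match '(?i)program\s*files') -or
            ($target -match '(?i)program\s*files|windows\s*defender')) {
            [pscustomobject]@{ Path = $_.FullName; LinkType = $item.LinkType; Target = $target }
        }
    }

# 2. The Defender service binary should live under the real ProgramData platform
#    tree, not under a lookalike directory reached through a junction.
$svc        = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
$enginePath = if ($svc) { $svc.PathName.Trim('"') } else { '<service not found>' }
$expected   = "$env:ProgramData\Microsoft\Windows Defender\Platform\*"   # assumption: default install

# 3. Protection state as reported by the Defender module.
$status = Get-MpComputerStatus

[pscustomobject]@{
    DefenderEnginePath  = $enginePath
    EngineUnderRealRoot = ($enginePath -like $expected)
    TamperProtection    = $status.IsTamperProtected
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    AntivirusEnabled    = $status.AntivirusEnabled
    SuspiciousReparse   = @($reparse).Count
}
$reparse | Format-Table -AutoSize -Wrap
```

A full recursion of the system drive is slow; scope `-Path` to the roots that matter once you know where lookalike directories tend to appear. Legitimate junctions exist under user profiles and some installers, so treat the list as leads rather than verdicts, but a junction named after Program Files that points somewhere unexpected, or a Defender engine path outside the platform tree, deserves an immediate look.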
Russian authorities detained individuals accused of running the Meduza Stealer service after a prominent government compromise came to light. Police seized servers and databases today. Investigators said the malware siphoned cookies, tokens, and saved passwords from browsers, enabling intruders to reuse sessions and pry into business accounts. Follow on work is underway as teams invalidate tokens, refresh passwords, and review sign ins tied to previously infected devices.
That’s the BareMetalCyber Daily Brief for November 3rd, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.