Daily Cyber News – November 5th, 2025

This is today’s cyber news for November fifth, twenty twenty-five. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Overnight, researchers revealed flaws in Microsoft Teams that let an attacker spoof a coworker and alter chat content. One example showed payment instructions edited inside a channel where approvals usually happen, turning a simple message into a misleading order. The mechanism involved crafted requests that impersonated trusted identities, which muddied audit trails and created room for invoice fraud. Microsoft acknowledged the issues, shipped updates, and is still investigating where governance changes are needed.

Meanwhile, Google Play hosted dozens of malicious Android apps that collectively amassed about forty-two million downloads before takedowns. Titles posed as utilities and photo tools, then quietly pulled extra code to harvest data and spray aggressive advertising once installed. The scheme leaned on name changes, fresh publishers, and staggered updates to piggyback on store trust and slip past basic reviews. Google removed many listings, banned related developer accounts, and is blocking associated networks.

Today, Nikkei disclosed that attackers accessed a Slack workspace used by roughly seventeen thousand employees and partners. Exposed details include names, email addresses, and channel histories that reference projects and access context valuable to social engineers. The intrusion relied on stolen tokens and permissive integrations that granted wide visibility across internal conversations. Nikkei revoked suspect tokens, tightened access, notified regulators, and continues to review logs for misuse.

Soon after, agencies and enterprises reported China-linked probing of Cisco firewalls positioned at the internet edge. In several cases, weak or stolen credentials opened the door, letting operators establish persistence and pivot toward identity and management systems. The tradecraft favored living-off-the-land actions and careful log pruning to quietly sustain access through normal patch cycles. Cisco published hardening guidance and indicators, and defenders are rotating credentials and increasing perimeter logging.

Finally, analysts documented a backdoor called SesameOp that hides its beacons inside traffic that looks like calls to OpenAI services. The trick camouflages command and control by mimicking application programming interface, A P I, requests that many teams allow by default. Once established, the implant can fetch tasks, exfiltrate small chunks, and update modules while blending into routine artificial intelligence, A I, usage. Investigations are ongoing, and teams are adding egress checks that validate request headers, methods, and payload sizes.
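The egress checks mentioned above can be illustrated with a small script. This is an added example, not code from the brief or from any vendor, and it works over a constructed set of outbound-request records: the host name, the per-host policy (expected method, required headers, client user-agent prefix, payload size bounds) and the beacon-cadence threshold are all assumptions chosen for illustration. It flags requests that do not look like the organisation's own API client, and separately flags sources that call the host at a near-constant interval, which is what a periodic beacon looks like in proxy logs.

```python
"""Egress policy check for outbound API-style traffic (added example).

Input: newline-delimited JSON records as a proxy or egress gateway
might emit them.  Output: per-request policy violations plus sources
whose request timing looks like a fixed-interval beacon.
"""
import json

# Assumed policy for one allowed API host.  The host name is a
# placeholder, and every value here is illustrative rather than taken
# from any provider's documentation.
POLICY = {
    "api.example-ai-provider.test": {
        "allowed_methods": {"POST"},
        "required_headers": {"authorization", "content-type", "user-agent"},
        "allowed_user_agent_prefixes": ("corp-assistant/",),  # assumed in-house client
        "min_body_bytes": 32,
        "max_body_bytes": 64 * 1024,
    }
}

# Constructed sample log: one host that sends well-formed requests, one
# host that polls every 60 seconds with GETs and then posts a tiny body.
SAMPLE_LOG = """\
{"ts": 1762300000, "src": "10.0.5.17", "host": "api.example-ai-provider.test", "method": "POST", "headers": {"authorization": "Bearer REDACTED", "content-type": "application/json", "user-agent": "corp-assistant/2.3"}, "body_bytes": 812}
{"ts": 1762300600, "src": "10.0.5.17", "host": "api.example-ai-provider.test", "method": "POST", "headers": {"authorization": "Bearer REDACTED", "content-type": "application/json", "user-agent": "corp-assistant/2.3"}, "body_bytes": 1934}
{"ts": 1762300005, "src": "10.0.9.42", "host": "api.example-ai-provider.test", "method": "GET", "headers": {"user-agent": "Mozilla/5.0"}, "body_bytes": 0}
{"ts": 1762300065, "src": "10.0.9.42", "host": "api.example-ai-provider.test", "method": "GET", "headers": {"user-agent": "Mozilla/5.0"}, "body_bytes": 0}
{"ts": 1762300125, "src": "10.0.9.42", "host": "api.example-ai-provider.test", "method": "GET", "headers": {"user-agent": "Mozilla/5.0"}, "body_bytes": 0}
{"ts": 1762300185, "src": "10.0.9.42", "host": "api.example-ai-provider.test", "method": "POST", "headers": {"authorization": "Bearer REDACTED", "content-type": "application/json", "user-agent": "Mozilla/5.0"}, "body_bytes": 9}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_request(rec):
    """Return the list of policy violations for one outbound request."""
    policy = POLICY.get(rec["host"])
    if policy is None:
        return []  # host not covered by this policy; other controls apply
    findings = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if rec["method"] not in policy["allowed_methods"]:
        findings.append(f"unexpected method {rec['method']}")
    missing = sorted(policy["required_headers"] - set(headers))
    if missing:
        findings.append("missing headers: " + ", ".join(missing))
    ua = headers.get("user-agent", "")
    if not ua.startswith(policy["allowed_user_agent_prefixes"]):
        findings.append(f"unknown client user-agent {ua!r}")
    size = rec.get("body_bytes", 0)
    if rec["method"] == "POST" and not (
        policy["min_body_bytes"] <= size <= policy["max_body_bytes"]
    ):
        findings.append(f"payload size {size} outside expected range")
    return findings


def beacon_candidates(records, min_hits=3, max_jitter=0.10):
    """Flag (src, host) pairs whose requests arrive at near-constant intervals.

    A source needs at least `min_hits` requests, and every gap must lie
    within `max_jitter` (fraction of the mean gap) of the mean.
    Returns tuples of (src, host, mean_gap_seconds, hit_count).
    """
    by_key = {}
    for r in records:
        by_key.setdefault((r["src"], r["host"]), []).append(r["ts"])
    out = []
    for (src, host), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        spread = max(abs(g - mean) for g in gaps) / mean
        if spread <= max_jitter:
            out.append((src, host, round(mean), len(stamps)))
    return out


def audit(text):
    """Run both checks over a log and return the combined findings."""
    records = parse_log(text)
    violations = [
        (r["src"], r["ts"], findings)
        for r in records
        if (findings := check_request(r))
    ]
    return {"violations": violations, "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for src, ts, findings in result["violations"]:
        print(f"{ts} {src}: " + "; ".join(findings))
    for src, host, gap, hits in result["beacons"]:
        print(f"beacon-like cadence: {src} -> {host} every ~{gap}s ({hits} hits)")
```

The two checks are deliberately independent: a well-formed request that passes every header and size rule can still be flagged by its timing, and a one-off malformed request is caught even without a cadence. In a real deployment the policy table would be generated from the application's actual client behaviour rather than written by hand.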

Researchers disclosed a vulnerability in the Post S M T P plugin for WordPress that enables attackers to reset passwords or create privileged sessions. One public scan showed automated attempts against sites with hundreds of thousands of installs, including storefronts and donation pages. The mechanism abuses weak flows in the email utility to trigger account changes and then quietly modify themes or payment scripts after hours. Maintainers issued a fixed version, and hosting providers began pushing mitigations where they could.

Today, maintainers of the React Native command line interface, C L I, patched a high-severity issue that could execute remote code on developer laptops. A concrete case involved a project template that fetched scripts from an untrusted source during scaffolding and then spawned unexpected processes. The pathway piggybacked on developer convenience where tokens, signing keys, and cloud roles often live side by side on the same machine. Updates are available, and teams are tightening defaults and rotating developer credentials.

Google released the monthly Android update to fix a critical flaw that allowed remote code execution at the system level. Billions of eligible devices depend on vendors and carriers for rollout timing, and many fleets will wait weeks. The attack used crafted content delivered by normal apps or browsing paths to trigger the vulnerable component and seize control. Pixel devices received patches immediately, while other models entered staged release cycles.

Meanwhile, a trojanized extension on the Open V S X marketplace handed remote access to Windows systems before it was removed. About fourteen thousand downloads were recorded, and the extension posed as a helpful developer tool while it quietly pulled a second-stage payload. The route exploited the trust users place in integrated development environments, I D Es, and self-serve extension installs that often lack centralized review. Moderators banned the publisher, shared indicators, and tightened submission checks.

Law enforcement across several countries dismantled a crypto investment scam network after coordinated raids and seizures. Authorities estimated roughly six hundred million euros in losses, and evidence included call center scripts, victim lists, and server images. The fraud fused boiler-room telemarketing with web dashboards that mimicked real exchanges, which lured small businesses and retail investors into steady deposits. Agencies froze assets, arrested suspects, and signaled more charges as data is processed.

Liquidity pools on Balancer, the decentralized finance, D E F I, protocol, suffered a major exploit that siphoned more than one hundred million dollars. Attackers manipulated pool logic and routed stolen funds through mixers and cross-chain bridges, which blurred money trails and slowed responders. Core contracts were paused, exchanges were warned, and addresses linked to the theft were flagged to limit cash-outs. A post-mortem is underway to explain the weakness and map fixes for contract logic and controls.

Google’s artificial intelligence, A I, fuzzing project known as Big Sleep helped Apple fix multiple WebKit issues in Safari. The flaws centered on memory safety problems that could cause crashes or, in some cases, code execution in the browser engine. Updates shipped across supported mac O S and i O S versions with staggered availability by region and device, and neither company reported active exploitation. Users are being prompted to install the latest releases while management systems enforce minimum browser versions for business access.

After October updates, some Windows ten machines displayed false end of support warnings. The banner triggered premature upgrade tickets and change activity, which disrupted normal schedules in larger fleets. The issue stemmed from servicing detection that misread status and pushed the pop-up despite devices remaining in support. Microsoft acknowledged the problem, offered suppression guidance, and prepared a corrective update.

Microsoft announced it will retire Application Guard for Office by twenty twenty-seven. One example showed a workflow that relied on the isolation container for untrusted supplier documents, which hid risks in day-to-day exchanges. The change removes a virtualization-based safety net and shifts protection toward Protected View, Defender signals, and conditional access controls. Timelines and migration guidance are published, and enterprises are beginning trials of layered replacements.

Microsoft said Entra I D will automatically revoke and clear cached credentials when a phone is flagged as rooted or jailbroken. A concrete case involves a contractor device that suddenly loses access once compliance checks declare it compromised. The mechanism ties device health signals to token cleanup, which cuts off lingering access that could bypass manual revocation. Admins are tuning thresholds and testing the wipe and reissue flow to reduce user disruption.

Researchers reported that the JobMonster WordPress theme contains a flaw that can grant administrative rights in certain configurations. A visible example is a public-facing careers site where registration and profile features expose the vulnerable path to privilege escalation. The route lets an attacker create or elevate accounts and then alter templates or inject skimmers into hiring pages. A patched release exists, and site owners are updating and restricting registration while they verify versions.

That’s the BareMetalCyber Daily Brief for November fifth, twenty twenty-five. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.
