Daily Cyber News – October 27th, 2025
This is today’s cyber news for October 27th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Microsoft rushed an emergency fix because attackers are abusing Windows Server Update Services, or W S U S, to run code and push bad updates. A poisoned update server can silently infect every domain-joined computer in one sweep. Organizations that still rely on on-premises update servers without strict change control are most exposed. Watch for new local administrator accounts right after updates and unusual outbound traffic from the W S U S host. Your next step is to patch W S U S now, or pause approvals and check that no rogue updates went out in the last seventy-two hours.
Amazon explained that a failure in the Domain Name System, or D N S, caused a chain reaction inside Amazon Web Services, or A W S, leading to hours of sign-in and checkout trouble. That matters because single-region, single-cloud designs leave critical customer journeys fragile. Teams with manual or untested failover were hit the hardest. Watch for spikes in server errors and health checks that flip rapidly between passing and failing. Your next step is to prove automatic multi-region failover for your top three transactions and throttle retries to prevent cascading outages.
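The "throttle retries" advice above is worth seeing in code. This added example (not from the newsletter or from AWS) shows a retry budget plus full-jitter exponential backoff: a client may retry a failing call only while retries stay under a fixed fraction of all requests, so a dependency that is already struggling is not hit with a multiplied load. The flaky() helper is a constructed stand-in for an upstream service.

```python
import random
import time

class RetryBudget:
    """Permit retries only while they stay under `ratio` of all requests seen,
    with a small floor so a quiet client can still retry at all."""
    def __init__(self, ratio=0.1, min_per_window=3):
        self.ratio, self.min_per_window = ratio, min_per_window
        self.requests = self.retries = 0

    def record_request(self):
        self.requests += 1

    def can_retry(self):
        allowed = max(self.min_per_window, int(self.requests * self.ratio))
        return self.retries < allowed

    def record_retry(self):
        self.retries += 1

def backoff_delay(attempt, base=0.2, cap=5.0, rng=random):
    """Full-jitter exponential backoff: uniform(0, min(cap, base * 2**attempt)).
    Jitter spreads retries out so clients do not all return at the same instant."""
    return rng.uniform(0, min(cap, base * (2 ** attempt)))

def call_with_retry(fn, budget, max_attempts=4, sleep=time.sleep, rng=random):
    """Call fn(); on an exception, back off and retry while the budget allows.
    Returns (result, attempts_used); re-raises once retries are exhausted or denied."""
    budget.record_request()
    for attempt in range(max_attempts):
        try:
            return fn(), attempt + 1
        except Exception:
            if attempt + 1 == max_attempts or not budget.can_retry():
                raise
            budget.record_retry()
            sleep(backoff_delay(attempt, rng=rng))

def flaky(failures):
    """Constructed dependency: raises ConnectionError `failures` times, then returns 'ok'."""
    state = {"left": failures}
    def call():
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("upstream unavailable")
        return "ok"
    return call
```

In a real service the budget would be shared across calls and reset per time window; here it is a simple counter so the behaviour is easy to follow.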
Researchers warned that a new flaw in BIND lets attackers poison resolver caches and redirect users to fake sites. That is important because compromised D N S breaks trust for logins, software updates, and payments. Organizations running internet-facing or legacy recursive resolvers are most exposed. Watch for sudden S E R V F A I L spikes, unexpected changes to which servers claim authority, and odd time-to-live values. Your next step is to update BIND, enable D N S S E C, and restrict recursion to internal networks.
LockBit returned with faster ransomware that targets Windows, Linux, and VMware E S X I hypervisors. This matters because quicker encryption and shorter dwell times raise the odds of real business disruption. Mid-market firms with flat networks and unsegmented virtualization clusters are most exposed. Watch for surprise snapshots, datastore input-output spikes, and new traffic to anonymity networks like T O R. Your next step is to enforce multi-factor authentication, or M F A, on remote access, patch edge devices, segment E S X I hosts, and confirm offline backup restores actually work.
Attackers are taking over WordPress sites by abusing old, unpatched plugins that many sites still run. That matters because hijacked sites lead to web shells, rogue administrators, spam, and payment skimming. Small teams on shared hosting with weak update hygiene are most exposed. Watch for new P H P files in uploads, changes to w p dash config dot p h p, and bursts of P O S T requests to admin dash ajax dot p h p. Your next step is to update or remove risky plugins, lock file writes, and verify no new administrators or shells exist.
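Two of the indicators above, bursts of POST requests to admin-ajax.php and PHP files being served from the uploads tree, can be checked straight from the web server access log. This is an added example, not code from the newsletter; it assumes the combined log format and uses constructed sample lines rather than real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields the checks need, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": int(m.group("status")),
            "path": m.group("path").split("?", 1)[0],
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_ajax_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: peak count} for clients that send >= threshold POSTs to
    admin-ajax.php inside any sliding window of window_seconds."""
    recent, peaks = defaultdict(deque), {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or not rec["path"].endswith("/admin-ajax.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks

def find_php_in_uploads(lines):
    """Requests for .php under /wp-content/uploads/: that tree holds media, not code,
    so any hit (above all a 200) deserves a look at the file on disk."""
    return [(r["ip"], r["path"], r["status"]) for r in filter(None, map(parse_line, lines))
            if r["path"].startswith("/wp-content/uploads/") and r["path"].endswith(".php")]

# Constructed sample traffic (not a real site): a 12-request burst from one client,
# one normal heartbeat from another, then a fetch of a PHP file sitting in uploads.
SAMPLE_LOG = [
    f'203.0.113.7 - - [27/Oct/2025:10:00:{i:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(12)
] + [
    '198.51.100.5 - - [27/Oct/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Oct/2025:10:06:30 +0000] "GET /wp-content/uploads/2025/10/cache.php HTTP/1.1" 200 1337 "-" "curl/8.0"',
]
```

Tune the threshold to the site's normal heartbeat and editor traffic before alerting on it; the uploads check needs no tuning, since a WordPress uploads directory should never serve PHP at all.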
Developers are being hit by a self-spreading worm that hides inside Visual Studio Code extensions, nicknamed GlassWorm. It matters because one poisoned extension can taint builds and release pipelines across teams. Groups that allow unsigned extensions or lack workstation endpoint detection and response are most exposed. Watch for sudden additions of post-install scripts in package dot json and unusual access to command line credentials after hours. Your next step is to lock V S Code to approved publishers, rotate developer tokens, and compare reproducible builds before release.
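The "post-install scripts in package.json" indicator can be turned into a baseline-and-diff check over the installed extensions folder. This added example is not from the newsletter and is not GlassWorm detection logic from any vendor; it assumes extensions live one per directory under a root such as ~/.vscode/extensions, and builds a constructed sample tree in a temporary directory so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run code when a package is installed or prepared.
# The indicator is their sudden appearance in an extension's package.json.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def scan_extensions(root):
    """Map each extension directory under root to the lifecycle hooks its package.json declares."""
    findings = {}
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest; worth its own alert in practice
        hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
        if hooks:
            findings[manifest.parent.name] = hooks
    return findings

def new_hooks(baseline, current):
    """Hooks present now that were absent from, or differ from, the earlier snapshot."""
    return {ext: hooks for ext, hooks in current.items() if baseline.get(ext) != hooks}

def build_sample_tree():
    """Constructed sample extension folder (not a real VS Code install):
    one clean extension and one that carries a postinstall hook."""
    root = Path(tempfile.mkdtemp())
    manifests = {
        "publisher.clean-ext-1.0.0": {"name": "clean-ext", "scripts": {"compile": "tsc -p ./"}},
        "publisher.suspect-ext-2.3.1": {"name": "suspect-ext",
                                        "scripts": {"compile": "tsc -p ./",
                                                    "postinstall": "node ./out/setup.js"}},
    }
    for dirname, manifest in manifests.items():
        (root / dirname).mkdir()
        (root / dirname / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Persist the output of scan_extensions() after a known-good install and run new_hooks() against it on a schedule; an empty result is the expected state.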
A convincing “you’ve inherited a vault” lure is targeting LastPass users with branded phishing pages. It matters because victims are tricked into handing over master passwords and multi-factor prompts by a workflow they recognize. Consumers and small businesses without phishing-resistant authentication are most exposed. Watch for spikes in I M A P or P O P logins from new internet addresses and unusual device approvals for password vaults. Your next step is to require F I D O 2 or passkeys for admin vaults and verify any inheritance request only inside the app, not by email link.
Threat actors are abusing Microsoft Copilot Studio agents to present OAuth consent screens that look trustworthy on real Microsoft domains. That is risky because users grant excessive permissions to attacker-controlled apps, enabling mailbox access and persistent tokens. Tenants that allow user consent by default and lack app governance are most exposed. Watch for new service principals, high-scope Graph A P I activity, and sudden inbox rule creation within an hour of consent. Your next step is to disable user consent for risky scopes and require admin approval tied to a ticketed business need.
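The correlation to hunt for here is an app consent followed by an inbox rule from the same user within the hour, with the granted scopes telling you how bad the consent was. This added example is not from the newsletter or from Microsoft; the event records are constructed with simplified field names, not the real Entra ID or Exchange audit schema, and the high-risk scope list is an assumption you would tune to your tenant.

```python
from datetime import datetime, timedelta

# Constructed audit records in the spirit of Entra ID consent events and Exchange
# New-InboxRule audit entries; field names are simplified, not the real log schema.
SAMPLE_EVENTS = [
    {"time": "2025-10-27T08:02:00Z", "op": "Consent to application.", "user": "alice@example.com",
     "app": "Helpful Agent", "scopes": "Mail.ReadWrite offline_access User.Read"},
    {"time": "2025-10-27T08:31:00Z", "op": "New-InboxRule", "user": "alice@example.com",
     "rule": "SubjectContainsWords=invoice;DeleteMessage=True"},
    {"time": "2025-10-27T09:00:00Z", "op": "Consent to application.", "user": "bob@example.com",
     "app": "Calendar Helper", "scopes": "Calendars.Read User.Read"},
    {"time": "2025-10-27T12:00:00Z", "op": "New-InboxRule", "user": "bob@example.com",
     "rule": "From=newsletter@example.org;MoveToFolder=Reading"},
]

# Graph permissions that hand an app mailbox content or long-lived refresh tokens.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "offline_access"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def consent_then_rule(events, window_minutes=60):
    """Pair every app consent with inbox rules the same user created within
    window_minutes afterwards, and note which granted scopes are high risk."""
    consents = [e for e in events if e["op"] == "Consent to application."]
    rules = [e for e in events if e["op"] == "New-InboxRule"]
    alerts = []
    for c in consents:
        t0 = parse_ts(c["time"])
        risky = sorted(set(c["scopes"].split()) & HIGH_RISK_SCOPES)
        for r in rules:
            gap = parse_ts(r["time"]) - t0
            if r["user"] == c["user"] and timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                alerts.append({"user": c["user"], "app": c["app"], "rule": r["rule"],
                               "minutes_after": int(gap.total_seconds() // 60),
                               "risky_scopes": risky})
    return alerts
```

Bob's calendar-only consent and his rule three hours later produce nothing; Alice's mailbox-scope consent followed by a delete rule 29 minutes later is the pattern worth paging on.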
Researchers linked the Smishing Triad to an S M S phishing network that used about one hundred ninety-four thousand domains. It matters because text messages now drive fast account theft and payment fraud at consumer scale. Banks, delivery firms, and mobile carriers with widely recognized brands—and their customers—are most exposed. Watch for spikes in multi-factor reset requests and traffic from new domains that mimic brand short links. Your next step is to implement brand-protected sender programs and lock down high-risk transactions with step-up authentication.
A fake “Telegram X” Android app is being pushed to trick people into sideloading malware. Once installed, it grabs accessibility and notification permissions to steal session tokens and intercept one-time passcodes. Bring-your-own-device programs and small teams that allow sideloading are the most exposed. Watch for unusual device approvals for messaging apps and spikes in failed M F A tied to Android WebView logins. Your next step is to block sideloading and require verified store installs before any work data access.
North Korea-linked Lazarus is targeting European drone makers with “Dream Job” lures. The messages deliver weaponized documents and installers that set up remote access and credential theft on engineering machines. Mid-size aerospace contractors without mature security teams are the most exposed. Watch for unsigned loaders, new scheduled tasks, and large archive exfiltration from design workstations. Your next step is to enforce phishing-resistant authentication and tighten contractor access to need-to-know only.
A China-nexus group began exploiting a freshly patched Microsoft SharePoint flaw within days of the fix. Unpatched servers were used to drop web shells, create service accounts, and collect data from collaboration sites. Public-facing SharePoint and hybrid environments with slow change windows are the most exposed. Watch for unexpected web dot config edits, newly added dot A S P X files, and new SharePoint app pools or service principals. Your next step is to patch immediately and remove any unknown shells or accounts you find.
Pwn2Own Ireland surfaced seventy-three zero-days across phones, routers, storage, and common apps. Several teams chained multiple bugs for full device compromise, and vendors are now racing to ship fixes. Organizations with unmanaged consumer-grade devices on corporate networks are the most exposed. Watch for vendor advisories referencing contest identifiers and device reboots following firmware updates. Your next step is to map impacted products, enable automatic updates where safe, and plan emergency patch windows.
Russia’s veterinary and food tracking systems were hit by D D O S, delaying shipments nationwide. The portals timed out, restorations came in waves, and backlogs grew while validators caught up. Food producers, logistics hubs, and exporters that rely on centralized digital certificates are the most exposed. Watch for surges in layer-seven P O S T traffic to validation endpoints and error spikes in the queues behind those services. Your next step is to pre-contract D D O S mitigation and test offline or paper workflows for a four-hour outage.
TP-Link Omada and Festa V P N gateways have critical flaws that let attackers run commands as root without logging in. That matters because a compromised gateway can expose all network traffic and give intruders a fast pivot into internal systems. Small and mid-size firms using affordable all-in-one edge devices are the most exposed. Watch for spikes in P O S T requests to management endpoints and unusual S S H sessions initiated from the gateway into servers. Your next step is to patch immediately, disable internet-facing management, and rotate administrator and V P N credentials.