BMC Daily Cyber News

This is today’s cyber news for October 3rd, 2025. You can also find more headlines at daily cyber news dot com.

Red Hat says attackers accessed an internal GitLab instance, and a data broker now claims to be selling roughly five hundred seventy gigabytes taken from source repositories and support artifacts. The most sensitive piece appears to be Customer Engagement Records—case files and diagnostic bundles that can include logs, stack traces, and limited customer metadata. There’s no sign that product signing keys were touched, and public package repositories remain intact, but any exposed tokens or embedded credentials in private projects raise supply-chain risk. Expect staged disclosures as forensics finish and secrets are rotated. If you rely on Red Hat services, review what you’ve ever attached to tickets, scrub sensitive values from future uploads, rotate any tokens that may have been shared in past cases, and keep an eye out for look-alike repositories or malicious forks that try to piggyback on the news.

Microsoft is rolling out a change to Outlook that blocks inline S V G images from rendering by default. Attackers have abused S V G as a delivery layer, packing clickable shapes and layered redirects that slip past user skepticism and some filters. Turning this off by default removes a stealthy lure used in credential-phishing and malware campaigns. The update should reach current Outlook builds and Microsoft three sixty-five tenants, with admin controls if organizations need exceptions. You should still expect pivots toward other content, like H T M L smuggling or booby-trapped calendar invites. Watch your mailflow for spikes in blocked content, tighten Safe Links and Safe Attachments, and remind users that image-only emails can still be dangerous even when they look clean.

A newly disclosed bug in DrayTek Vigor small-business routers allows remote code execution through the web interface without authentication. The identifier is C V E twenty twenty-five dash ten five four seven. Because many of these devices expose management to the internet for convenience, exploitation is likely to be fast once proof-of-concept code appears. A successful attack gives full device control at the edge—ideal for traffic inspection, DNS tampering, and footholds for ransomware crews. DrayTek has posted fixed firmware for supported models, but older hardware may remain without updates. Your priorities: identify any internet-facing Vigor gear, patch immediately, and disable remote administration or gate it behind a management V P N. After updating, verify DNS settings, syslog targets, and any custom scripts to catch persistence, and consider moving to a standard build process with periodic configuration drift checks.

Researchers detailed a trio of weaknesses—nicknamed the Gemini Trifecta—that let crafted content hijack Gemini-powered assistants, pivot through connected apps, and exfiltrate sensitive context like recent prompts or document snippets. The risk comes from “AI extensions,” where an assistant inherits permissions from mail, drive, or chat integrations and turns a single prompt into a data-layer breach. Google has shipped mitigations, but durable defenses require tighter connector scopes, output filtering, and tenant-level guardrails. If your teams are experimenting with assistants tied into productivity suites, revisit usage policies now: restrict third-party extensions, add data loss prevention controls on generated outputs, and plan a red-team exercise focused on prompt injection and tool-use abuse so you understand how these systems behave at the edges.

A rogue Python package named “soopsocks” masqueraded as a proxy helper but actually pulled down a Windows payload, added persistence, and opened a backdoor for follow-on commands. The author used typosquatting and sparse documentation to avoid scrutiny, relying on post-install scripts to fetch the binary. Telemetry shows a couple thousand downloads before trust and safety teams removed it, but any developer workstation that executed the package could still be compromised. Treat “pip install” as a sensitive operation: scan endpoints for new services and scheduled tasks, hunt for odd outbound connections, and rotate any tokens kept in environment variables or local credential helpers. Enforce lockfiles and hash-pinning for production, and consider a private mirror with policy checks so banned packages never reach your build systems.

Admins reported a flood of “suspicious firmware update” notifications tied to legitimate Dell BIOS utilities, traced to an overly aggressive heuristic in Microsoft Defender. That noise led some teams to quarantine approved executables and delay routine firmware baselines, even though there wasn’t evidence of a real supply-chain compromise. Microsoft has tuned the detection and Dell reiterated guidance on using vendor-signed packages from official channels. If your environment was affected, review any automated responses triggered during the surge, restore quarantined files that are known-good, and verify that patching windows weren’t silently skipped. A short-term allow-list for signed vendor firmware tools can help, but keep strict controls around driver installs and kernel-mode code so you don’t widen the attack surface.

Researchers found flaws in a low-cost YoLink smart hub that manages sensors, locks, and environmental monitors, enabling remote attackers to pair rogue devices, intercept traffic, or issue commands without local access. Because these hubs bridge proprietary sub-gigahertz radios to the internet, a single compromise can cascade across a home’s devices. Patches are rolling out, but fragmentation in consumer IoT means many hubs won’t update quickly, if at all. If you own one, apply firmware updates in the companion app, disable remote control features you don’t need, and place smart-home gear on a separate network with limited access to laptops and work systems. For organizations with remote staff, treat consumer hubs as untrusted and block their management traffic on corporate networks.

Executives at multiple firms report emails claiming theft of Oracle E-Business Suite data and threatening publication unless paid, with the tone and infrastructure resembling earlier Cl0p-style shakedowns. Some claims appear opportunistic rather than tied to confirmed intrusions, but the messages are still generating triage work for organizations that rely on E B S for enterprise resource planning, human resources, and supply chain. Validate any compromise claims with logs, identity provider alerts, and data loss prevention signals before responding. Lock down E B S exposure to the internet, review integrations and file-transfer connectors, and treat any “proof” screenshots as potentially fabricated until you can confirm data lineage. The goal is to avoid paying on bluffs while being ready to respond if a real breach is uncovered.

Ukraine’s incident response team says a group tracked as U A C dash zero two four five is delivering a remote access tool called CabinetRat using Excel add-ins, the dot X L L files. When users enable the add-in, the loader plants persistence and starts beaconing for commands, file exfiltration, and screenshots. The lures look like invoices and logistics updates, and the operators churn through infrastructure to dodge blocks. Because X L Ls load as native code, some defenses treat them like normal Excel behavior. If your users handle spreadsheets from outside partners, consider a policy to block X L L files entirely, watch for child processes spawned by Excel, and hunt for new Run keys or scheduled tasks created just after someone opens a suspicious sheet.

The long-running Confucius group resurfaced with spear-phishing against Pakistani organizations, dropping a two-stage toolset: WooperStealer to grab credentials and browser data, followed by Anondoor for persistent access. The emails use geopolitical themes and spoofed government senders. The tradecraft overlaps with previous Confucius activity, suggesting an incremental evolution rather than a clean re-tool. The operators prioritize documents, chat exports, and screenshots that support intelligence collection. If you have exposure in the region—or you partner with teams that do—tighten email authentication checks, block scriptable archive formats at the gateway, and enable application control so unsigned loaders don’t run. On the network side, look for small, periodic posts to freshly registered domains and unusual OAuth grants on user mailboxes.

Researchers tracking a cluster dubbed Phantom Taurus report continued targeting of telecom and government entities with a custom backdoor they call Net-Star. The campaigns lean on living-off-the-land techniques—PowerShell stagers, scheduled tasks, and DLL search-order hijacking—to stay quiet. Early in the intrusion they focus on credential theft and mailbox enumeration, then stage data selectively to cloud storage to reduce noise. Toolmarks connect recent incidents to activity seen over several years, pointing to a mature actor with stable objectives. If you’re in telecom, satellite services, or public administration, harden identity paths, require phishing-resistant multi-factor authentication for admins, and monitor for suspicious OAuth app grants that can enable stealthy mailbox access even when passwords are locked down.

A broad email campaign is swapping macro documents for ZIP archives that contain Windows shortcut files, the dot L N K format. Double-clicking the shortcut executes a hidden command that runs a bundled script or fetches a payload from the web, often staging information-stealers. The trick works because many users think a shortcut is harmless and some older filters don’t scrutinize it well. Variants chain M S H T A or PowerShell and set persistence with simple registry edits. To blunt this, block shortcut execution from temp and downloads folders, disable script interpreters for standard users, and strip archives that contain dot L N K files at the secure email gateway. Training should call out that shortcuts are executable launchers, not documents.

Bug hunters on the HackerOne platform earned about eighty-one million dollars over the last year. The payouts skew toward critical, widely deployed products and internet-facing services as more organizations expand program scope. Defense and fintech continue to raise rewards for impactful bugs like authentication bypasses and dangerous deserialization. For leaders, this data is a signal: where researchers find value is where your attack surface matters. Use bounty metrics to help prioritize hardening, and make sure your internal triage keeps pace so valid reports don’t languish. For engineering teams, fold the most common bounty-found bug classes into secure coding training, add pre-commit checks, and measure whether those changes actually reduce submissions in the same categories over time.

The privacy-first Brave browser has crossed one hundred million monthly active users, which is a real signal that defaults like tracker blocking, stricter cookie handling, and automatic H T T P S upgrades have moved from niche to mainstream. That growth matters because browser share drives which extension ecosystems and identity flows I T must support. It also means some legacy analytics and single sign-on edge cases may break when apps depend on third-party cookies or cross-site storage. If your business relies on web apps with older auth patterns, test them in Brave now, document any exceptions, and use device management to enforce extension allow-lists. For developers, prefer standards-based sign-in like O I D C with P K C E and keep tokens in first-party storage so your apps behave across hardened browsers without special cases.

Renault’s U K arm says a marketing and customer-care vendor exposed a dataset with names, contact details, and vehicle identifiers like V I Ns for an undisclosed number of customers. While it’s not payment data, V I N-tied records can power convincing phishing and service-scam calls, especially when combined with leaks from other places. Production systems weren’t impacted, but notifications and support channels are live. The lesson is familiar: non-core vendors often hold identity-rich data with weaker controls than the primary C R M. Automakers and dealers should enforce strict least-privilege sharing, require hardware-bound multi-factor authentication for vendor access, and time-limit data exports. If you’re a customer, treat “service reminders” and warranty offers with skepticism, especially when they reference your specific vehicle details or pressure you to act quickly.

Investigators found that a cloud-hosted database used by Archer Health was left exposed without proper authentication, revealing roughly one hundred forty-five thousand patient records. The dataset included names, contact information, limited clinical notes, and appointment details. This looks like a misconfiguration rather than an active intrusion, but the data is still valuable for insurance fraud and targeted phishing. Healthcare continues to struggle with rapid vendor onboarding and sprawling data lakes that outpace governance. Near-term fixes include rotating any A P I keys tied to the dataset, turning on default-deny network policies, and enforcing automated checks for open cloud storage and databases. Patients should be offered credit monitoring and warned about “verification” calls that ask for insurance numbers or prescription details—those are classic follow-on scams after a healthcare exposure.

That’s the BareMetalCyber Daily Brief for October 3rd, 2025. For more, visit BareMetalCyber dot com, and listen daily at daily cyber news dot com. Thanks for listening. We’re back Monday!.