Daily Cyber News – October 7th, 2025
This is today’s cyber news for October 7th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com.
Oracle is responding to active attacks against its E-Business Suite, where a previously unknown flaw has been used to steal data tied to finance, procurement, and HR functions. Investigators say the activity looks like ransomware-style data theft aimed at pressuring executives, and several companies saw telltale signs like database export staging and unusual outbound traffic from EBS hosts. Custom integrations and exposed interfaces appear to have expanded the attack surface, and that’s why partners with legacy setups are showing more risk. Oracle and service providers are pushing emergency patching and access tightening across the suite. If you run EBS, expect downtime approvals, token rotation, and very close monitoring of anything that resembles bulk export behavior while teams work through updates.
Red Hat disclosed a security incident involving stolen internal data from a consulting Git platform while the ShinyHunters extortion group posted samples and tried to raise the stakes. Claims include large amounts of repository material and customer engagement documents that can contain network diagrams, configurations, and access details. Red Hat says there’s no impact to product supply-chain integrity, but it’s investigating, notifying customers, and adding monitoring around build systems just in case. Screenshots and sample files circulating in criminal channels have heightened anxiety among big enterprise clients who’ve shared artifacts during past engagements. If your organization has received advisory work, treat it like a potential map for attackers and plan to rotate any credentials and tokens that might be referenced in older documents.
Microsoft’s threat intel team reported active exploitation of a maximum-severity bug in GoAnywhere Managed File Transfer, tied to a financially motivated crew known for deploying Medusa ransomware. Attackers are using exposed MFT interfaces as entry points, moving straight into data exfiltration and lateral movement after harvesting credentials and dropping web shells. The tactics include rapid compression of outbound data sets and abuse of admin portals that aren’t locked down with strong network controls. Organizations with public-facing MFT portals and weak segmentation are the most impacted, and detections show victims across several sectors. The near-term reality is patching, isolating the servers, rotating service accounts, and combing reverse-proxy and firewall logs for suspicious paths and uploads while partners experience temporary disruptions.
A newly disclosed Redis vulnerability allows escape from the Lua scripting sandbox via a use-after-free condition, which can turn a high-performance data store into an attacker’s beachhead. The issue affects common versions and can enable code execution on the host, which then opens doors to credential theft and lateral movement. Maintainers have shipped fixed builds, and researchers have published practical detection tips, but risk remains where Redis is reachable from untrusted networks or where Lua is left enabled by default. Cloud-first teams that use Redis for caching, queues, and microservices are particularly exposed because density is high and changes roll out quickly. Expect emergency maintenance windows, pressure to disable unneeded scripting, and tighter network policies while you upgrade clusters and watch for unusual EVAL usage and crash patterns.
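The brief's advice for Redis boils down to three configuration questions: is the instance reachable from untrusted networks, does it require authentication, and is Lua scripting still exposed? The following audit function is an added example, not code from the brief or the Redis project. It parses redis.conf text and reports those weaknesses, using the real directives `bind`, `protected-mode`, `requirepass`, `rename-command` and ACL `user` rules with the `-@scripting` category. Both configuration samples are constructed for the demonstration; the secret placeholders are not real values.

```python
import shlex

# Constructed example of a risky redis.conf (not from any real deployment).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed example of a hardened redis.conf: loopback only, protected mode,
# authentication, and Lua scripting unreachable both via renamed commands and
# via an ACL rule that removes the @scripting category. Secrets are placeholders.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_SECRET
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
user default on >REPLACE_WITH_LONG_SECRET ~* &* +@all -@scripting
"""


def parse_conf(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used to disable a command
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Return a list of human-readable findings for a redis.conf text."""
    directives = parse_conf(text)

    def values(name):
        return [args for n, args in directives if n == name]

    findings = []

    # Exposure: no bind line, or a wildcard bind, means every interface listens.
    bind_addrs = [a for args in values("bind") for a in args]
    if not bind_addrs or any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("listens on all interfaces (no restrictive bind)")

    # protected-mode defaults to yes; only an explicit "no" is a finding.
    pm = values("protected-mode")
    if pm and pm[-1][0].lower() == "no":
        findings.append("protected-mode disabled")

    # Authentication: neither a legacy requirepass nor any ACL user rule.
    if not values("requirepass") and not values("user"):
        findings.append("no authentication configured (requirepass/ACL users)")

    # Scripting: EVAL/EVALSHA must be renamed away or blocked by an ACL rule.
    disabled = {args[0].upper() for args in values("rename-command")
                if len(args) == 2 and args[1] == ""}
    acl_blocks_scripting = any("-@scripting" in args for args in values("user"))
    if not ({"EVAL", "EVALSHA"} <= disabled or acl_blocks_scripting):
        findings.append("Lua scripting (EVAL/EVALSHA) still reachable")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The ACL check only looks at the `user` directives inside redis.conf; ACLs loaded from a separate `aclfile` or set at runtime with `ACL SETUSER` would need to be pulled from a live `ACL LIST` instead.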
Researchers detailed how a Zimbra Collaboration bug was exploited as a zero-day using malicious iCalendar invites, where simply parsing the .ics file could run script payloads. The lures looked like normal meeting requests and triggered with minimal user interaction, and reporting says Brazil’s military and other government users were among the targets. Zimbra has issued updates and guidance, but on-prem deployments often lag, which keeps the window open for mailbox takeover and data theft. Email and calendar parsing now joins document preview as a path around traditional filtering, and that matters for any shop relying on Zimbra or similar platforms. If you’re in that group, push patches, consider temporary blocks on risky attachment types, and keep an eye on mailbox rules, token behavior, and unexpected forwarding patterns.
Researchers disclosed a flaw in the Unity game engine pipeline that can enable code execution on Windows and Android under certain packaging and plugin conditions, and that matters because Unity underpins thousands of games and apps. The weak point is how untrusted assets or modules get validated and loaded at runtime, which is now prompting studios to ship fixes and repackaged builds. App stores and anti-malware vendors are updating detections as well. If your endpoints allow gaming or you manage Android fleets, consider temporary restrictions and monitor EDR for suspicious child processes from game executables or unsigned modules beside UnityPlayer binaries.
Dell pushed fixes for a critical bug in UnityVSA virtual storage arrays that allows unauthenticated remote command execution against management services controlling storage, replication, and snapshots. Internet-exposed or poorly segmented arrays are at the highest risk, and customers should verify that upgrades persist across high-availability pairs. Because storage appliances sit right on the backup and operations path, they’re high-value ransomware targets. Approve emergency maintenance, restrict management interfaces to admin subnets with jump-host MFA, and watch for unexpected snapshot deletions or replication changes from new IPs.
Researchers published a working proof-of-concept for a Sudo local privilege escalation (CVE-2025-32463), letting unprivileged Linux users gain root on vulnerable systems. The flaw lives in a rarely audited code path, and while major distros have updates out, the public PoC lowers the skill bar for attackers. Multi-tenant servers and developer workstations are the most exposed if patches lag. Push emergency updates, restrict interactive shells, tighten sudoers policies, and watch for unexpected elevation attempts by service accounts or failed sudo tries followed by privilege changes.
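The two detections the brief recommends for the Sudo item, failed sudo attempts followed by a successful elevation and any sudo use by a service account, can be expressed as a small stateful rule over auth.log. The script below is an added example, not code from the brief or from any distribution; the log lines are constructed in the standard sudo syslog format, the year is assumed because syslog timestamps carry none, and the service-account list, window and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from any real host). They cover: two
# failed attempts then a successful elevation (alice), normal admin use (bob),
# a service account elevating (svc-backup), and a failed-only attempt (carol).
SAMPLE_LOG = """\
Oct  7 09:12:01 host1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Oct  7 09:12:09 host1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Oct  7 09:12:30 host1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct  7 09:12:30 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1001)
Oct  7 10:05:17 host1 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Oct  7 11:40:02 host2 sudo: svc-backup : TTY=unknown ; PWD=/var/backups ; USER=root ; COMMAND=/bin/sh
Oct  7 11:41:00 host2 sudo:    carol : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

# Matches sudo's own "<user> : <fields>" records; pam_unix lines do not match
# (their "user" would contain parentheses) and are skipped on purpose.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>[\w.-]+) : (?P<body>.*)$"
)

ASSUMED_YEAR = 2025                 # assumption: syslog timestamps have no year
WINDOW = timedelta(minutes=10)      # assumption: failures older than this are forgotten
FAIL_THRESHOLD = 2                  # assumption: failure records before a success
# Assumed non-interactive accounts that should never invoke sudo.
SERVICE_ACCOUNTS = {"svc-backup", "www-data", "postgres"}


def parse(line):
    """Turn one sudo auth.log line into an event dict, or None if not a sudo record."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    body = m["body"]
    failed = "incorrect password attempt" in body or "NOT in sudoers" in body
    target = re.search(r"USER=(\S+)", body)
    cmd = re.search(r"COMMAND=(.*)$", body)
    return {
        "ts": ts, "host": m["host"], "user": m["user"], "failed": failed,
        "target": target.group(1) if target else "",
        "command": cmd.group(1) if cmd else "",
    }


def detect(log_text):
    """Return (rule, host, user, command) tuples for suspicious sudo activity."""
    alerts = []
    recent_failures = defaultdict(deque)   # (host, user) -> failure timestamps
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["user"] in SERVICE_ACCOUNTS:
            alerts.append(("service_account_sudo", ev["host"], ev["user"], ev["command"]))
        if ev["failed"]:
            recent_failures[key].append(ev["ts"])
            continue
        # A successful elevation: drop failures outside the window, then compare.
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            alerts.append(("failures_then_elevation", ev["host"], ev["user"], ev["command"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On systemd hosts the same records come from `journalctl _COMM=sudo -o short`, which keeps the format the regex expects; the pam_unix session lines are left out of the rule because the sudo record already carries the target user and command.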
Discord says a third-party support provider was breached, exposing support tickets with email addresses, IPs, and in some cases billing or device details. This didn’t touch Discord’s production systems, but vendor accounts can still give attackers enough to phish users or try account recovery fraud. The company is rotating credentials, tightening vendor access, and reviewing data retention while notifying affected users. If you manage communities or brand servers, assume targeted scams are coming and lock down admin accounts with phishing-resistant multi-factor authentication and closer monitoring of OAuth grants and token reuse.
Researchers found an internet-exposed cloud database belonging to Rainwalk Pet Insurance that held roughly 158 gigabytes of sensitive customer data without authentication. The bucket was secured after disclosure, but we don’t know how long it was exposed or if criminals accessed it. Smaller, fast-growing firms often stumble on cloud misconfigurations like this, and the fallout is usually fraud and social engineering against policyholders. Standardize data classification, turn on org-level public-access blocks, and deploy continuous misconfiguration scanning so object storage can’t silently drift open.
Doctors Imaging Group reported a breach impacting protected health information for more than 171,800 people, based on regulatory filings. Exposed data may include identifiers, contact details, and scheduling or diagnostic metadata, and while clinical systems are back online, forensics continue. Notifications and credit monitoring are rolling out per HIPAA and state rules. Imaging providers connect to many referral networks and vendors, so review VPN, RDP, and third-party access paths and tighten endpoint detection on imaging modalities and PACS servers to catch unusual DICOM transfers or new admin accounts.
Analysts detailed a long-running campaign by a China-nexus cluster known as UAT-8099 that compromises Windows IIS servers to inject SEO spam, steal credentials, and monetize traffic. The operators lean on web shells, weak admin portals, and outdated modules, then rotate their content to stay ahead of takedowns. Victims range from hosting providers to small businesses and public-sector sites, and stolen cookies and passwords fuel wider account takeovers. If you run IIS, harden it, remove unused modules, deploy a managed WAF or CDN, and hunt for web.config changes, rogue scheduled tasks, and suspicious outbound connections from w3wp processes.
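The three IIS hunts the brief lists (web.config changes, rogue scheduled tasks, and suspicious outbound connections from w3wp) map onto three Sysmon event types: FileCreate (event 11), ProcessCreate (event 1) and NetworkConnect (event 3). The hunting function below is an added example, not code from the brief or from the analysts' report; it runs over a constructed list of simplified Sysmon-style events rather than a live event log, and the allowlist of children w3wp.exe legitimately spawns and the internal address ranges are assumptions to adjust per environment.

```python
import ipaddress
from pathlib import PureWindowsPath

W3WP = "w3wp.exe"
# Assumed allowlist: ASP.NET dynamic compilation makes w3wp.exe spawn these;
# anything else launched by the worker process deserves a look.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
# Assumed internal ranges; a w3wp connection to anything outside them is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, simplified Sysmon-style events (not real telemetry). Only the
# fields the rules use are present; "id" is the Sysmon event ID.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "csc.exe /noconfig ..."},
    {"id": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\web.config"},
    {"id": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\temp\IIS Temporary Compressed Files\site\x.gz"},
    {"id": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
    {"id": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Windows\Temp\u.exe /sc hourly"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare names only."""
    return PureWindowsPath(path).name.lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return (rule, detail) findings for the three w3wp hunts."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        if ev["id"] == 1 and basename(ev.get("ParentImage", "")) == W3WP \
                and image not in EXPECTED_CHILDREN:
            # Covers shells, script hosts and task creation spawned by the worker.
            findings.append(("w3wp_unexpected_child", ev.get("CommandLine", image)))
        elif ev["id"] == 11 and image == W3WP \
                and basename(ev.get("TargetFilename", "")) == "web.config":
            # Deployments write web.config via tooling, not via the worker process.
            findings.append(("w3wp_wrote_web_config", ev["TargetFilename"]))
        elif ev["id"] == 3 and image == W3WP and not is_internal(ev["DestinationIp"]):
            findings.append(("w3wp_external_connection",
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Sites that legitimately call external APIs from application code will need the external-connection rule narrowed to an allowlist of destinations, and web.config writes by a deployment agent run under a different image name, so only the worker process itself is matched here.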
A new security contest put up four-and-a-half million dollars to reward exploits against widely used cloud and AI components, with on-site validation and coordinated disclosure. Targets include container runtimes, orchestration layers, model-serving stacks, and identity systems, and major vendors are backing fast-track fixes. Concentrated incentives like this typically surface impactful bugs that many enterprises share, so expect a flurry of patches. Pre-authorize emergency maintenance windows, make sure asset inventories map products to owners, and stage canary environments to test fixes quickly.
Threat actors on an underground forum are advertising what they claim is internal Huawei source code and engineering tools, showing screenshots of repository trees, build scripts, and documentation. The sellers say it spans multiple product lines, but none of the material has been independently verified. Even partial authenticity could help attackers analyze internals faster and craft highly tailored exploits, which raises supply-chain worries for carriers and enterprises that deploy Huawei gear. If you have that footprint, ask the vendor for an assurance statement, verify exactly which models and firmware you run, and tighten provenance checks on updates. Also expect more scanning of device fingerprints and login portals, so restrict management access, route admin actions through jump hosts with multi-factor authentication, and turn up telemetry around admin events.
That’s the BareMetalCyber Daily Brief for October 7th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back tomorrow.
