Daily Cyber News – October 8th, 2025

This is today’s cyber news for October 8th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com.

Salesforce says it won’t pay after an extortion crew claimed to steal data tied to a third party, and it’s working with law enforcement while notifying customers and rotating credentials. There’s no disruption to core services, but if contact details were exposed, expect tailored phishing and consent-grab attempts inside connected cloud apps. Multi-tenant software-as-a-service concentrates valuable data, so even limited leaks can ripple into fraud across downstream tenants. If you’re a customer, assume a spike in targeted phish, tighten OAuth app reviews, enforce phishing-resistant multi-factor authentication, and watch for odd API use and access grants referencing recent support interactions.

ShinyHunters rolled out a consolidated leak and extortion portal that lists alleged data from many well-known companies, complete with countdown timers and sample files to increase pressure. Verification varies by target, but a slick presentation lowers the barrier for resale and abuse by other criminals, mimicking ransomware “name-and-shame” tactics even when encryption isn’t used. Once a brand appears, secondary harms—fraud, impersonation, and credential stuffing—tend to accelerate. Firms should pre-authorize a triage workflow across legal, PR, and threat intel so they can confirm or refute listings within hours, and then enforce resets and tighten token hygiene if overlaps are found.

Researchers report the Clop group has been exploiting a flaw in Oracle E-Business Suite, CVE-2025-61882, since August to reach enterprise resource planning environments. After landing, they move laterally into databases and exfiltrate financial and HR records before extortion, and because EBS integrates widely, compromise can echo across supply chains. Treat ERP as critical infrastructure with a dedicated patch window and executive visibility, inventory any internet exposure, lock down admin interfaces, and watch for suspicious concurrent logins and large data exports against payroll or vendor tables while you apply mitigations.

The Medusa ransomware outfit is abusing a newly disclosed issue in GoAnywhere managed file transfer, CVE-2025-10035, to gain initial access to edge-facing file-transfer nodes. After entry, they enumerate, pull archives from repositories, and then stage encryption, echoing past MFT campaigns where one weak link exposed many partners. If you run these systems, take them off the open internet if needed, enforce multi-factor authentication and IP allow-listing, rotate keys, and look for rogue admin accounts, unusual archive downloads, and spikes in outbound transfers while you patch.

A critical Redis flaw nicknamed RediShell, CVE-2025-49844 with a maximum CVSS score of 10, enables remote code execution through crafted Lua scripts on exposed or misconfigured instances. Cloud-hosted Redis, containerized stacks, and legacy unauthenticated setups are prime targets, and successful exploits can pivot from data tampering to full system control, impacting session data and app availability. Confirm who owns Redis in your org (platform, app, or SRE), apply the fixed release, bind to private networks, require authentication, and, if you're constrained, disable risky Lua execution paths and monitor for spikes in EVAL and EVALSHA commands along with port 6379 scanning.
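The EVAL/EVALSHA monitoring mentioned above, as an added example that is not from the brief: it parses constructed `redis-cli MONITOR` output and flags any client that issues a burst of script calls inside a sliding window. The line format and the `lua` pseudo-client are Redis's own; the thresholds and sample data are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output (not from the page). Each line is
# '<unix ts> [<db> <client ip:port>] "<command>" <args...>'; commands that a script
# issues internally appear with client "lua" and are skipped below.
SAMPLE_MONITOR = """\
1759900000.100 [0 10.0.0.5:51234] "GET" "session:abc"
1759900000.200 [0 198.51.100.7:40001] "EVAL" "return redis.call('get', KEYS[1])" "1" "k"
1759900000.210 [0 lua] "get" "k"
1759900000.250 [0 198.51.100.7:40001] "EVALSHA" "0123456789abcdef0123456789abcdef01234567" "0"
1759900000.300 [0 198.51.100.7:40001] "EVAL" "return 1" "0"
1759900000.350 [0 198.51.100.7:40001] "EVAL" "return 2" "0"
1759900001.000 [0 10.0.0.5:51234] "EVALSHA" "0123456789abcdef0123456789abcdef01234567" "0"
1759900030.000 [0 198.51.100.7:40001] "EVAL" "return 3" "0"
"""

LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+)\] "([^"]+)"')
SCRIPT_CMDS = {"EVAL", "EVALSHA"}


def script_spikes(monitor_text, window=10.0, threshold=3):
    """Return {client_ip: peak} for clients that issued at least `threshold`
    EVAL/EVALSHA calls inside any `window`-second interval (assumed defaults)."""
    per_client = defaultdict(list)
    for line in monitor_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, cmd = float(m.group(1)), m.group(2), m.group(3).upper()
        if client == "lua" or cmd not in SCRIPT_CMDS:
            continue
        per_client[client.rsplit(":", 1)[0]].append(ts)   # drop the source port
    spikes = {}
    for ip, times in per_client.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[ip] = peak
    return spikes


if __name__ == "__main__":
    print(script_spikes(SAMPLE_MONITOR))   # {'198.51.100.7': 4}
```

Feed it `redis-cli MONITOR | python3 script_spikes.py`-style output in batches, and pair a hit with a check of which owner (platform, app, or SRE) expects scripting from that network.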

CISA added Zimbra's CVE-2025-27915 to its Known Exploited Vulnerabilities catalog, which means it's being used in the wild and federal agencies must prioritize remediation. The bug enables code execution during calendar invite parsing, giving attackers mailbox access and a foothold for lateral movement, and many schools, municipalities, and mid-market firms run on-prem Zimbra that can lag patching. Leaders should require an executive-reviewed plan to meet the KEV deadline and confirm vendor support for their version, while defenders patch or mitigate now, restrict external invite handling, and monitor for abnormal mailbox access along with unusual token grants and spikes in .ICS processing errors.

DraftKings reported account takeovers from credential stuffing, where attackers reused exposed passwords from other breaches against its login pages. Affected users saw unauthorized access and sometimes fraudulent changes to payout settings, and the company is forcing resets and adding rules while helping customers recover. This is part of a broad wave of automated attacks against consumer platforms that hold payment methods or balances. Enable phishing-resistant multi-factor like WebAuthn or push, add velocity and device fingerprinting checks, and rate-limit logins. Watch for login spikes from new networks and bursts of password validation failures on known email lists, and throttle or auto-lock on anomalous cash-out attempts.
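The "bursts of password validation failures on known email lists" signal above, as an added example that is not from the brief: one source IP spraying many distinct accounts with a low success rate looks nothing like a single user mistyping a password. The log format, thresholds, and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed login-audit lines "<ts> <src_ip> <email> <result>" (not from the page).
SAMPLE_LOGINS = """\
1759900000 203.0.113.9 a@example.com FAIL
1759900001 203.0.113.9 b@example.com FAIL
1759900002 203.0.113.9 c@example.com FAIL
1759900003 203.0.113.9 d@example.com FAIL
1759900004 203.0.113.9 e@example.com OK
1759900005 203.0.113.9 f@example.com FAIL
1759900010 198.51.100.4 a@example.com FAIL
1759900020 198.51.100.4 a@example.com FAIL
1759900030 198.51.100.4 a@example.com OK
"""


def stuffing_sources(log_text, min_accounts=5, max_ok_rate=0.3):
    """Return {ip: (attempts, distinct_accounts, ok_rate)} for sources whose attempts
    spread across many accounts with a low success rate (assumed thresholds)."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "accounts": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines rather than crash
        _, ip, email, result = parts
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(email.lower())
        if result == "OK":
            s["ok"] += 1
    flagged = {}
    for ip, s in stats.items():
        ok_rate = s["ok"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ok_rate <= max_ok_rate:
            flagged[ip] = (s["attempts"], len(s["accounts"]), round(ok_rate, 2))
    return flagged


def accounts_to_protect(log_text, flagged):
    """Accounts a flagged source logged into successfully: candidates for a forced
    reset and step-up verification before any payout-setting change."""
    hits = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] in flagged and parts[3] == "OK":
            hits.add(parts[2].lower())
    return hits
```

Run the two functions over each hour of login logs; the second set is where velocity rules and auto-lock on cash-out attempts should be applied first.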

Avnet confirmed a security incident involving a third party, with claims that some data was accessed, though it says the stolen information was encrypted or otherwise not readable. Operations continue as investigators validate the scope, and customers and partners are seeking clarity on supplier risk. Large distributors are attractive because they offer reach to many downstream firms, so notifications and regulatory disclosures may follow. Trigger supplier-risk outreach, verify contractual notice and cyber insurance conditions, rotate credentials, review EDI and API keys, tighten allow-lists for partner connections, and watch for unauthorized calls from new IP ranges or changes to bank and remittance data in vendor profiles.

Microsoft warned that threat actors are abusing legitimate Teams features, like file sharing and external chats, to deliver malware and steal tokens, and because messages originate inside a trusted app, users are more likely to click or consent. Attackers also exploit OAuth and app consent flows to persist beyond password resets, and email-centric controls often miss these paths. Leaders should review policies for external federation and app consent with clear exceptions, while defenders restrict external chats, require admin consent for high-risk scopes, and monitor token issuance, spikes in external file shares, and unfamiliar app grants.

Intelligence and blockchain analytics estimate North Korean state-linked groups have taken roughly two billion dollars in crypto this year, targeting exchanges, cross-chain bridges, and DeFi protocols through compromised keys and smart-contract weaknesses. Laundering runs through mixers and rapid chain-hopping before conversion, with proceeds believed to support sanctioned weapons programs and front companies. If you operate a high-liquidity venue, elevate this to board visibility. Enforce hardware-backed key custody, strict withdrawal controls, and anomaly detection for contract interactions and large transfers, and watch for odd multi-sig changes, spikes in cross-chain calls, and flows headed to mixers.

We're also seeing ransomware crews stick around by installing or abusing legitimate remote-access tools, things like AnyDesk, Splashtop, ScreenConnect, and full RMM agents, which blend into normal admin traffic and sometimes auto-reinstall through group policies. That lets attackers quietly stage data, move laterally, and even re-encrypt days after you think you've recovered. Leaders should require an executive-approved allow-list of remote tools with centralized logging and ownership. Defenders need to baseline legitimate usage, restrict installs to signed packages and admin groups, and alert on new services and beacons from unusual hosts, plus new installs outside maintenance windows or remote sessions from atypical networks.

Researchers disclosed a prompt-injection technique against Gemini that uses ASCII control or encoded characters to hide instructions and bypass some filters. Google acknowledged the behavior but treated it as out-of-scope for a direct fix, pointing instead to policy and usage mitigations. That means the burden shifts to how your apps wrap and govern the model. Formalize AI risk governance, add input and output filters and retrieval guardrails, isolate model access with least privilege and thorough audit logs, and watch for control-character sequences in prompts as well as spikes in policy-blocked outputs.
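The input filter suggested above, as an added example that is not from the brief or from Google: it flags and strips ASCII/C1 control characters, zero-width and bidirectional format characters, and Unicode tag characters (which carry hidden ASCII) before a prompt reaches the model. The sample prompt is constructed; the character classes come from the Unicode standard.

```python
import unicodedata

# Ordinary whitespace controls that legitimately appear in prompts.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}
# Format characters that render invisibly and can hide text from a human reviewer.
INVISIBLE = {
    "\u200b": "ZERO WIDTH SPACE", "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER", "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
# Bidirectional embeddings/overrides/isolates that reorder how text is displayed.
BIDI = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
        "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed sample: an ESC control, a zero-width space and a tag character (U+E0041)
# are embedded between two ordinary sentences.
SAMPLE_PROMPT = "Summarize the ticket.\x1b\u200b\U000E0041 Reply briefly."


def scan_prompt(text):
    """Return [(index, 'U+XXXX', reason)] for every suspicious character in text."""
    findings = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROLS:
            findings.append((i, f"U+{cp:04X}", "ASCII/C1 control character"))
        elif ch in INVISIBLE:
            findings.append((i, f"U+{cp:04X}", INVISIBLE[ch]))
        elif ch in BIDI:
            findings.append((i, f"U+{cp:04X}", "bidirectional override/isolate"))
        elif 0xE0000 <= cp <= 0xE007F:
            findings.append((i, f"U+{cp:04X}", "Unicode tag character (hidden ASCII)"))
    return findings


def sanitize_prompt(text):
    """Drop everything scan_prompt flags; log the findings separately for the audit trail."""
    flagged = {i for i, _, _ in scan_prompt(text)}
    return "".join(ch for i, ch in enumerate(text) if i not in flagged)


if __name__ == "__main__":
    for hit in scan_prompt(SAMPLE_PROMPT):
        print(hit)
    print(repr(sanitize_prompt(SAMPLE_PROMPT)))
```

Count the findings per tenant or per application over time: a jump in flagged prompts is the "spike in control-character sequences" worth an alert, independent of whether the model's own policy filter blocks the output.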

A big update to commodity malware XWorm adds more than 35 plugins for credential theft, clipboard hijacking, browser data grabs, and persistence, alongside flexible command-and-control and the abuse of living-off-the-land binaries. It spreads through phishing attachments, cracked software, and malvertising, giving low-skill actors boutique-style capabilities. Leaders should verify EDR coverage and response SLAs across all endpoints, including contractors and BYOD. Defenders should harden script execution, block common LOLBins where feasible, enforce browser isolation, and tune detections for clipboard hooks, credential dumping, suspicious rundll32 or regsvr32 usage, and traffic to freshly registered C2 domains.

That's the BareMetalCyber Daily Brief for October 8th, 2025. For more, visit BareMetalCyber.com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We're back tomorrow.
