Daily Cyber News – September 23, 2025
This is the Bare Metal Cyber Daily Brief. You can also read online at daily cyber dot news or bare metal cyber dot com. Let's get started!
Airports across Europe struggled after a ransomware attack hit Collins Aerospace, a key vendor that powers check-in and boarding systems. Heathrow, Brussels, and Berlin reported delays and cancellations. Airlines fell back to manual processes, extended cut-off times, and tried to keep schedules moving. Early signs pointed to issues in the shared check-in platform used by many carriers. Europe’s cyber agency and the UK’s security center engaged, while Collins’ parent shared only limited details. Incidents like this show how one supplier can slow an entire sector. Expect a careful recovery with credential resets, phased service restarts, and long forensic checks. Watch for copycat attempts against ground-handling vendors and operational technology. If you run third-party critical systems, rehearse manual fallbacks and test weekend change windows.
Stellantis, the automaker behind Jeep and Dodge, confirmed a breach tied to a third-party platform supporting its North American customer service. Early statements say the exposed data looks like contact information, not Social Security numbers or payment data. The company activated incident response, notified regulators, and is informing affected people. Some reports connect the event to a broader issue in the supplier ecosystem. Dealers now face the risk of phishing that pretends to be warranty or recall outreach. Expect updates as the provider posts indicators and as the scope gets clearer. If you manage dealer portals or customer service tools, review data flows, tighten what your vendors can see, and add takedown playbooks for fake dealer sites. Segmentation and minimal data copies reduce the blast radius the next time a partner is hit.
Researchers disclosed a severe identity flaw in Microsoft Entra ID, formerly Azure Active Directory. The bug, tracked as CVE-2025-55241, scored a perfect ten on the severity scale. In the worst case, attackers could impersonate any user across any tenant, including Global Administrators. Microsoft says it fixed the issue in mid-July and has no evidence of real-world exploitation. Even so, the class of failure is dangerous because it breaks the trust boundary in tokens. Security teams should audit privileged apps, rotate secrets, and tighten Conditional Access. Review sign-in logs around the fix window, looking for odd service principal activity. If you work with managed service providers or have business-to-business sharing, check delegated permissions and consent. Identity is the new perimeter, so do not leave legacy token libraries unchecked.
Mac users are being targeted by fake GitHub pages and search ads that push trojanized installers. The payload is the Atomic infostealer, also called AMOS. It grabs browser passwords, crypto wallets, and system details. Recent builds appear to add a backdoor for long-term access. The lures look like popular utilities, complete with cloned project pages and convincing readme files. People are tricked into downloading from search results rather than official maintainers. The defense is simple but strict. Enforce notarization checks. Restrict unsigned apps. Verify the maintainer before installing. Monitor for unusual access to Keychain and browser credential stores. End users should avoid installers promoted through ads. Security teams should assume persistence if infection is suspected and reimage devices. Expect quick re-spins of these same brands and look-alike repository names as takedowns happen.
A new proof-of-concept named EDR Freeze shows a way to suspend endpoint defenses using Windows Error Reporting. The tool runs from user mode, calling legitimate diagnostic functions to push agents into a kind of hibernation. Unlike older tricks, it does not need a vulnerable driver. That lowers the barrier for hands-on attackers who want a brief window to steal credentials or move laterally without alarms. The method will leave traces, but those traces are easy to miss in busy logs. Vendors will rush to harden self-protection and detect abuse of the reporting system. Blue teams can hunt for unusual error reporting calls, sudden dumps, and gaps in telemetry. Restrict debugger-style privileges and validate that tamper protection can stop user-mode suspension. Expect this idea to appear in red-team kits and, eventually, commodity crimeware.
A misconfigured Department of Homeland Security data hub left sensitive intelligence exposed to thousands of users for two months in 2023. The flaw, revealed in an internal memo obtained under FOIA, allowed contractors, private sector workers, and even some foreign nationals to browse information tied to surveillance programs. The exposure was not a traditional breach but an access control failure inside a platform meant to centralize data sharing. DHS has since tightened permissions and is reviewing entitlement models, but the fallout continues. Oversight committees are already asking how “minimum necessary” principles could be ignored at this scale. For security leaders, the takeaway is clear: internal sprawl can be as dangerous as an external hack. Inventory who can see what, cut dormant accounts, and force risk-based reviews on federated datasets before they grow unmanageable.
Researchers at Radware demonstrated a technique they call ShadowLeak, showing how an AI research agent could be manipulated into exposing private Gmail data. The proof-of-concept targeted an autonomous system designed to browse the web and user documents to create reports. By planting crafted content, the researchers tricked the agent into fetching sensitive emails and leaking them without the user ever clicking a link. It highlights a new attack surface: chained tools with mismatched trust levels. Email itself wasn’t broken, but the agent’s workflow crossed boundaries without guardrails. Organizations testing AI agents should sandbox connectors, enforce strong allowlists, and log every action. Red teams should add prompt injection and tool-handoff scenarios to their test plans. As more enterprises hand over routine tasks to agents, the risk of invisible data exfiltration grows unless controls evolve just as quickly.
Jaguar Land Rover has endured nearly three weeks of halted production after a cyberattack spread across its systems, leaving factories idle and suppliers under strain. Normally the automaker produces about a thousand vehicles a day, but staff at multiple UK plants were sent home while systems remained offline. Officials have said little, but the duration suggests deep impact to core planning and identity systems, not just edge devices. Suppliers now face liquidity problems as orders stall, raising the risk of knock-on bankruptcies if delays persist. Recovery will likely involve phased restarts, revalidating scheduling data, and careful cleaning of compromised domains. For other manufacturers, this is a warning shot: complex supply chains amplify downtime. Preparation means keeping golden system images, rehearsing “dirty restore” scenarios, and ensuring identity services have break-glass recovery options when domain trust is lost.
The FBI has issued a warning about spoofed websites impersonating its Internet Crime Complaint Center, known as IC3. Fraudsters created lookalike domains that capture personal details and incident reports from people who believe they are filing official complaints. That information can then be used for identity theft, extortion, or more targeted scams. The FBI urges the public to double-check web addresses and remember that the real IC3 operates under the .gov domain. For organizations, the lesson is broader: employees and customers alike can be misled by convincing clones of trusted government sites. Security teams should block known spoof domains, add educational banners in browsers, and prepare scripts to reassure and redirect victims. As impersonation campaigns grow, especially with AI-generated branding, vigilance around even familiar websites is essential.
Scattered Spider, the notorious threat group previously tied to high-profile breaches in casinos and retail, is back in action and now focused on the financial sector. Despite announcing a so-called retirement, researchers confirm the group has resumed operations with a new emphasis on banks and insurers. Their tactics remain centered on identity theft: SIM swapping, help-desk social engineering, and multi-factor authentication bypass. Financial organizations are especially attractive targets due to direct access to funds and customer records. Experts warn institutions to harden account recovery procedures, adopt hardware-based MFA, and prepare rapid lockout capabilities for compromised staff accounts. Because the group often uses extortion, firms should also pre-plan legal reviews and communications playbooks. The return of Scattered Spider underlines the need to assume adversaries never truly retire—they pivot, rebrand, and reappear with sharper focus.
The UK’s intelligence agency MI6 has launched a dark-web platform called “Silent Courier” to let individuals securely share secrets. The service, announced September 19, is designed for whistleblowers and potential sources—particularly in Russia—who may face surveillance or repression. It runs on the Tor network to mask user identity and location, and MI6 has issued guidance to minimize digital traces. The move shows intelligence services adapting to today’s environment, where encrypted apps and metadata monitoring make safe contact harder. For potential informants, Silent Courier offers an official channel, but it also creates opportunities for spoofing by adversaries. Security professionals should anticipate phishing or clone sites masquerading as the real portal. Journalists and NGOs may need to help educate sources about verifying authenticity. The development underscores how the dark web is not only a criminal space but also a platform for statecraft.
A verified Steam game named “BlockBlasters” turned malicious weeks after release, draining $32,000 from a streamer’s crypto wallet earmarked for cancer treatment. Initially safe, the platformer game quietly added a cryptodrainer component in late August. Because it had already gathered positive reviews and carried a “verified” tag, players had little reason to suspect foul play. The case exposes blind spots in platform moderation, where late-stage updates can slip in harmful code before detection. Steam pulled the game once reports surfaced, but the financial damage was already done. Gamers should treat game updates with the same caution as unknown executables, especially when wallets or browser extensions are active. For developers, the episode illustrates the need for code signing and continuous auditing. Expect attackers to target indie games and mods next, using delayed-payload tactics to bypass early vetting.
A campaign targeting Belarus, Kazakhstan, and Russia is using phishing emails to deliver Formbook malware, according to researchers. The operation, run by groups labeled ComicForm and SectorJ149, uses lures like fake invoices and “documents awaiting signature” to coax recipients into opening compressed archives. Inside, scripts and loaders trigger Formbook, a known credential stealer that harvests browser passwords, screenshots, and keystrokes. Victims include industrial, financial, biotech, and research sectors. The tooling is unsophisticated but persistent, relying on volume and regional familiarity rather than novelty. Defenders should watch for RAR archive attachments, suspicious use of regsvr32 or rundll32, and sudden access to password managers after email events. User awareness in affected regions is also key, as the phishing themes exploit local business practices. Analysts warn the same infrastructure could pivot quickly to nearby markets if pressure increases.
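An added example, not from the brief or the researchers it cites: a small Python triage rule run over constructed process-creation events that flags the delivery chain the item describes, a mail client opening an archive, then a script host, then regsvr32 or rundll32 loading code from a user-writable path. The process names, paths and the pipe-delimited log format are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Binaries the brief calls out, plus the script hosts that usually sit between
# an archive attachment and the regsvr32/rundll32 call (assumed lists).
LOLBINS = {"regsvr32.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)

# Constructed events, one per line: timestamp|user|image|parent_image|command_line
SAMPLE_EVENTS = r"""
2025-09-23T09:01:10Z|alice|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Windows\explorer.exe|OUTLOOK.EXE
2025-09-23T09:01:42Z|alice|C:\Program Files\WinRAR\WinRAR.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|WinRAR.exe "C:\Users\alice\AppData\Local\Temp\Invoice_2291.rar"
2025-09-23T09:01:55Z|alice|C:\Windows\System32\wscript.exe|C:\Program Files\WinRAR\WinRAR.exe|wscript.exe "C:\Users\alice\AppData\Local\Temp\Invoice_2291.vbs"
2025-09-23T09:02:03Z|alice|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\wscript.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\upd.dll
2025-09-23T09:30:00Z|bob|C:\Windows\System32\rundll32.exe|C:\Windows\System32\svchost.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(image: str, parent: str, cmdline: str) -> Optional[str]:
    """Return a reason if the event matches the phishing-to-LOLBin chain, else None."""
    img, par = basename(image), basename(parent)
    if par in MAIL_CLIENTS and ARCHIVE_EXT.search(cmdline):
        return "archive attachment opened from mail client"
    if img in LOLBINS | SCRIPT_HOSTS and par in MAIL_CLIENTS | ARCHIVERS | SCRIPT_HOSTS:
        return f"{img} spawned by {par}"
    if img in LOLBINS and USER_WRITABLE.search(cmdline):
        return f"{img} loading code from a user-writable path"
    return None  # e.g. rundll32 from svchost with a System32 DLL is routine

def triage(events: str) -> List[Tuple[str, str, str]]:
    """Parse pipe-delimited events and return (timestamp, user, reason) for each hit."""
    hits = []
    for line in events.strip().splitlines():
        ts, user, image, parent, cmdline = line.split("|", 4)
        reason = classify(image, parent, cmdline)
        if reason:
            hits.append((ts, user, reason))
    return hits

if __name__ == "__main__":
    for ts, user, reason in triage(SAMPLE_EVENTS):
        print(ts, user, reason)
```

The first hit (archive opened from Outlook) is the earliest point where a password-manager or browser-credential access shortly afterwards should be treated as the "after email events" signal the brief mentions.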
Europol announced that an international task force identified 51 children in an online abuse investigation using AI-assisted forensics. Officers from 18 countries gathered in The Hague, where they reviewed more than 5,000 media files over two weeks. AI tools helped match background objects, locations, and patterns that linked cases together, speeding up victim identification. The operation also led to 60 suspects facing prosecution. The use of AI in forensics highlights both potential and risk: faster results, but with the need for transparency and audit trails to ensure evidence holds up in court. Europol emphasized that human investigators validated AI suggestions, showing a model for blending automation with expert judgment. Expect broader adoption of similar tools across law enforcement, provided governance frameworks remain strong. For the security community, it’s a reminder that AI can serve both attackers and defenders, depending on who wields it.
Mozilla rolled out a new feature that lets Firefox add-on developers quickly roll back bad updates. If an extension update breaks functionality or introduces issues, developers can now revert to an earlier approved version. Once rolled back, users who updated are automatically shifted back within a day, and new installs are blocked from pulling the broken build. This improvement narrows the window of exposure from buggy or potentially risky updates. It also reduces stress on IT admins, who previously had to scramble to contain extension failures through manual policies. For enterprise users, the advice remains to monitor extension permissions closely and pin mission-critical add-ons. But with rollbacks built into the distribution pipeline, the risk of downtime or compromised features should decline. Other browser ecosystems may feel pressure to follow Mozilla’s lead, given how widespread extension issues can be.
Microsoft has lifted a block that prevented certain devices from updating to Windows 11 version 24H2. The hold stemmed from a bug in face-detection features that caused freezes in apps like Camera, Windows Hello login, and other software using object recognition. After shipping a fix, Redmond cleared the way for affected devices to resume upgrading. Enterprises that delayed rollouts should still validate camera-heavy workflows, including conferencing and biometric logins, before greenlighting broader deployment. As more platform features incorporate AI-driven vision, stability of these components becomes mission critical. To stay ahead, test driver compatibility, enroll hardware in pilot groups, and retain fallback machines. This event underscores how features once seen as “extras,” like face detection, can impact business continuity if they fail.
The American Archive of Public Broadcasting quietly patched a bug that allowed unrestricted downloading of protected and private media. The flaw, reported by a researcher, had reportedly been exploited since at least 2021. Despite earlier warnings, the vulnerability lingered until this month, when a renewed alert led to a fix within 48 hours. AAPB confirmed the issue was resolved and stressed its commitment to protecting restricted historical content. The episode highlights how cultural and nonprofit organizations can struggle with sustained security resourcing, even when handling sensitive digital material. Operators of archives or media platforms should audit for direct-object reference flaws, strengthen URL signing, and validate access controls. With automated scraping tools common, institutions must assume attempts at mass download. For the public, this case illustrates how long-standing weaknesses can persist unnoticed without consistent external pressure.
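An added illustration of the URL-signing and access-control advice above, not AAPB's code: a download link that binds the asset id, the user and an expiry with an HMAC, and still re-checks the entitlement at fetch time, so a link for one item cannot be edited into a link for another (the direct-object reference case). The key, paths and entitlement table are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment loads it from a secrets store and rotates it.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed entitlement table standing in for the archive's access-control data.
ENTITLEMENTS = {"alice": {"restricted-0042"}, "bob": set()}

def acl_allows(user: str, asset_id: str) -> bool:
    return asset_id in ENTITLEMENTS.get(user, set())

def _canonical(asset_id: str, user: str, expires: int) -> bytes:
    # Bind asset, user and deadline so a link for one item cannot be reused for another.
    return f"{asset_id}\n{user}\n{expires}".encode()

def sign_download(asset_id: str, user: str, ttl_seconds: int = 300,
                  now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _canonical(asset_id, user, expires), hashlib.sha256).hexdigest()
    return f"/media/{asset_id}?" + urlencode({"u": user, "exp": expires, "sig": sig})

def verify_download(url: str, requesting_user: str, allowed: Callable[[str, str], bool],
                    now: Optional[int] = None) -> Tuple[bool, str]:
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    asset_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        user, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if user != requesting_user:
        return False, "user mismatch"      # link minted for someone else
    if now > exp:
        return False, "expired"
    expected = hmac.new(SIGNING_KEY, _canonical(asset_id, user, exp), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"      # path or query was altered
    # A valid signature proves the server minted the link, not that the user may still
    # read the item; re-check the entitlement at fetch time.
    if not allowed(user, asset_id):
        return False, "not entitled"
    return True, "ok"

if __name__ == "__main__":
    t = 1_700_000_000
    link = sign_download("restricted-0042", "alice", now=t)
    print(link)
    print(verify_download(link, "alice", acl_allows, now=t + 10))
    print(verify_download(link.replace("/media/restricted-0042", "/media/restricted-0043"), "alice", acl_allows, now=t))
```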
Microsoft acknowledged that recent Windows 11 24H2 updates broke playback of DRM-protected content in some apps. Users experienced freezes, black screens, and failures in digital TV and Blu-ray software after installing the August preview or later updates. The issue affects applications that depend on Enhanced Video Renderer paths. Microsoft has confirmed the problem and documented it, while working on a fix. For IT, the risks extend to training portals, regulated environments, or entertainment platforms that rely on protected playback. Organizations should consider pausing updates on affected systems, monitoring the Windows Release Health dashboard, and testing alternative players. Enterprises with strict media review workflows should prepare interim guidance for staff. This incident also reflects the fragility of DRM ecosystems, where small changes can break entire playback pipelines.
Authorities in Las Vegas charged a teenage suspect for cyberattacks against Caesars Entertainment and MGM Resorts, two of the city’s largest casinos. The teen surrendered to juvenile detention and now faces multiple counts, including identity misuse, extortion, and computer crimes. Investigators say the tactics align with Scattered Spider, a group notorious for social engineering and cloud account takeovers. The case shows how sophisticated criminal methods are accessible to young actors, aided by online breach tutorials and forums. For the casino industry, the attacks underscored the fragility of customer-facing systems, with disruptions rippling across hotels, gaming floors, and reservations. Regulators and insurers are expected to scrutinize how operators strengthen identity controls, train staff, and enforce multi-factor authentication. The charges may be only the first in a wider crackdown.
That’s today’s BareMetalCyber Daily Brief. For more, visit Daily Cyber dot News or Bare Metal Cyber dot com. Thanks for listening. We’re back tomorrow.
