Daily Cyber News – September 26, 2025

This is today’s cyber news for September 26, 2025. You can also listen on the go at daily cyber dot news. In the next fifteen minutes, the most compelling cyber stories, clearly explained.

Salesforce has spent weeks under scrutiny after a series of account takeovers and data theft incidents exposed weaknesses in connected apps, credential handling, and session management. Law enforcement has already warned about a wider surge in compromised cloud accounts, and attorneys are circling with potential lawsuits. What troubles security teams is how preventable much of this looks. Tighter IP allow lists, phishing-resistant multi-factor authentication, shorter session lifetimes, and stronger monitoring of API use would have blocked many of these moves. The reputational impact is heavy because Salesforce underpins sales, support, and even identity for thousands of organizations. A trust problem at that level ripples downstream. Expect more prescriptive guidance on OAuth scopes, connected apps, and token rotation, along with sharper audit tools from vendors. For now, inventory your integrations, revoke stale tokens, and enable export controls on reports and bulk APIs. Trust in the cloud is something you configure, not just a value statement.

Investigators are warning that a group known as UNC5221 is embedding itself in network appliances that can’t run traditional endpoint detection. They’re installing updated Brickstorm backdoors on VPNs, firewalls, and other edge devices, buying themselves stealth and longevity. Many appliances lack proper logging or consistent patching, which makes this strategy effective. Early warning signs include unexplained configuration changes, unusual outbound connections, and odd processes that don’t belong. If you suspect compromise, assume the software image itself is tainted and plan to reimage from a golden build rather than rely on patching alone. Watch closely for credential replay against identity providers, since these footholds are often leveraged to pivot into single sign-on and administrator consoles. Keep management networks segmented, enforce phishing-resistant MFA for all admins, and collect netflow to spot beaconing. Once inside, these groups are likely to target code repositories and build systems as their next step.
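The netflow beaconing check mentioned above, as an added example that is not part of the broadcast or of any vendor tool: it groups constructed flow records by source, destination and port, and flags pairs whose inter-flow timing is too regular to be a person browsing. The record layout and thresholds are assumptions.

```python
"""Beacon detection over constructed NetFlow-style records.

Added example, not from the original broadcast. Flow tuples and the
(src, dst, port, bytes) layout are assumptions; all records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    # an edge appliance calling 203.0.113.7 every ~300 s with tiny jitter (constructed)
    *[(1_000_000 + i * 300 + (i % 3), "10.0.0.1", "203.0.113.7", 443, 512 + (i % 2) * 8)
      for i in range(12)],
    # a workstation browsing at irregular times (constructed)
    *[(1_000_000 + t, "10.0.0.5", "198.51.100.20", 443, 30_000 + t)
      for t in (5, 19, 250, 290, 311, 1200, 1500, 2400, 2410, 3600, 3601, 3700)],
]


def beacon_candidates(flows, min_flows=8, max_cv=0.1):
    """Return (src, dst, port, mean_gap, cv) for pairs whose inter-flow timing is
    regular: at least min_flows connections and a low coefficient of variation
    (stdev / mean of the gaps). Human-driven traffic has a cv well above 1."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for src, dst, port, avg, cv in beacon_candidates(FLOWS):
        print(f"beacon? {src} -> {dst}:{port} every ~{avg}s (cv={cv})")
```

Short-lived appliances with a legitimate health-check cadence will also score low on cv, so pair the output with a destination allow list before paging anyone.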

Austria’s armed forces have completed a full migration from Microsoft Office to LibreOffice, citing digital sovereignty and control over telemetry instead of just cost savings. For defense and government, this is a security decision: fewer opaque cloud hooks, clearer licensing, and the option to harden or fork code when threat models require it. The move covers about sixteen thousand desktops and comes as Europe increasingly pushes to reduce dependence on single vendors for critical tools. The transition won’t be smooth—macro compatibility, document fidelity, and user training will remain ongoing pain points. But it highlights a growing trend: governments accepting operational friction in exchange for sovereignty and risk reduction. Expect tighter procurement standards on data residency, logging, and incident response in productivity software. Other agencies will watch closely to see if the long-term security benefits outweigh the short-term headaches.

The Co-operative Group in the U.K. has disclosed the financial damage from April’s attack. They reported eighty million pounds lost in operating profit and more than two hundred million pounds in revenue lost while systems were down. About twenty million pounds went to one-time response and recovery, and another sixty million to lost sales during downtime. The retailer expects an additional twenty million pounds in second-half impacts as remediation continues. These numbers show how long-tail costs outlast headlines, and how business interruption is often the most expensive consequence. For peers, it’s a reminder to practice the decision of shutting down versus isolating, to pre-write outage communications, and to have manual fallback plans ready. Insurance recovery can be constrained by exclusions and sublimits, so review those policies before you need them. Boards should measure time to restore critical systems as closely as they track patch cadence.

The U.S. Cybersecurity and Infrastructure Security Agency has issued an emergency directive telling federal agencies to secure Cisco firewalls against two zero-day flaws already being exploited. The bugs hit Adaptive Security Appliance and Firepower Threat Defense software, allowing remote code execution and unauthenticated access to restricted endpoints. In plain terms, internet-exposed VPN portals become wide-open doors. Agencies are being told to patch immediately, audit configs, rotate credentials, and look for signs of compromise like strange admin sessions or modified VPN settings. Private companies should act just as fast: restrict management interfaces, review crash and reboot logs, and plan for clean redeployments if compromise is suspected. Opportunistic scanning will spike as word spreads. Treat these like active incidents, not routine patch cycles.

Researchers from Infoblox, Guardio, and Confiant are shining a light on a threat actor they call Vane Viper. This group blends ad fraud and malware delivery, brokering traffic for cybercriminals while running its own campaigns. It hides behind shell companies and complex ownership structures and has generated over a trillion DNS queries to muddy its trail and evade blocklists. Its network spans malvertising, redirection chains, and malware droppers, supported by rapid domain churn. Defenders should lean on DNS behavior: look for huge query volumes, spikes in nonexistent domains, and fast-flux changes. Combine that with web controls like content security policies and script allow lists. Marketing teams should be part of this too—tighten your ad supply chain and cut out shady partners. The report shows just how closely adtech fraud and cybercrime now overlap.
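The DNS-side checks described above (query volume, NXDOMAIN spikes, fast-flux answers and domain churn), as an added example that is not from the broadcast or from the Infoblox, Guardio and Confiant report. The resolver log layout is an assumed "ts client qname rcode answer" format and every line is constructed.

```python
"""DNS-behaviour triage over constructed resolver log lines.

Added example, not from the original broadcast or the vendors' report.
The log layout, thresholds and the two-label registrable-domain rule are assumptions.
"""
from collections import Counter, defaultdict

# Constructed resolver log: ts client qname rcode answer
LOG = """\
1 10.0.0.8 cdn-a.example-ads.test NOERROR 203.0.113.10
2 10.0.0.8 cdn-a.example-ads.test NOERROR 203.0.113.11
3 10.0.0.8 cdn-a.example-ads.test NOERROR 203.0.113.12
4 10.0.0.8 cdn-a.example-ads.test NOERROR 203.0.113.13
5 10.0.0.8 x7ksd.example-ads.test NXDOMAIN -
6 10.0.0.8 p0q2m.example-ads.test NXDOMAIN -
7 10.0.0.8 zz91a.example-ads.test NXDOMAIN -
8 10.0.0.8 www.example.test NOERROR 198.51.100.5
9 10.0.0.9 www.example.test NOERROR 198.51.100.5
10 10.0.0.9 mail.example.test NOERROR 198.51.100.6
"""


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, qname, rcode, answer = line.split()
        rows.append((int(ts), client, qname.lower().rstrip("."), rcode, answer))
    return rows


def registrable(qname):
    # Assumption: last two labels form the registrable domain; use the Public Suffix List in production.
    return ".".join(qname.split(".")[-2:])


def triage(rows, max_nx_ratio=0.3, min_ips_per_name=3, min_names_per_zone=4):
    """Flag clients with a high NXDOMAIN share (noisy), names whose answers churn
    across many IPs (fast-flux), and zones spawning many distinct hostnames (churn)."""
    total, nx = Counter(), Counter()
    ips_per_name, names_per_zone = defaultdict(set), defaultdict(set)
    for _, client, qname, rcode, answer in rows:
        total[client] += 1
        names_per_zone[registrable(qname)].add(qname)
        if rcode == "NXDOMAIN":
            nx[client] += 1
        elif answer != "-":
            ips_per_name[qname].add(answer)
    noisy = {c for c in total if nx[c] / total[c] > max_nx_ratio}
    fluxing = {n for n, ips in ips_per_name.items() if len(ips) >= min_ips_per_name}
    churning = {z for z, names in names_per_zone.items() if len(names) >= min_names_per_zone}
    return noisy, fluxing, churning
```

Run the same triage per hour rather than over a whole day so that the ratios reflect spikes instead of being diluted by normal volume.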

A Vietnam-based group known as Lone None is using fake copyright takedown notices to spread an information-stealing trojan. The emails look like legal threats and link to so-called evidence files that actually deploy malware. Targets are site owners and content creators—people who may click under the stress of a legal dispute. Once installed, the malware hunts for browser data, stored credentials, and cryptocurrency wallets. The defenses are simple, but they’re often skipped under pressure. Verify notices through official channels, block executable archives at the email gateway, and sandbox attachments before opening. Train legal and communications teams to escalate through controlled workflows instead of reacting directly. Indicators will change, so rely on behavioral detection and reputation systems, not just static hashes.

Volvo North America has confirmed that employee personal data was exposed when its IT provider, Miljödata, suffered a ransomware attack in August. The incident also hit other well-known organizations, showing how broad the targeting was. It highlights the fragility of extended supply chains, where specialized vendors hold sensitive employee records and operational data. Immediate steps include notifying affected staff, offering credit monitoring, and making sure production systems remain segmented from HR and vendor portals. For other companies, it’s a reminder to revisit assumptions about vendor risk. Require strict reporting timelines, escrowed logs, immutable backups, and clear recovery commitments when outsourcing services that handle personal data. Map your data flows so you can disconnect integrations quickly if a supplier is compromised. Third-party risk is often the fastest path into your environment.
