October 3, 2025 • 31 mins
This is the Friday Rollup for September 29th through October 3rd, 2025. It was a week of edge-device pressure, identity weak spots, and evolving email tradecraft. We cover Red Hat’s internal GitLab intrusion, Outlook’s move to block inline SVG lures, and a critical DrayTek router RCE. We track Allianz Life’s SSN breach and CERT-UA’s CABINETRAT via Excel XLLs, plus a broader pivot from Office macros to ZIP-packed LNK files. You’ll hear why a federal shutdown slowed CISA’s KEV cadence, how OpenShift AI, OpenSSL, and OneLogin issues landed, and where Windows 10’s October 14th end-of-life raises stakes. From DNS hijacks and Exchange espionage to Cisco exposure and a long-running VMware zero-day, the signals were clear.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
This is the Bare Metal Cyber Friday Rollup for September 29th through October 3rd, 2025, powered by DailyCyber.news. You can also listen on the go at daily cyber news dot com.
Red Hat disclosed that an internal GitLab instance was accessed by an attacker, and investigators are now digging into whether credential-embedded records or continuous integration artifacts exposed access tokens that could be reused elsewhere. Red Hat says its production builds and signed content weren’t touched, but teams are auditing repositories, rotating keys, and reviewing pipeline secrets to be safe. Customers care because any leaked cloud or registry tokens could enable supply-chain abuse against downstream environments where Red Hat content is integrated. This is a modern development problem (00:14):
lots of service accounts, long-lived tokens, and automation that keeps secrets near the code. Expect more detail as forensics firm up, including initial access and hardening steps. If your pipelines trust vendor artifacts, validate your own token hygiene now while this is top of mind.
(01:12):
Microsoft is changing Outlook’s default handling of inline S V G—scalable vector graphics—after a burst of credential phishing that hides scripts or smuggles payloads inside images. The new default blocks S V G content in message bodies, which cuts off a lure technique that sailed past filters tuned for Office docs and PDFs. It matters because HTML- and S V G-based social engineering renders cleanly in desktop and web clients, and some organizations previously allowed it for branded signatures. Attackers will pivot to other smuggling tricks, but this closes a popular path. You might hear user complaints about broken logos or signatures; route those to safe-sender solutions instead of creating broad allow lists. Admins should watch message trace and security alerts for policy impacts and adjust transport rules that quietly re-enable risky content.
(02:11):
A critical bug in DrayTek Vigor edge routers allows unauthenticated remote code execution—C V E twenty twenty-five dash ten five four seven—making exposed devices prime for mass compromise. These models are common in small and midsize businesses, so a successful exploit can hijack site-to-site tunnels, intercept traffic, or stage ransomware. Proof-of-concept paths often arrive quickly for router R C E, and botnets move fast to claim territory on the public internet. DrayTek has shipped updates and mitigations, and the highest risk sits where management interfaces are reachable from the WAN. ISPs and managed service providers should expect scanning spikes and opportunistic takeovers while patches roll out. Owners should verify whether remote administration is open and close it where possible, then monitor for unexpected reboots, config changes, or unknown V P N peers as signs of compromise.
(03:13):
Allianz Life notified regulators and consumers about a breach that exposed sensitive personal information, including Social Security numbers, while keeping core policy systems operating. The leak creates long-term identity risk for policyholders and beneficiaries, and it brings extended obligations for credit monitoring and state-level oversight. Adversaries love combining verified identity data with phishing, accelerating account takeover across banks, retirement platforms, and health portals. The company’s incident response now pivots to identity-protection support, breach notification compliance, and strengthening third-party oversight if a vendor was part of the chain. Watch for follow-up disclosures to clarify root cause, compromised datasets, and how long the intruder maintained access. If your organization handles similar data, tighten payout change controls and beneficiary edits with step-up verification and out-of-band checks, because the near-term fraud wave tends to hit fast after disclosures.
(04:16):
The Open S S L project pushed updates for several vulnerabilities across supported branches, the kind of parsing and memory management issues that can lead to denial-of-service or edge-case crashes but don’t rise to Heartbleed levels. Still, Open S S L is everywhere, so even moderate bugs ripple through appliances, proxies, container base images, and embedded systems. Distributions and vendors are publishing downstream packages, often with backports that change version numbers, which makes verification a little messy. Confirm whether your T L S termination points, client libraries, and application dependencies actually pick up the new builds. In containerized environments, a restart won’t help if the base image still carries the old library, so you need to rebuild and redeploy. Scanners will start checking banner versions, though version hiding can muddy that signal. Prioritize internet-facing services first, then work inward, and make sure your image pipelines bake in the patched libraries.
(05:21):
An implementation flaw in OneLogin’s OpenID Connect handling—C V E twenty twenty-five dash five nine three six three—exposed client credentials or configuration details that, under specific conditions, could be abused to mint tokens or impersonate relying parties. Identity providers sit at the center of access decisions, so even small weaknesses can cascade across connected software-as-a-service apps. The issue pushed many tenants to rotate secrets and re-register apps, then comb audit logs for odd token grants, silent consent flows, and unexpected redirect U R I usage. OneLogin issued updates and guidance, but enterprises still had to confirm every downstream application moved to rotated secrets and correct scopes. Integrators who hard-coded secrets in code or continuous-integration variables had extra cleanup. The actionable next step is to rotate all affected client secrets, validate redirect U R Is and scopes, and enable anomaly detection on consent and token issuance events across your tenant.
(06:34):
Microsoft’s extended support for most Windows 10 editions ends on October 14th, which means many machines stop receiving routine security updates. If you haven’t moved those endpoints to Windows 11 or enrolled them in paid Extended Security Updates, they become permanent soft targets for whatever exploit shows up next. Attackers time their kits to these moments and fold fresh Windows 10 vulnerabilities into phishing and crimeware bundles quickly. Legacy hardware, app compatibility, and tight budgets are the usual blockers, and shadow IT or remote sites often lag even more. Some security vendors already dialed back Windows 10 testing, so your defenses can get weaker as the OS ages. The practical play is to get a precise count of remaining Windows 10 devices, isolate or wrap the stragglers, and either migrate or buy ESU with a short, enforced retirement date.
(07:32):
A long-running espionage campaign attributed to Phantom Taurus targeted on-premises Microsoft Exchange servers using fileless techniques and living-off-the-land tools. They gained mailbox access, planted stealthy forwarding rules, and used PowerShell remoting to persist without dropping obvious binaries. Diplomatic missions, defense-adjacent groups, and NGOs were in the blast radius, and the operators moved slowly with off-hours tasking to blend into routine admin noise. Exchange is a high-privilege choke point, so mailbox content and credentials make it a perfect hub for collection and pivoting. Detections often started with unusual rules, odd EWS activity, or service accounts behaving like users. If you still run on-prem or hybrid mail, lock down management endpoints, enable mailbox auditing and rule-change alerts, and deploy endpoint telemetry tuned for PowerShell and EWS anomalies on the mail servers themselves.
(08:33):
Researchers detailed a privilege escalation flaw affecting multiple Linux distributions that attackers chained after initial access to jump from a basic foothold to full root. They used it after phishing, web shells, or misconfigured services to disable agents, scrape secrets, and move laterally. Containers and appliances weren’t safe if the host kernel carried the vulnerable code, and cloud images lagged patches, so autoscaled nodes kept coming up exposed until images were rebuilt. Forensics showed quick privilege jumps followed by credential dumping and log tampering, with some detections tied to unusual set U I D changes. The durable fix was kernel updates plus golden image rebuilds, which takes cross-team coordination. Make sure your alerts cover privilege escalations and the sudden appearance of set U I D binaries in user-writable paths.
C I S A added Adminer, Cisco, GoAnywhere, and Sudo issues to the Known Exploited Vulnerabilities catalog, which signals active abuse, not theoretical risk. Federal agencies face remediation deadlines, and many private organizations mirror those timelines because KEV entries shape scanner coverage and vendor advisories. The mix is telling (09:30):
Adminer and GoAnywhere keep biting because they handle sensitive data and automation, and Cisco entries emphasize the edge, while Sudo highlights evergreen Linux privilege paths. Teams often miss KEV updates during busy seasons or freezes. Treat KEV like a standing backlog
(10:22):
Western Digital My Cloud storage devices were hit by unauthenticated remote code execution and command injection bugs on exposed management interfaces. Small businesses and home offices rely on these boxes for backups and media, often placing them on flat networks with remote access features enabled. Once compromised, attackers browsed files, created backdoors, and sometimes folded devices into botnets. Scanning on the usual management ports spiked, and long uptimes plus weak monitoring meant many victims didn’t notice until ransomware or data loss. Firmware updates exist, but manual patching and forgotten appliances slow adoption. The practical move is to update firmware, turn off internet-facing management, and stick the device on a dedicated V L A N with tight egress.
(11:14):
Incident responders tied fast intrusions to Akira ransomware crews who used compromised credentials on SonicWall V P N portals, then moved laterally and encrypted quickly. Multi-factor authentication was present in some cases, but it was sidestepped by weak policies, session abuse, or exposed management paths. The playbook leaned on legitimate Windows tools for discovery and backup tampering, and victims often lacked centralized visibility on the V P N and identity planes. Post-mortems kept finding stale admin accounts and shared local passwords. Some organizations even uncovered dormant web shells from older break-ins. Recovery hinged on clean domain controllers and known-good backups. The fix is phishing-resistant M F A, tighter V P N auth flows, and watchlists for abnormal sign-ins and token reuse from the V P N segment.
(12:11):
Security teams saw a surge in credential phishing that embeds scripts inside S V G images, with large language models helping craft convincing lure text and obfuscated code. S V G renders cleanly across clients and can smuggle payloads or redirectors, and some mail systems allow it for branded signatures. Campaigns spoofed well-known brands with short subjects and minimal body text, and static scanners struggled with nested tags and polyglot tricks. On endpoints, tokens and passwords disappeared quickly after clicks. The tradeoff for administrators is visual fidelity versus safety—especially for signatures. The smart play is to block or sanitize inline S V G in email, train users on image-based lures, and inspect HTML and S V G for scripts and external references to shut down this path.
(13:09):
Threat actors pushed emails and landing pages dressed up as Ukrainian police notices, using embedded S V G files to deliver multi-stage payloads. The S V Gs loaded script that redirected users to downloaders, then fetched Amatera Stealer for credential and cookie theft or PureMiner for quiet crypto-mining. The lures were simple and believable—government logos and short warnings—and many gateways allowed S V G content, which helped the campaign slip through. Telemetry showed fast browser token theft and wallet targeting once the chain executed, and the operators rotated domains and shortened links to dodge block lists. Infections came from both personal devices and corporate laptops. The fix is to block inline S V G in email, sanitize HTML, and alert on browser token access plus outbound connections to newly registered domains.
Malvertising and search-poisoned pages impersonated Microsoft Teams downloads, serving signed-looking installers that dropped the Oyster remote-access trojan. The packages used believable filenames and versioning, then set persistence via scheduled tasks or registry keys and started beaconing for command execution, file grabs, and lateral movement using built-in tools. Targets skewed toward small firms and contractors hunting for “Teams offline installer.” Some environments trusted the path or signature wrapper, which let the fake installers run. Responders often found security agents disabled early and credentials dumped soon after. Cleanup meant removing persistence, rotating passwords, and revoking cloud sessions. The practical guidance is (14:10):
send users to vendor portals for software, block ad-based download clicks, and verify install hashes and publisher metadata before allowing execution.
(15:12):
Joint guidance from U S and U K authorities urged organizations to retire end-of-life Cisco A S A models and related firewalls, warning that unsupported edge devices sitting on the public internet are a permanent risk. Investigations tied intrusions to old code trains, weak management policies, and unmonitored changes, and even patched units sometimes carried residual implants or modified access lists. Network teams often defer replacements because of uptime pressure and migration complexity, but the edge concentrates identity, V P N, and inspection, so the stakes are high. Out-of-band management interfaces reachable from untrusted networks made matters worse. The move now is to inventory every perimeter device, schedule replacements for E O L gear, and enforce centralized configuration monitoring with alerts on firmware, A C L, and admin account changes.
Moldova reported online disruptions aimed at election-related services, with traffic floods and targeted probes degrading availability for voter-facing portals and info sites. There wasn’t evidence of ballot manipulation, but the pattern matched global playbooks (16:09):
noisy denial-of-service mixed with selective defacement attempts. Officials worked with providers to filter traffic and restore capacity, while attribution stayed murky amid bot traffic sourced across multiple countries. The larger point is that civic trust can be shaken without touching core voting equipment, and many municipalities lack standing D D o S contracts and public-communication plans. The actionable step is to pre-contract mitigation with failover, publish static status mirrors, and rehearse election-week incident communication with providers and law enforcement.
(17:04):
Google’s threat intel team exposed BRICKSTORM, a modular backdoor aimed at firms that hold sensitive legal and technology data, with initial access ranging from malvertising and spear-phishing to exploited web apps. After a staged loader, encrypted modules arrived for file collection and credential access, and operators favored off-hours tasking with cloud-sync abuse to blend exfiltration into normal traffic. Law firms and business-process outsourcers were prime targets because they aggregate client records and merger data. Endpoint hints included odd command interpreters launched by signed-but-abused utilities, while cloud logs showed anomalous OAuth grants and legacy I M A P-style access. Response meant both host cleanup and SaaS token revocation. Hunt for persistence via scheduled tasks and strange parent-child processes, revoke risky OAuth grants, and turn on conditional access rules that restrict legacy protocols and foreign sign-ins.
(18:09):
Attackers bought search ads and poisoned S E O around “TradingView Premium,” luring finance-curious users into downloading a lookalike installer that dropped an info-stealing trojan. The fake build presented a believable interface, then set persistence and started grabbing browser data while quietly weakening local protections. Victims skewed toward small investment shops and retail traders who keep exchange A P I keys and wallet info on personal machines. The payload targeted cookies, wallets, and two-factor backup files and rotated domains and code-signing certs to outrun takedowns. Enterprises sometimes felt secondary exposure when infected home systems accessed corporate SaaS. Cleanup required browser profile resets and rotating secrets across exchanges and brokers. The practical move is to block search-ad clicks for downloads, pin vendor portals, and monitor for finance tool installers launching from temp and downloads directories.
(19:14):
Organizations hit an outage where some externally encrypted emails failed to deliver or display correctly in Outlook after a service-side change, disrupting legal, healthcare, and cross-tenant communications. Admins burned time chasing false D L P and spam leads before Microsoft acknowledged the issue and rolled out mitigations, including client refresh guidance and transport rule adjustments. The incident underscores how fragile protected mail can be when it crosses multiple identity providers and ecosystems. Some firms fell back to secure portals, while others temporarily used plaintext plus out-of-band keys during triage. Postmortems pointed to the need for dependency mapping for critical processes like legal holds and claims adjudication. Document and test fallback channels for protected communications, monitor message trace for protection failures, and pin mission-critical workflows to redundant, well-rehearsed secure-delivery methods.
(20:15):
That’s the Bare Metal Cyber Friday Rollup for September 29th through October 3rd, 2025. For more, visit BareMetalCyber dot com, and listen daily at daily cyber news dot com. Thanks for listening. We’re back Monday.
This is the Bare Metal Cyber Friday Rollup for September 29th through October 3rd, 2025, powered by DailyCyber.news. You can also listen on the go at daily cyber news dot com.
Red Hat disclosed that an internal GitLab instance was accessed by an attacker, and investigators are now digging into whether credential-embedded records or continuous integration artifacts exposed access tokens that could be reused elsewhere. Red Hat says its production builds and signed content weren’t touched, but teams are auditing repositories, rotating keys, and reviewing pipeline secrets to be safe. Customers care because any leaked cloud or registry tokens could enable supply-chain abuse against downstream environments where Red Hat content is integrated. This is a modern development problem (00:14):
lots of service accounts, long-lived tokens, and automation that keeps secrets near the code. Expect more detail as forensics firm up, including initial access and hardening steps. If your pipelines trust vendor artifacts, validate your own token hygiene now while this is top of mind.
(01:12):
Microsoft is changing Outlook’s default handling of inline S V G—scalable vector graphics—after a burst of credential phishing that hides scripts or smuggles payloads inside images. The new default blocks S V G content in message bodies, which cuts off a lure technique that sailed past filters tuned for Office docs and PDFs. It matters because HTML- and S V G-based social engineering renders cleanly in desktop and web clients, and some organizations previously allowed it for branded signatures. Attackers will pivot to other smuggling tricks, but this closes a popular path. You might hear user complaints about broken logos or signatures; route those to safe-sender solutions instead of creating broad allow lists. Admins should watch message trace and security alerts for policy impacts and adjust transport rules that quietly re-enable risky content.
(02:11):
A critical bug in DrayTek Vigor edge routers allows unauthenticated remote code execution—C V E twenty twenty-five dash ten five four seven—making exposed devices prime for mass compromise. These models are common in small and midsize businesses, so a successful exploit can hijack site-to-site tunnels, intercept traffic, or stage ransomware. Proof-of-concept paths often arrive quickly for router R C E, and botnets move fast to claim territory on the public internet. DrayTek has shipped updates and mitigations, and the highest risk sits where management interfaces are reachable from the WAN. ISPs and managed service providers should expect scanning spikes and opportunistic takeovers while patches roll out. Owners should verify whether remote administration is open and close it where possible, then monitor for unexpected reboots, config changes, or unknown V P N peers as signs of compromise.
(03:13):
Allianz Life notified regulators and consumers about a breach that exposed sensitive personal information, including Social Security numbers, while keeping core policy systems operating. The leak creates long-term identity risk for policyholders and beneficiaries, and it brings extended obligations for credit monitoring and state-level oversight. Adversaries love combining verified identity data with phishing, accelerating account takeover across banks, retirement platforms, and health portals. The company’s incident response now pivots to identity-protection support, breach notification compliance, and strengthening third-party oversight if a vendor was part of the chain. Watch for follow-up disclosures to clarify root cause, compromised datasets, and how long the intruder maintained access. If your organization handles similar data, tighten payout change controls and beneficiary edits with step-up verification and out-of-band checks, because the near-term fraud wave tends to hit fast after disclosures.
(04:16):
The Open S S L project pushed updates for several vulnerabilities across supported branches, the kind of parsing and memory management issues that can lead to denial-of-service or edge-case crashes but don’t rise to Heartbleed levels. Still, Open S S L is everywhere, so even moderate bugs ripple through appliances, proxies, container base images, and embedded systems. Distributions and vendors are publishing downstream packages, often with backports that change version numbers, which makes verification a little messy. Confirm whether your T L S termination points, client libraries, and application dependencies actually pick up the new builds. In containerized environments, a restart won’t help if the base image still carries the old library, so you need to rebuild and redeploy. Scanners will start checking banner versions, though version hiding can muddy that signal. Prioritize internet-facing services first, then work inward, and make sure your image pipelines bake in the patched libraries.
(05:21):
An implementation flaw in OneLogin’s OpenID Connect handling—C V E twenty twenty-five dash five nine three six three—exposed client credentials or configuration details that, under specific conditions, could be abused to mint tokens or impersonate relying parties. Identity providers sit at the center of access decisions, so even small weaknesses can cascade across connected software-as-a-service apps. The issue pushed many tenants to rotate secrets and re-register apps, then comb audit logs for odd token grants, silent consent flows, and unexpected redirect U R I usage. OneLogin issued updates and guidance, but enterprises still had to confirm every downstream application moved to rotated secrets and correct scopes. Integrators who hard-coded secrets in code or continuous-integration variables had extra cleanup. The actionable next step is to rotate all affected client secrets, validate redirect U R Is and scopes, and enable anomaly detection on consent and token issuance events across your tenant.
(06:34):
Microsoft’s extended support for most Windows 10 editions ends on October 14th, which means many machines stop receiving routine security updates. If you haven’t moved those endpoints to Windows 11 or enrolled them in paid Extended Security Updates, they become permanent soft targets for whatever exploit shows up next. Attackers time their kits to these moments and fold fresh Windows 10 vulnerabilities into phishing and crimeware bundles quickly. Legacy hardware, app compatibility, and tight budgets are the usual blockers, and shadow IT or remote sites often lag even more. Some security vendors already dialed back Windows 10 testing, so your defenses can get weaker as the OS ages. The practical play is to get a precise count of remaining Windows 10 devices, isolate or wrap the stragglers, and either migrate or buy ESU with a short, enforced retirement date.
(07:32):
A long-running espionage campaign attributed to Phantom Taurus targeted on-premises Microsoft Exchange servers using fileless techniques and living-off-the-land tools. They gained mailbox access, planted stealthy forwarding rules, and used PowerShell remoting to persist without dropping obvious binaries. Diplomatic missions, defense-adjacent groups, and NGOs were in the blast radius, and the operators moved slowly with off-hours tasking to blend into routine admin noise. Exchange is a high-privilege choke point, so mailbox content and credentials make it a perfect hub for collection and pivoting. Detections often started with unusual rules, odd EWS activity, or service accounts behaving like users. If you still run on-prem or hybrid mail, lock down management endpoints, enable mailbox auditing and rule-change alerts, and deploy endpoint telemetry tuned for PowerShell and EWS anomalies on the mail servers themselves.
(08:33):
Researchers detailed a privilege escalation flaw affecting multiple Linux distributions that attackers chained after initial access to jump from a basic foothold to full root. They used it after phishing, web shells, or misconfigured services to disable agents, scrape secrets, and move laterally. Containers and appliances weren’t safe if the host kernel carried the vulnerable code, and cloud images lagged patches, so autoscaled nodes kept coming up exposed until images were rebuilt. Forensics showed quick privilege jumps followed by credential dumping and log tampering, with some detections tied to unusual set U I D changes. The durable fix was kernel updates plus golden image rebuilds, which takes cross-team coordination. Make sure your alerts cover privilege escalations and the sudden appearance of set U I D binaries in user-writable paths.
C I S A added Adminer, Cisco, GoAnywhere, and Sudo issues to the Known Exploited Vulnerabilities catalog, which signals active abuse, not theoretical risk. Federal agencies face remediation deadlines, and many private organizations mirror those timelines because KEV entries shape scanner coverage and vendor advisories. The mix is telling (09:30):
Adminer and GoAnywhere keep biting because they handle sensitive data and automation, and Cisco entries emphasize the edge, while Sudo highlights evergreen Linux privilege paths. Teams often miss KEV updates during busy seasons or freezes. Treat KEV like a standing backlog
(10:22):
Western Digital My Cloud storage devices were hit by unauthenticated remote code execution and command injection bugs on exposed management interfaces. Small businesses and home offices rely on these boxes for backups and media, often placing them on flat networks with remote access features enabled. Once compromised, attackers browsed files, created backdoors, and sometimes folded devices into botnets. Scanning on the usual management ports spiked, and long uptimes plus weak monitoring meant many victims didn’t notice until ransomware or data loss. Firmware updates exist, but manual patching and forgotten appliances slow adoption. The practical move is to update firmware, turn off internet-facing management, and stick the device on a dedicated V L A N with tight egress.
(11:14):
Incident responders tied fast intrusions to Akira ransomware crews who used compromised credentials on SonicWall V P N portals, then moved laterally and encrypted quickly. Multi-factor authentication was present in some cases, but it was sidestepped by weak policies, session abuse, or exposed management paths. The playbook leaned on legitimate Windows tools for discovery and backup tampering, and victims often lacked centralized visibility on the V P N and identity planes. Post-mortems kept finding stale admin accounts and shared local passwords. Some organizations even uncovered dormant web shells from older break-ins. Recovery hinged on clean domain controllers and known-good backups. The fix is phishing-resistant M F A, tighter V P N auth flows, and watchlists for abnormal sign-ins and token reuse from the V P N segment.
(12:11):
Security teams saw a surge in credential phishing that embeds scripts inside S V G images, with large language models helping craft convincing lure text and obfuscated code. S V G renders cleanly across clients and can smuggle payloads or redirectors, and some mail systems allow it for branded signatures. Campaigns spoofed well-known brands with short subjects and minimal body text, and static scanners struggled with nested tags and polyglot tricks. On endpoints, tokens and passwords disappeared quickly after clicks. The tradeoff for administrators is visual fidelity versus safety—especially for signatures. The smart play is to block or sanitize inline S V G in email, train users on image-based lures, and inspect HTML and S V G for scripts and external references to shut down this path.
(13:09):
Threat actors pushed emails and landing pages dressed up as Ukrainian police notices, using embedded S V G files to deliver multi-stage payloads. The S V Gs loaded script that redirected users to downloaders, then fetched Amatera Stealer for credential and cookie theft or PureMiner for quiet crypto-mining. The lures were simple and believable—government logos and short warnings—and many gateways allowed S V G content, which helped the campaign slip through. Telemetry showed fast browser token theft and wallet targeting once the chain executed, and the operators rotated domains and shortened links to dodge block lists. Infections came from both personal devices and corporate laptops. The fix is to block inline S V G in email, sanitize HTML, and alert on browser token access plus outbound connections to newly registered domains.
Malvertising and search-poisoned pages impersonated Microsoft Teams downloads, serving signed-looking installers that dropped the Oyster remote-access trojan. The packages used believable filenames and versioning, then set persistence via scheduled tasks or registry keys and started beaconing for command execution, file grabs, and lateral movement using built-in tools. Targets skewed toward small firms and contractors hunting for “Teams offline installer.” Some environments trusted the path or signature wrapper, which let the fake installers run. Responders often found security agents disabled early and credentials dumped soon after. Cleanup meant removing persistence, rotating passwords, and revoking cloud sessions. The practical guidance is (14:10):
send users to vendor portals for software, block ad-based download clicks, and verify install hashes and publisher metadata before allowing execution.
(15:12):
Joint guidance from U S and U K authorities urged organizations to retire end-of-life Cisco A S A models and related firewalls, warning that unsupported edge devices sitting on the public internet are a permanent risk. Investigations tied intrusions to old code trains, weak management policies, and unmonitored changes, and even patched units sometimes carried residual implants or modified access lists. Network teams often defer replacements because of uptime pressure and migration complexity, but the edge concentrates identity, V P N, and inspection, so the stakes are high. Out-of-band management interfaces reachable from untrusted networks made matters worse. The move now is to inventory every perimeter device, schedule replacements for E O L gear, and enforce centralized configuration monitoring with alerts on firmware, A C L, and admin account changes.
Moldova reported online disruptions aimed at election-related services, with traffic floods and targeted probes degrading availability for voter-facing portals and info sites. There wasn’t evidence of ballot manipulation, but the pattern matched global playbooks (16:09):
noisy denial-of-service mixed with selective defacement attempts. Officials worked with providers to filter traffic and restore capacity, while attribution stayed murky amid bot traffic sourced across multiple countries. The larger point is that civic trust can be shaken without touching core voting equipment, and many municipalities lack standing D D o S contracts and public-communication plans. The actionable step is to pre-contract mitigation with failover, publish static status mirrors, and rehearse election-week incident communication with providers and law enforcement.
(17:04):
Google’s threat intel team exposed BRICKSTORM, a modular backdoor aimed at firms that hold sensitive legal and technology data, with initial access ranging from malvertising and spear-phishing to exploited web apps. After a staged loader, encrypted modules arrived for file collection and credential access, and operators favored off-hours tasking with cloud-sync abuse to blend exfiltration into normal traffic. Law firms and business-process outsourcers were prime targets because they aggregate client records and merger data. Endpoint hints included odd command interpreters launched by signed-but-abused utilities, while cloud logs showed anomalous OAuth grants and legacy I M A P-style access. Response meant both host cleanup and SaaS token revocation. Hunt for persistence via scheduled tasks and strange parent-child processes, revoke risky OAuth grants, and turn on conditional access rules that restrict legacy protocols and foreign sign-ins.
(18:09):
Attackers bought search ads and poisoned S E O around “TradingView Premium,” luring finance-curious users into downloading a lookalike installer that dropped an info-stealing trojan. The fake build presented a believable interface, then set persistence and started grabbing browser data while quietly weakening local protections. Victims skewed toward small investment shops and retail traders who keep exchange A P I keys and wallet info on personal machines. The payload targeted cookies, wallets, and two-factor backup files and rotated domains and code-signing certs to outrun takedowns. Enterprises sometimes felt secondary exposure when infected home systems accessed corporate SaaS. Cleanup required browser profile resets and rotating secrets across exchanges and brokers. The practical move is to block search-ad clicks for downloads, pin vendor portals, and monitor for finance tool installers launching from temp and downloads directories.
(19:14):
Organizations hit an outage where some externally encrypted emails failed to deliver or display correctly in Outlook after a service-side change, disrupting legal, healthcare, and cross-tenant communications. Admins burned time chasing false D L P and spam leads before Microsoft acknowledged the issue and rolled out mitigations, including client refresh guidance and transport rule adjustments. The incident underscores how fragile protected mail can be when it crosses multiple identity providers and ecosystems. Some firms fell back to secure portals, while others temporarily used plaintext plus out-of-band keys during triage. Postmortems pointed to the need for dependency mapping for critical processes like legal holds and claims adjudication. Document and test fallback channels for protected communications, monitor message trace for protection failures, and pin mission-critical workflows to redundant, well-rehearsed secure-delivery methods.
(20:15):
That’s the Bare Metal Cyber Friday Rollup for September 29th through October 3rd, 2025. For more, visit BareMetalCyber dot com, and listen daily at daily cyber news dot com. Thanks for listening. We’re back Monday.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
CrimeLess: Hillbilly Heist
It’s 1996 in rural North Carolina, and an oddball crew makes history when they pull off America’s third largest cash heist. But it’s all downhill from there. Join host Johnny Knoxville as he unspools a wild and woolly tale about a group of regular ‘ol folks who risked it all for a chance at a better life. CrimeLess: Hillbilly Heist answers the question: what would you do with 17.3 million dollars? The answer includes diamond rings, mansions, velvet Elvis paintings, plus a run for the border, murder-for-hire-plots, and FBI busts.