Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
This is today’s cyber news for October 10th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at dailycyber.news.
What happened (00:12):
SonicWall confirmed that threat actors accessed backups for all customers using its cloud firewall backup service, not just a small subset. Those backups can include device configurations, network objects, rules, and sometimes credentials or tokens that enable lateral movement. The company says it revoked exposed tokens, rotated keys, and is notifying affected customers with remediation steps. There’s no sign that on-prem firewall firmware was trojanized, but configuration intel alone can fuel precise follow-on attacks. Investigations and forced resets are ongoing.
What this means (00:52):
Configuration data is a blueprint for your network and a shortcut to privilege escalation. Organizations using the cloud backup should assume attackers know policy gaps, exposed services, and trust relationships. For leaders
Recommendation (01:36):
Immediately rotate credentials and tokens tied to SonicWall devices, re-generate backups, and implement strict change monitoring on firewall policies.
Patch or remove the vulnerable plugin immediately; if you can’t, disable it, block write access to wp-content, and monitor for rogue admins and file changes.
What happened (02:01):
Researchers tracked an Android spyware family called “ClayRat” that masquerades as popular apps like WhatsApp and TikTok. Distribution relies on look-alike websites, Telegram channels, and sideloaded APK files seeded through social media. The malware requests broad permissions, exfiltrates messages and media, and can persist across reboots while updating modules from command servers. More than six hundred samples and dozens of droppers indicate an ongoing, adaptable campaign focused on Russian-speaking users but portable to other regions.
What this means (02:37):
Consumer and bring-your-own-device phones are at risk, and any corporate chat data synced to those devices is in scope. Enterprises with relaxed sideloading policies or unmanaged Android fleets face exposure through shadow communications apps. For leaders
Recommendation (03:24):
Block sideloading for corporate access, require managed store installs, and quarantine devices with risky permissions until re-imaged.
What happened (03:39):
A capacity problem in Azure Front Door, Microsoft’s global content delivery and application acceleration service, cascaded into Microsoft 365 administration and portal access issues. Impact varied by region, with admins unable to reach management consoles or seeing elevated error rates. Microsoft deployed mitigations to re-balance capacity and restore service while monitoring for recurrences. No data loss is indicated, but service reliability concerns remain.
What this means (04:16):
Front Door is a critical dependency for identity, admin, and user-facing SaaS experiences. Outages at this layer translate into operational blind spots for IT teams and delayed incident response. For leaders
Recommendation (04:57):
Map your dependencies on Azure Front Door, establish out-of-band admin procedures, and test continuity plans for identity and SaaS management.
What this means (05:10):
SaaS HR platforms and self-service payroll portals are high-value targets with immediate financial impact. Decentralized university IT and federated identity models increase attack surface. For leaders
Recommendation (05:49):
Enforce phishing-resistant MFA and step-up verification for any payroll or bank-account change, with real-time alerts to both HR and the employee.
What happened (06:02):
A fast-moving botnet dubbed RondoDox is exploiting dozens of already-known—so-called “n-day”—vulnerabilities in parallel against internet-facing devices. Targets include DVRs, CCTV systems, small-business routers, and popular web servers, giving the operator reach from home offices to midsize enterprises. The campaign rotates exploits aggressively, which makes simple signature blocking ineffective and helps the botnet survive takedowns. Researchers also observed rapid re-scanning after reboots or patch attempts, indicating automation and resilient infrastructure.
What this means (06:37):
Mass exploitation of known bugs remains the biggest risk for edge gear and neglected servers. Any organization with unmanaged IoT, outdated firmware, or slow patch cycles presents easy entry for DDoS or lateral movement. For leaders
Recommendation (07:15):
Eliminate exposed outdated devices, patch the rest on a fixed cadence, and geo-rate-limit or block management services from the open internet.
What happened (07:29):
Multiple investigations show ransomware affiliates using Velociraptor—an open-source digital forensics and incident response tool—to gain remote visibility, hunt data, and stage payloads. The tool’s legitimate capabilities—live collection, artifact queries, and lateral movement helpers—make it attractive for stealthy pre-encryption activity. Adversaries pair it with commodity loaders and living-off-the-land techniques to persist and exfiltrate quietly. This trend blurs the line between blue-team utilities and red-team tradecraft.
What this means (08:11):
Dual-use tools reduce attacker costs and complicate detection because they resemble sanctioned admin activity. Endpoint policies that allow Velociraptor for responders may also allow adversaries to blend in. For leaders
Recommendation (08:53):
Restrict, sign, and monitor DFIR tools; if you don’t actively use Velociraptor, block execution organization-wide and alert on installation attempts.
What happened (09:06):
Discord clarified that an earlier extortion claim overstated the scale of a breach tied to support workflows. About seventy thousand government ID images used for account verification were exposed via a third-party support system, not millions of full user accounts. Discord invalidated exposed tokens, is notifying affected users, and says core production systems were not compromised. The incident still places sensitive identity documents at risk for reuse and fraud.
What this means (09:44):
Even limited exposure of identity documents creates long-tail risk for impersonation and account takeovers. Organizations that rely on Discord for communities or developer support should consider how trust-and-safety processes intersect with third-party vendors. For leaders
Recommendation (10:26):
Require step-up authentication for any account recovery or verification change and audit third-party support tools holding sensitive documents.
What happened (10:41):
Attackers are luring users with spoofed Microsoft Teams installers delivered through search ads and SEO-poisoned pages. The payload chain ultimately installs a persistent backdoor researchers call “Oyster,” which harvests credentials, profiles browsers, and enables command execution. The campaign targets both home users and small enterprises that allow self-service software installs. Signed loaders and look-alike domains help the operation bypass casual scrutiny.
What this means (11:15):
Software download trust is drifting from vendor stores to search results, and that’s exploitable. Any device allowed to install apps without a catalog or packaging control is fair game. For leaders
Recommendation (11:59):
Lock software installs to a managed catalog, block ad-driven download domains, and quarantine any host that installed Teams outside your official channel.
What happened (12:11):
Researchers detailed a fresh variant of the ClickFix social-engineering technique that now abuses cache smuggling to deliver payloads without obvious download prompts. The lure—often framed as a “fix” for a security warning—drives the browser to cache a malicious file that later executes via a crafted link or user gesture. By splitting delivery and execution, the actors sidestep traditional content filters and many endpoint alerts. The technique has been seen alongside impersonation of well-known security brands.
What this means (12:46):
Web security controls that rely on visible downloads or URL reputation can be bypassed when payloads ride through caching layers. Enterprises with lax browser hardening and permissive handler associations are most exposed. For leaders
Recommendation (13:23):
Harden managed browsers, disable risky protocol handlers, and block execution from browser cache locations while tightening isolation for untrusted browsing.
What happened (13:36):
Microsoft Defender for Endpoint briefly flagged supported SQL Server 2017 and 2019 as end-of-life, triggering noisy compliance alerts and ticket storms. The issue came from an asset intelligence bug that misread product lifecycle data and pushed the wrong status to dashboards and APIs. Microsoft acknowledged the error, shipped a service-side fix, and said no actual support status changed for those versions. Still, many organizations had automated workflows that opened incidents, escalated to leadership, or triggered remediation playbooks.
What this means (14:13):
When your telemetry is wrong, your priorities follow it. False EOL signals can divert teams from real risks, overwhelm analysts, and damage credibility with business stakeholders. For leaders
Recommendation (14:54):
Validate asset lifecycle data against an authoritative source before auto-remediation; temporarily suppress the misfire while manually watching true EOL systems.
What happened (15:08):
A threat actor advertised a 405 MB database allegedly containing over one million customer and order records from KFC’s Venezuela operation. Samples shared in criminal forums appear to include names, contact details, order metadata, and limited payment-related fields—not full card numbers. The seller claims recent extraction, though independent verification remains mixed. Local customers reported credential-stuffing attempts shortly after the listing, suggesting some data elements are valid enough for targeted phishing.
What this means (15:49):
Regional brands with fragmented IT can become soft targets, and attackers monetize even partial data sets. Retail and food-service operators face reputational damage, fraud costs, and compliance scrutiny if customer data is exposed. For leaders
Recommendation (16:34):
Initiate forced resets on exposed accounts, tighten anti-fraud checks on high-risk orders, and coordinate a unified customer notice with clear phishing guidance.
What happened (16:49):
New analyses of recent SaaS compromises show attackers often skip passwords by abusing OAuth tokens, API keys, and long-lived session cookies. Stolen tokens come from infostealers, build logs, misconfigured repos, or over-permissive integrations, and they’re traded in private channels. Because tokens can outlive password resets and MFA, adversaries maintain silent access until scopes are rotated or revoked. Many organizations still lack inventory, rotation policies, or centralized visibility for these credentials.
Recommendation (17:28):
Set a ninety-day maximum lifetime for tokens, enforce admin consent and least-privilege scopes, and auto-revoke on device or geo anomalies.
That’s the BareMetalCyber Daily Brief for October 10th, 2025. For more, visit BareMetalCyber.com. You can also subscribe to the newsletter and view the archive of previous headlines at dailycyber.news. We’re back Monday!