Weekly Cyber News Rollup, October 31st, 2025

This is this week’s cyber news for October 27th through October 31st, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

First, Microsoft rushed an emergency fix for update infrastructure. Attackers piggybacked on Windows Server Update Services, W S U S, pushing malicious packages through trusted lanes that normally deliver enterprise patches. The outcome was simple and dangerous, as fleetwide compromise could flow from a single approved job. Teams were told to patch W S U S quickly and audit for any unsigned or unexpected updates.

Meanwhile, a zero day hit Oracle E Business Suite. Intruders pried into enterprise resource planning, E R P, modules for finance and supply chain, lifting records and spawning unauthorized administrative sessions. Activity stretched over months and reused infrastructure, suggesting patient access and steady exfiltration. Oracle issued fixes, and customers were urged to patch quickly and review logs for large exports and new high privilege accounts.

At scale, a flaw threatened B I N D resolvers. It enabled cache poisoning in the Domain Name System, D N S, letting attackers redirect sign on flows and updates at scale. Roughly seven hundred thousand servers were flagged as exposed, especially with legacy settings and weak validation. Admins were urged to update B I N D, restrict resolver access, and watch for abrupt name server changes.

Soon after, Google pushed an urgent Chrome security update. The exploited chain was linked to Italian vendor Memento Labs, whose spyware targets high risk users through commercial surveillance programs. Attackers used browser bugs to run code and siphon data before fleet devices refreshed. Enterprises were told to force update and relaunch Chrome and to confirm fixed versions across managed endpoints.

Later, LockBit resurfaced with a rebuilt toolkit. Operators expanded cross platform payloads to hit Windows and Linux systems, adding pressure on virtualization stacks to shorten dwell time. Extortion sites began listing fresh victims as the crew tested quicker movement inside target networks. Defenders were urged to harden remote access, patch public services, and verify fast recovery from offline backups.

Federal defenders got an emergency order. The Cybersecurity and Infrastructure Security Agency, C I S A, ordered agencies to patch a VMware Tools flaw exploited by China. Attackers used guest access to escalate privileges and pivot laterally across virtual estates. Agencies were told to verify patching and check logs for unusual guest to host activity.

Meanwhile, the supply chain was the target. Attackers published look alike packages named PhantomRaven in the Node package manager, N P M, ecosystem to harvest developer tokens at scale. Stolen secrets unlocked source code, continuous integration, C I, pipelines, and private repositories. The incident triggered token rotation and dependency audits across affected projects.

Elsewhere, a polished lure hit executives hard. Attackers sent LinkedIn board invitation messages that led victims to counterfeit Microsoft sign in pages, capturing credentials from finance leaders. This followed business email compromise, B E C, patterns that escalate quickly into wire fraud and mailbox rule abuse. Targets were prompted to reset credentials and to watch for suspicious vendor change requests.

Soon after, Qilin tried a different angle today. The group launched Linux encryptors inside Windows hosts through Windows Subsystem for Linux, W S L, sidestepping common endpoint defenses. Running a Linux payload under Windows created telemetry blind spots and muddied forensic timelines for responders. Investigations described the approach as complicating cleanup and restoration steps.

Amid this, factory floors drew active fire this week. The Cybersecurity and Infrastructure Security Agency, C I S A, warned of exploitation against DELMIA Apriso software running shop floor execution. The alert cited risks to production continuity and to process data inside manufacturing lines. The issues were tracked in the Known Exploited Vulnerabilities, K E V, catalog, signaling ongoing attacks in the field.

Canada issued a warning about coordinated industrial tampering. Hacktivists reached exposed human machine interfaces, H M I, on water and energy systems and tweaked setpoints using weak credentials. The mechanism was simple exposure of control screens without proper gateways or authentication. Officials urged operators to reduce public access and review changes for any unauthorized setpoint shifts.

Microsoft suffered a global cloud outage. A control plane change blocked sign ins and access across Azure and Microsoft three sixty five, interrupting authentication flows for workloads worldwide. The outcome was broad service disruption and delayed logins in identity centric environments. Service returned gradually following mitigation efforts, and teams were urged to examine failed sign in spikes.

Attackers mass exploited old WordPress plugins. Abandoned or unpatched add ons opened doors for web shells and hijacks, affecting payments, content, and search engine optimization, S E O. The mechanism was simple dependency neglect and long ignored update prompts. Site owners were urged to update or replace abandoned plugins and check for hidden uploaders.

A door access app exposed control calls. The mobile software from Ubiquiti exposed an application programming interface, A P I, that accepted unauthenticated requests on some networks. The outcome was potential door unlocks and rule changes without any login. Admins were advised to segment access and require authentication immediately.

XWiki servers were seized for cryptomining. Attackers exploited remote code execution, R C E, in Solr components to run miners and plant persistent startup tasks that survive reboots. The mechanism abused the search stack to execute arbitrary commands inside the application server. Operators were urged to patch quickly and to inspect startup entries for unauthorized additions.

Researchers flagged hundreds of Android apps abusing tap to pay. The scheme used near field communication, N F C, relay kits masquerading as wallet tools to skim banking details from contactless transactions. Targets were unmanaged devices where security controls and policy checks were inconsistent across installations. The researchers documented the activity in their analysis and confirmed it as ongoing across multiple apps.

A new side channel hit Confidential Computing enclaves. In lab tests a low cost physical probe recovered cryptographic keys from memory regions on central processing unit, C P U, boards. The mechanism exploited tiny variations in hardware behavior to infer secret values. The study concluded that current implementations left measurable leakage and reduced assurances for enclave users.

One link could crash Chromium repeatedly. A crafted Uniform Resource Locator, U R L, triggered a denial of service, D O S, loop that repeatedly crashed the browser. Help desks reported kiosks and shared stations falling over after users opened the malicious link. The behavior was reproducible and disrupted workflows until affected links were removed from circulation.

Google debunked a viral Gmail breach rumor. The company said the reports recycled old credential stuffing data, not new compromise of Google accounts, and amplified confusion across social networks. Support channels saw spikes as users feared unauthorized access and reset passwords in large numbers. The official response said there was no platform breach and clarified the source of the credentials.

Amazon explained a broad internet outage. A race condition inside Domain Name System, D N S, controls triggered retries and outages for workloads tied to one region. The failure rippled to dependent applications and briefly clobbered customer access and status checks. Amazon published its explanation after mitigation, highlighting the dependency risks exposed by the event.

The Cybersecurity and Infrastructure Security Agency, C I S A, ordered urgent fixes for Windows update servers confirmed as under active attack. Agencies moved fast to patch update servers. The directive centered on on-premises update paths that normally deliver trusted patches but were abused to move malicious code. Remediation began immediately across affected environments as teams prioritized update infrastructure and watched for unauthorized distribution events.

X announced that security keys must be re enrolled by November tenth. Miss the window and accounts may lock. The policy threatens brand and executive access and can break scheduled posts and platform integrations during lockouts. Teams began re enrolling keys and verifying automation flows to ensure nothing goes dark after the cutoff.

The Cybersecurity and Infrastructure Security Agency, C I S A, warned that DELMIA Apriso manufacturing software from Dassault was under active attack. Factories faced real exploitation this week. The issues were added to the Known Exploited Vulnerabilities, K E V, catalog, signaling confirmed attacks against shop floor execution systems. Operators began planning short patch windows and validating production after updates to keep lines running safely.

Canadian authorities warned that hacktivists were tampering with exposed industrial control systems across the country. Public human machine interfaces, H M I, were the entry. Weak credentials and direct internet reachability let actors change operational settings and cause nuisance outages without needing deeper access. The advisory urged immediate removal from public networks and tighter authentication while owners reviewed recent changes for tampering.

A flaw in Windows Server Update Services, W S U S, let attackers push malware through trusted enterprise update lanes. The abuse was being actively probed. The mechanism was remote code execution, R C E, that turned a control channel into a distribution vector when ports were exposed. Teams closed exposed services and reviewed recent jobs to ensure only legitimate updates had been deployed.

That’s the BareMetalCyber Weekly Roll-Up for October 27th through October 31st, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back next week.
