Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11809

Checks for new stories every ~15 minutes

Title Summary
2025-07-30 17:03:22 theregister CYBERCRIME Minnesota Governor Deploys National Guard After St. Paul Cyberattack
Minnesota Governor Tim Walz has declared a state of emergency and activated the National Guard in response to a significant cyberattack on Saint Paul. The attack, described by officials as a deliberate and sophisticated act, targeted the city's information infrastructure and caused widespread disruption. Critical services such as 911 remain operational, but the city's online payment systems and public Wi-Fi are down. As a containment measure, local officials shut down all city information systems. Officials confirmed the event was not a glitch or error but a coordinated digital attack by an external actor. Who is responsible, and whether a ransom demand was made, remain unknown while the investigation continues. The FBI and other federal, state, and local agencies are involved, and St. Paul has brought in outside cybersecurity firms for additional support.
Details
2025-07-30 16:56:23 bleepingcomputer CYBERCRIME Hackers Employ Raspberry Pi in Sophisticated Bank ATM Hack Attempt
The UNC2891 (LightBasin) group attempted to steal cash from ATMs by planting a 4G-equipped Raspberry Pi inside a bank's network. Group-IB uncovered the attempt while investigating unusual network activity and found the device connected directly to the same network switch as the ATM infrastructure. The attackers aimed to spoof ATM authorization responses and trigger fraudulent cash withdrawals, but ultimately failed. The Raspberry Pi, reachable over its own mobile link, let the attackers bypass perimeter security, keep remote access, and move laterally across the network. They retained access through the TinyShell backdoor even after the Raspberry Pi was discovered and removed. To stay hidden, the attackers mounted filesystems over process directories under /proc (a bind-mount trick), so the backdoor's processes did not appear in standard process listings or forensic collection. LightBasin, known for attacks on the financial and telecommunications sectors, intended to deploy the Unix kernel rootkit "Caketap", which manipulates HSM card-verification messages, but the operation was disrupted before that stage.
Details
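The process-hiding trick described above leaves a trace in the kernel's own mount table: any mount whose mount point is a /proc/<pid> path (or a path beneath one) is covering a process directory. The detector below is an added example, not code from the Group-IB report; it parses the Linux /proc/self/mountinfo format and runs here over a constructed sample in which PID 4242 is fully covered by a bind mount of /proc/1 and PID 5150 has its fd directory covered by a tmpfs. On a live host, read the real mountinfo file instead of the sample.

```python
"""Detect processes hidden by mounting over their /proc/<pid> directory.

Added example, not code from the Group-IB report. Parses the Linux
/proc/self/mountinfo format; the sample below is constructed. On a live
host, pass open("/proc/self/mountinfo").read() to find_proc_overmounts().
"""
import re

# Constructed mountinfo. Line 3 bind-mounts /proc/1 over /proc/4242, which
# hides PID 4242 from ps, top and most forensic tools; line 5 covers only
# /proc/5150/fd, hiding that process's open files.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
24 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
25 28 0:35 / /tmp rw,nosuid,nodev shared:17 - tmpfs tmpfs rw
26 22 0:35 / /proc/5150/fd rw,nosuid,nodev shared:17 - tmpfs tmpfs rw
"""

# A mount point of exactly /proc/<pid> or anything below it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Yield (mount_point, root, fstype, source) for each mountinfo line.

    Field layout: id parent major:minor root mount_point options [optional...] - fstype source superopts
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields run until the " - " separator; after it come fstype, source, superopts.
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        # mountinfo octal-escapes spaces in paths as \040
        mount_point = pre_fields[4].replace(r"\040", " ")
        yield mount_point, pre_fields[3], post_fields[0], post_fields[1]


def find_proc_overmounts(text):
    """Return one finding per mount placed on or under a /proc/<pid> directory."""
    findings = []
    for mount_point, root, fstype, source in parse_mountinfo(text):
        m = PROC_PID_RE.match(mount_point)
        if m:
            findings.append({
                "pid": int(m.group(1)),
                "mount_point": mount_point,
                "fstype": fstype,
                "source": source,
                "root": root,
            })
    return findings


if __name__ == "__main__":
    for f in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"PID {f['pid']} covered: {f['fstype']} {f['source']}:{f['root']} "
              f"mounted on {f['mount_point']}")
```

Legitimate software has no reason to mount anything under /proc/<pid>, so every hit deserves a look; the root field tells you what was placed over the directory (another process's /proc entry, an empty tmpfs, and so on). Because the check reads the mount table rather than enumerating processes, it works even when the hidden process is invisible to ps and /proc listings.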
2025-07-30 16:29:11 thehackernews MALWARE Hackers Spread JSCEAL Malware Via Fake Crypto Trading Apps on Facebook
Check Point researchers discovered an ongoing campaign that uses Facebook ads to distribute counterfeit cryptocurrency trading apps delivering JSCEAL, a malware family capable of stealing credentials and wallet information. The malicious ads run from stolen or newly created Facebook accounts and redirect users to fake websites that instruct them to download the trojanized installers. The multi-layered chain uses script-based fingerprinting, and the fake site and the installer communicate with each other, so the infection only proceeds when both are running at the same time. If checks such as IP geolocation or HTTP referrer do not match the attackers' targeting, victims are sent to harmless decoy pages instead. DLL modules deployed by the installer collect data from the infected machine and begin exfiltrating system information and credentials. Once a valuable target is confirmed, JSCEAL captures extensive personal data and manipulates web traffic to intercept and alter the victim's interactions with financial and cryptocurrency services. According to Check Point, the modular design combined with heavy obfuscation makes the malware difficult for conventional security products to detect.
Details
2025-07-30 16:15:05 thehackernews RANSOMWARE Decryptor Released for FunkSec Ransomware After Group Inactivity
FunkSec ransomware, which emerged in late 2024, primarily targeted the U.S., India, and Brazil across the technology, government, and education sectors. The group reportedly claimed 172 victims but has added none to its data leak site since March 2025, suggesting it has gone inactive. A free decryptor, developed by Gen Digital, has been released and is available through the No More Ransom project. Check Point's earlier analysis suggested the ransomware was developed with help from AI tools and written in Rust for performance and evasion. FunkSec encrypts files with ChaCha20-Poly1305, and encrypted files grow by approximately 37%; the cipher itself adds only a 16-byte authentication tag per message, so the growth comes from how FunkSec packages its output (chunking, nonces, encoding) rather than from the encryption. The researchers did not disclose how the decryptor works, so it is unclear whether it relies on a flaw in the ransomware's cryptography. Victims are advised to confirm that their files match FunkSec's characteristics before attempting decryption, and to back up the encrypted files first to avoid data loss.
Details
2025-07-30 16:15:05 bleepingcomputer CYBERCRIME Apple Releases Update for Chrome Exploitation Vulnerability
Apple issued security patches for CVE-2025-6558, a high-severity vulnerability that was first fixed in Google Chrome and also affects Apple's WebKit browser engine. The flaw is insufficient validation of untrusted input in ANGLE, the graphics abstraction layer that translates WebGL calls to native graphics APIs, and in the GPU process; a specially crafted HTML page can reach it to run code in the GPU process and potentially escape the browser sandbox. Google's Threat Analysis Group discovered the bug being actively exploited in targeted attacks, the kind of activity that is often linked to state-sponsored actors. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6558 to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch by August 12. Apple's updates cover its device and software lineup; its advisory describes the impact as processing maliciously crafted web content leading to an unexpected Safari crash. Apple has now addressed multiple zero-day vulnerabilities this year, underlining the importance of timely updates. Network defenders, especially in federal agencies, should prioritize this patch.
Details
2025-07-30 14:57:52 theregister MISCELLANEOUS Palo Alto Networks Acquires CyberArk in $25 Billion Deal
Palo Alto Networks has confirmed a $25 billion acquisition of CyberArk, an Israeli company specializing in identity security and privileged access management. The cash-and-stock deal is Palo Alto Networks' largest acquisition to date. CyberArk's technology is increasingly used to verify and secure not only human identities but also machine and AI identities, which the companies say now outnumber human identities 40 to 1. The acquisition fits Palo Alto Networks' strategy of consolidating security capabilities into a single platform and extending its product line with add-ons. CEO Nikesh Arora pointed to the growing importance of proper privilege controls for every identity as AI applications and machine identities proliferate. CyberArk shareholders will receive $45 in cash and 2.2005 Palo Alto Networks shares per CyberArk share, and the transaction is expected to close in the second half of fiscal 2026. The deal is second only to Google's $32 billion acquisition of Wiz among this year's security acquisitions.
Details
2025-07-30 14:57:51 bleepingcomputer MALWARE Lenovo Issues Firmware Updates to Combat Secure Boot Flaws
Lenovo has released firmware updates for high-severity BIOS flaws in several all-in-one desktops that could allow attackers to bypass Secure Boot. Affected models include the IdeaCentre AIO 3 24ARR9 and 27ARR9, and the Yoga AIO 27IAH10, 32ILL10, and 32IRH8. The vulnerabilities, found by firmware security firm Binarly, are in System Management Mode (SMM) code; SMM is a highly privileged CPU mode that runs outside the control of the operating system and hypervisor. An attacker who already has administrative access to the OS could use them to install malware beneath the operating system that is nearly impossible to detect and that defeats boot-time protections such as Secure Boot. The flaws are not in the InsydeH2O UEFI firmware these devices are built on but in Lenovo-specific customizations of it. Lenovo acknowledged the issues after Binarly's report on April 8, 2025, and has published updates for the affected IdeaCentre models under a 90-day coordinated disclosure. Updates for the Yoga AIO series are expected between September 30 and November 30, 2025. The case illustrates a recurring firmware supply-chain problem: OEM customizations of a vendor's reference firmware can introduce bugs that the upstream code does not have, enabling stealthy attacks on system integrity.
Details
2025-07-30 13:20:50 bleepingcomputer MISCELLANEOUS AI Revolutionizes vCISO Services Amid Soaring SMB Demand
SMBs are adopting vCISO services at record rates in response to heightened cyber threats and stricter regulation. AI lets vCISO providers absorb the increased demand, reportedly cutting workload by 68% and making service delivery scalable. Adoption of vCISO services among MSPs and MSSPs jumped from 21% in 2024 to 67% in 2025, and 74% of the remaining providers plan to launch an offering by year-end. MSPs and MSSPs report clear business benefits, including more upsells, higher margins, and larger customer bases. Operational barriers such as upfront investment and a shortage of skilled staff are noted, but they are not deterring providers from planning future rollouts. 81% of service providers already use AI to optimize parts of their vCISO operations, with more planning to do so next year. AI's role in vCISO services is expected to keep growing, improving the quality, speed, and scalability of cybersecurity delivery.
Details
2025-07-30 13:04:54 theregister RANSOMWARE Ransomware Group Threatens Release of Ingram Micro Data
Ingram Micro was hit by the SafePay ransomware group, which is threatening to release 3.5 TB of company data. The incident caused a multi-day outage affecting Ingram Micro's global operations. SafePay has set an August 1 deadline to leak the data if its extortion demands are not met. Although Ingram Micro says it has restored operations, some of its websites are only now coming back online. The listing on SafePay's leak site suggests Ingram Micro has not paid. The company has not updated its public statements since early July, after containing the attack, but says it is operating globally. Security observers noted continuing problems with the company's subsidiary websites in the META (Middle East, Turkey, and Africa) region, indicating that restoration is only partial.
Details
2025-07-30 13:04:53 thehackernews MALWARE Critical Security Flaws Found in Dahua Smart Cameras
Bitdefender researchers uncovered critical vulnerabilities in Dahua smart camera firmware. The flaws, in the ONVIF protocol handler and the file upload mechanism, allow remote, unauthenticated attackers to execute arbitrary commands. Tracked as CVE-2025-31700 and CVE-2025-31701, they can be used to hijack cameras remotely for denial of service or remote code execution. Successful exploitation gives root-level access, bypasses firmware integrity checks, and enables installation of unsigned payloads. The affected models, used in settings such as retail and casinos, are especially at risk when exposed to the internet through port forwarding or UPnP. Dahua has acknowledged the issues; on devices with mitigations such as ASLR, reliable code execution is harder, but denial of service remains achievable.
Details
2025-07-30 11:45:55 thehackernews NATION STATE ACTIVITY Chinese State-Linked Firms Accused of Developing Cyber Espionage Tools
Chinese companies linked to Silk Typhoon, a state-sponsored hacking group, have filed more than 15 patents for offensive cyber capabilities, including tools for forensic data collection, remote access, and collection of encrypted endpoint data from a range of devices. The filings illustrate the sophistication of the contractors that support China's state-directed cyber operations. SentinelOne's findings show how hard it is to attribute campaigns to specific actors and why the corporate layer behind them needs to be understood. The U.S. Department of Justice has indicted individuals tied to these companies for the 2021 attacks that exploited Microsoft Exchange vulnerabilities. SentinelOne traces connections between those individuals, firms such as Shanghai Powerock and Shanghai Firetech, and China's Ministry of State Security (MSS). Shanghai Firetech has developed tools that go beyond the capabilities publicly attributed to Silk Typhoon (the cluster Microsoft formerly tracked as Hafnium). The relationship between Shanghai Firetech, the MSS, and the other co-conspirators points to a structured, strategic partnership that extends the state's cyber capabilities.
Details
2025-07-30 11:03:32 thehackernews MISCELLANEOUS Comprehensive Overview of Pillar's AI Security Platform
Pillar Security positions its platform as securing AI across the software development lifecycle, with a holistic approach aimed at making AI systems trustworthy. Co-founders Dor Sarig and Ziv Karlinger draw on backgrounds in offensive and defensive cybersecurity. The platform starts with AI threat modeling before any code is written, mapping potential threats to corporate and regulatory requirements. It provides real-time visibility into AI assets and manages risk through analysis that adapts defenses as new threats emerge. Red teaming is run early in development to test AI systems against sophisticated attacks, including black-box testing of third-party AI applications in realistic scenarios. Adaptive guardrails monitor and enforce security policies at runtime, tuned to each application's behavior and threat profile. A sandboxing environment contains high-risk AI agents so that malicious or unintended actions cannot reach production systems. Throughout, the platform collects telemetry that supports incident investigation and compliance, and it can be deployed across different environments.
Details
2025-07-30 10:53:39 thehackernews CYBERCRIME Apple and Google Update Software to Patch Shared Vulnerability
Apple released security updates for CVE-2025-6558, a high-severity vulnerability affecting its Safari browser and the WebKit engine behind it. The same bug was exploited as a zero-day in Google Chrome earlier this month, prompting both companies to patch. CVE-2025-6558 is insufficient validation of untrusted input in browser graphics components that a malicious HTML page can use to escape the sandbox. Google Threat Analysis Group's Clément Lecigne and Vlad Stolyarov discovered it and its exploitation in the wild. In WebKit the bug can crash the browser when it processes malicious web content. Apple's updates span its full software lineup, and users should install the latest versions. No attacks against Apple users have been reported so far, but updating promptly is advised.
Details
2025-07-30 09:25:43 thehackernews MISCELLANEOUS Google Enhances Chrome Security and Boosts Vulnerability Transparency
Google has introduced Device Bound Session Credentials (DBSC) in open beta for Chrome. DBSC binds a web session to a key held on the user's device, so a session cookie stolen by malware cannot be reused from another machine; the server periodically challenges the browser to prove possession of the key, which preserves session integrity even if the cookie leaks. Google also announced that passkey support is generally available to more than 11 million Google Workspace customers, with added administrative controls and audit logging. A Shared Signals Framework (SSF) implementation, based on the OpenID standard, is in closed beta to exchange security events between services in real time for coordinated defense and faster response. Google Project Zero is trialing a Reporting Transparency policy to narrow the 'upstream patch gap': within a week of reporting a vulnerability to a vendor it will publish that a report exists (vendor, product, report date, and the 90-day deadline date), without technical details, so that downstream consumers of the affected code know a fix is coming. The existing 90-day disclosure deadline is unchanged. The updates are part of Google's broader effort to strengthen security across its platforms and user base.
Details
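To make the DBSC idea concrete, here is a toy model of a device-bound session showing both sides of the exchange: session start, server challenge, client proof, and what happens when an attacker replays a stolen cookie. This is an added example, not Google's code or the DBSC specification. The real protocol binds the session to an asymmetric key pair kept in a TPM or equivalent hardware and the server stores only the public key; here a random per-device secret with HMAC stands in for that key pair so the example runs with the standard library alone, and the class and method names are this example's own.

```python
"""Toy model of a device-bound session, in the spirit of DBSC.

Added example, not Google's code. HMAC over a per-device secret stands in
for the TPM-backed asymmetric signature the real protocol uses; the point
demonstrated (a stolen cookie is useless without the key that never leaves
the device) is the same.
"""
import hashlib
import hmac
import secrets


class DeviceKey:
    """Holds key material that never leaves the device; only proofs over challenges are exported."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        # Stand-in for the public key sent at session start. In real DBSC the
        # server never sees a secret; in this toy the "public" material is the secret.
        return self._secret

    def prove(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class SessionServer:
    def __init__(self):
        self._bound_keys = {}   # cookie -> key material registered at session start
        self._challenges = {}   # cookie -> outstanding one-time challenge

    def start_session(self, key_material: bytes) -> str:
        cookie = secrets.token_hex(16)
        self._bound_keys[cookie] = key_material
        return cookie

    def challenge(self, cookie: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._challenges[cookie] = nonce
        return nonce

    def refresh(self, cookie: str, proof: bytes) -> bool:
        """Accept the cookie only if proof answers the outstanding challenge with the bound key."""
        key = self._bound_keys.get(cookie)
        nonce = self._challenges.pop(cookie, None)  # one-time: a replayed proof finds no challenge
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def legitimate_refresh() -> bool:
    """Browser on the enrolled device answers a fresh challenge: accepted."""
    device, server = DeviceKey(), SessionServer()
    cookie = server.start_session(device.registration_material())
    return server.refresh(cookie, device.prove(server.challenge(cookie)))


def stolen_cookie_replay() -> bool:
    """Infostealer exfiltrates the cookie and one observed proof, but not the device key."""
    device, server = DeviceKey(), SessionServer()
    cookie = server.start_session(device.registration_material())
    captured_proof = device.prove(server.challenge(cookie))
    server.refresh(cookie, captured_proof)        # the victim's own refresh consumes the challenge
    # From another machine: replay the captured proof with the stolen cookie...
    replayed = server.refresh(cookie, captured_proof)
    # ...or try to answer a fresh challenge without the device key.
    forged = server.refresh(
        cookie, hmac.new(b"attacker-guess", server.challenge(cookie), hashlib.sha256).digest()
    )
    return replayed or forged


if __name__ == "__main__":
    print("legitimate refresh accepted:", legitimate_refresh())
    print("stolen cookie accepted:", stolen_cookie_replay())
```

Two design points carry over to the real protocol: the challenge is single-use, so a captured proof cannot be replayed, and the cookie alone grants nothing once the server insists on a proof, which is what defeats the infostealer-exfiltrates-cookies playbook. In practice the bound cookie is also short-lived, so a stolen copy expires before the attacker can use it even if they intercept it mid-refresh.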
2025-07-30 07:51:56 thehackernews MALWARE Hackers Deploy Auto-Color Malware via SAP Vulnerability in US
Threat actors exploited CVE-2025-31324, a critical SAP NetWeaver vulnerability, to deliver malware to a U.S.-based chemicals company. The Auto-Color malware, a Linux backdoor with remote access trojan capabilities, was deployed in April 2025 and gave the attackers remote access to the company's Linux systems. SAP patched the vulnerability the same month, underscoring the need for prompt updates. Auto-Color provides reverse shell access and file management and includes evasion measures: when it cannot reach its command-and-control server it stays dormant and shows little malicious behavior, which frustrates sandbox analysis, and it carries a kill switch to remove itself. Darktrace first detected the intrusion through a suspicious file download three days after the initial network scanning, showing the value of continuous monitoring. The malware also achieved persistence by modifying the system's shared-library preload configuration. The incident is a significant breach with implications for security practice in industries that operate critical infrastructure.
Details
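The three-day gap between scanning and payload download described above is visible in ordinary web-server logs if you know what to look for. The script below is an added example, not Darktrace's detection logic. CVE-2025-31324 is the unauthenticated file upload in the NetWeaver Visual Composer Metadata Uploader; the endpoint path and the portal paths where uploaded JSP webshells are served follow public reporting on this CVE, while the log lines themselves are constructed for illustration (combined log format, RFC 5737 documentation addresses).

```python
"""Flag web-server log entries consistent with CVE-2025-31324 abuse.

Added example, not Darktrace's detection logic. The uploader endpoint and
the /irj/ webshell locations follow public reporting on this CVE; the log
lines are constructed.
"""
import re
from collections import defaultdict

UPLOADER = "/developmentserver/metadatauploader"
# Uploaded webshells are served as JSP files from the portal root/work directories.
WEBSHELL_RE = re.compile(r"^/irj/(?:root|work)/[^/?\s]+\.jsp$", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one source probes the uploader, posts to it, and returns
# three days later for a JSP it dropped; a normal portal user is mixed in.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [17/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.4 - - [17/Apr/2025:11:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2025:08:15:33 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 4096 "-" "curl/8.4.0"
"""


def classify(method: str, path: str):
    """Return a finding type for one request, or None if it is not of interest."""
    base = path.split("?", 1)[0]
    if base.lower() == UPLOADER:
        # Any POST is an upload attempt; a GET is reconnaissance for the endpoint.
        return "upload-attempt" if method == "POST" else "probe"
    if WEBSHELL_RE.match(base):
        return "webshell-access"
    return None


def scan_log(text: str):
    """Return (findings, per_ip) where per_ip counts each finding type by source address."""
    findings = []
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["path"])
        if kind is None:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "kind": kind,
            "path": m["path"], "status": int(m["status"]),
        })
        per_ip[m["ip"]][kind] += 1
    return findings, {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == "__main__":
    found, by_ip = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['kind']:16} {f['status']} {f['path']}")
    print(by_ip)
```

A 200 on a POST to the uploader from an address that never authenticated is the high-signal event; after the April patch the endpoint should refuse such requests, so a 200 there also tells you the system is unpatched. Grouping findings by source address is what surfaces the scan-then-return pattern: the same client appears on the uploader and, days later, on a JSP under /irj/.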