Information Security News – 8/11/2025


St. Paul, Minnesota, Hit by Major Cyber Attack, State of Emergency Declared, National Guard Deployed

Article Link: https://www.cpomagazine.com/cyber-security/st-paul-minnesota-hit-by-major-cyber-attack-state-of-emergency-declared-national-guard-deployed/

  • St. Paul detected a major attack on July 25, prompting Mayor Melvin Carter to declare a state of emergency while Governor Tim Walz deployed the Minnesota National Guard’s Cyber Protection Unit for the first time in response to a digital threat, with thirteen members assigned.
  • City officials reported “suspicious activity” on internal systems, then shut down affected technology to contain the intrusion; the mayor described a deliberate, coordinated strike by a sophisticated external actor, and Paul Bischoff of Comparitech said the case shows all the signs of ransomware.
  • Online payments, library services, and recreation systems were disrupted, emergency response remained available, and police shifted to radio communications; state leaders said the scale exceeded internal and commercial response capacity, signaling a longer road to full restoration.
  • The whole-of-government response includes the city’s Emergency Operations Center, Minnesota IT Services, outside vendors, and National Guard cyber forces collaborating to restore services, with the city preparing to rebuild from backups where possible as paying a ransom is viewed as unlikely.

Google Breached — What We Know, What They’re Saying

Article Link: https://securityboulevard.com/2025/08/google-breach-salesforce-shinyhunters/

  • Google says ShinyHunters breached a Salesforce Customer Relationship Management (CRM) system in June that held contact details and notes for small and medium business customers.
  • A voice-phishing call placed over Mullvad VPN or Tor social-engineers the victim into granting access, after which automated data collection runs over Tor; Google cut the access after a short window.
  • Part of a wider wave hitting Salesforce data at companies such as Cisco, Qantas, and Pandora; no word on ransom or affected counts.
  • Google says it ran an impact analysis, began mitigations, and removed access, warning that a leak site may follow.
  • Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

Cisco Discloses Data Breach Impacting Cisco.com User Accounts

Article Link: https://www.bleepingcomputer.com/news/security/cisco-discloses-data-breach-impacting-ciscocom-user-accounts/

  • On August 5, Cisco said a July 24 vishing call duped an employee, letting crooks into a third-party cloud CRM that held Cisco.com account-holder details.
  • This slick-talking caller convinced a representative to grant access to the Customer Relationship Management (CRM) system. Cisco claims no passwords, no confidential customer data, and no products or services were touched.
  • Exposed data includes names, organization names, addresses, Cisco-assigned user IDs, emails, phone numbers, and account metadata such as creation dates. Cisco has not disclosed how many accounts were affected or whether a ransom was demanded.
  • Access was cut, an investigation began, regulators were notified, and required notices are going out. Cisco is adding protections and retraining staff to spot vishing scams.

New ‘Shade BIOS’ Technique Beats Every Kind of Security

Article Link: https://www.darkreading.com/endpoint-security/shade-bios-technique-beats-security

  • Dark Reading previews “Shade BIOS,” a Black Hat 2025 briefing where FFRI Security’s Kazuki Matsuo shows malware running entirely in a PC’s BIOS, out of reach of antivirus, EDR, XDR, and OS defenses.
  • The method carries UEFI BIOS into runtime by deceiving the OS loader via the memory map, keeping BIOS functions alive after boot. That creates a parallel environment with its own memory management and drivers, letting attackers use BIOS disk I/O to write files while dodging OS logging such as ETW.
  • Unlike classic UEFI bootkits that still lean on the OS, Shade BIOS stays independent, evades OS-level tools, survives reboots and reinstalls, and works across hardware thanks to UEFI standardization. Matsuo notes that these threats are largely seen in national security settings.
  • Detection calls for proactive memory dumps and analysis even without alerts. Matsuo will demo an open-source utility, Kraftdinner, and points out that procurement inspections for backdoors are a practical moment to hunt for this class of threat.

Exposed Without a Breach: The Cost of Data Blindness

Article Link: https://securityaffairs.com/180813/security/exposed-without-a-breach-the-cost-of-data-blindness.html

  • Security Affairs explains how misconfigurations, over-permissioned accounts, and quiet access can cause breach-level fallout without an intrusion.
  • July examples include CVE-2025-53770 in Microsoft SharePoint, an unauthenticated flaw tied to ToolShell that enabled code execution and file access on on-prem servers despite interim mitigations; the Tea app left a Firebase bucket open, leaking 70,000 images among a user base topping 4 million.
  • These blind spots often raise GDPR or HIPAA exposure, erode user trust, spark public backlash, and strain legal and communications teams; many Tea users now face the risk of lasting public exposure.
  • The post lays out steps to move from snapshot checks to continuous monitoring, practice the principle of least privilege, label and classify important data, track it with rich metadata across platforms, and finally weave these controls into daily workflows.
  • CVE-2025-53770: https://nvd.nist.gov/vuln/detail/CVE-2025-53770

Many Workers Admit Using Past Employers’ Passwords After Leaving

Article Link: https://www.scworld.com/news/many-workers-admit-to-using-past-employers-passwords-after-leaving

  • A Password Manager report of 1,200 U.S. workers found 40% used passwords from a former employer after leaving, and 27% shared a current employer’s passwords with outsiders.
  • Money was a motivator: 33% shared credentials to help others, and 53% used old credentials to save money for themselves. Entry paths: in 60% of cases the password was never changed after departure, 28% got it from someone inside, and 20% guessed it.
  • Most say they were never caught. 15% still log in to old accounts; 40% kept access for a year or more; 2% tried to disrupt activity.
  • The report recommends revoking access immediately at offboarding, adopting an Acceptable Use Policy combined with regular security awareness training, enforcing Identity and Access Management (IAM), requiring Multi-Factor Authentication (MFA), applying least privilege, and auditing for stray logins.
  • Survey: https://www.passwordmanager.com/4-in-10-workers-hack-former-employer-passwords-for-personal-use/
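The last recommendation, auditing for stray logins, is the one that catches the 60% of cases where a password was simply never changed. The script below is an added example, not from the report or the article: it reconciles a constructed offboarding roster against constructed authentication log lines (the key=value log format, the usernames and the dates are all made up for the demo) and reports every successful login by a departed user after their last day, keeping failed post-departure attempts as a separate signal for alerting.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed offboarding roster: username -> last day of employment.
# In practice this comes from the HR system or the identity provider.
DEPARTED = {
    "jdoe": date(2025, 6, 30),
    "asmith": date(2025, 7, 15),
}

# Constructed auth log lines (hypothetical key=value format, not a real product's log).
SAMPLE_LOG = """\
2025-07-01T08:02:11Z LOGIN user=bwong src=198.51.100.7 result=success
2025-07-03T22:41:05Z LOGIN user=jdoe src=203.0.113.9 result=success
2025-07-10T09:15:42Z LOGIN user=asmith src=198.51.100.20 result=success
2025-07-20T01:03:27Z LOGIN user=asmith src=203.0.113.44 result=failure
2025-08-02T13:30:00Z LOGIN user=asmith src=203.0.113.44 result=success
2025-08-05T07:55:10Z LOGIN user=jdoe src=203.0.113.9 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def find_stray_logins(log_text, departed, grace_days=0):
    """Return (stray, attempts): successful logins by departed users after their
    last day plus an optional grace period, and failed attempts in the same window.
    Logins on or before the last day are normal activity and are ignored."""
    stray, attempts = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in departed:
            continue
        cutoff = departed[ev["user"]] + timedelta(days=grace_days)
        if ev["ts"].date() <= cutoff:
            continue
        (stray if ev["result"] == "success" else attempts).append(ev)
    return stray, attempts


def days_past_departure(stray, departed):
    """Per user, how many days after their last day the most recent stray login happened.
    A large number means the account has been live for a long time after offboarding."""
    latest = {}
    for ev in stray:
        age = (ev["ts"].date() - departed[ev["user"]]).days
        latest[ev["user"]] = max(age, latest.get(ev["user"], 0))
    return latest


if __name__ == "__main__":
    stray, attempts = find_stray_logins(SAMPLE_LOG, DEPARTED)
    for ev in stray:
        print(f"STRAY  {ev['ts'].isoformat()} {ev['user']} from {ev['src']}")
    for ev in attempts:
        print(f"ATTEMPT {ev['ts'].isoformat()} {ev['user']} from {ev['src']}")
    print(days_past_departure(stray, DEPARTED))
```

The grace period exists because some organisations keep mailbox or payroll access open for a few days after the last day; set it to match the offboarding policy so the audit reports genuine misses rather than expected tail activity.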

Ransomware Goes Cloud Native to Target Your Backup Infrastructure

Article Link: https://www.csoonline.com/article/4033018/ransomware-goes-cloud-native-to-target-your-backup-infrastructure.html

  • The Google Cloud Threat Horizons Report (H1 2025) says ransomware groups are moving into cloud platforms to hit backup infrastructure, following data into snapshots and object storage. No sample size provided.
  • Threat actors wipe or disable cloud backups early, twist native features like SSE-C encryption and lifecycle policies to re-encrypt or auto-delete data, misuse Azure Blob, Amazon S3 Transfer Acceleration, and Azure Storage Explorer, and bypass MFA using social engineering and stolen OAuth tokens.
  • Activity tied to HellCat, Akira, and ALPHV/BlackCat includes finding and wiping “immutable” copies; BlackCat and Rhysida also use cloud services to pull data before encryption. Google flags risks from compromised tokens in CI/CD and introduces Verified CRX Upload to protect non-human identities. Secrets lingering in cloud configurations make their job that much easier.
  • The report lays out strong identity and vulnerability management, durable recovery tiers, supply-chain integrity checks, and constant watch for social engineering; Tenable adds least privilege, MFA with just-in-time access, and continuous monitoring for misconfigurations or exposed storage.
  • Report: https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf
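The bullets above describe attackers turning lifecycle policies and deletable "immutable" copies against the backups, and Tenable's advice to keep monitoring for misconfigurations. The script below is an added example, not from the Google report or the CSO article: it audits a backup bucket's configuration against a retention baseline and diffs the lifecycle rules against a known-good copy so a quietly shortened expiration shows up as drift. The dicts mirror the shapes returned by the S3 API calls get_bucket_versioning, get_object_lock_configuration and get_bucket_lifecycle_configuration, but all values, bucket names and the 30-day minimum are constructed for the demo.

```python
import copy

# Assumed organisational minimum for backup retention (constructed policy value).
MIN_RETENTION_DAYS = 30


def audit_backup_bucket(name, versioning, object_lock, lifecycle):
    """Return a list of (severity, message) findings for one bucket."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append(("high", f"{name}: versioning disabled; an overwrite or delete is unrecoverable"))

    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(("high", f"{name}: Object Lock off; 'immutable' copies are deletable by any principal with delete rights"))
    else:
        ret = lock.get("Rule", {}).get("DefaultRetention", {})
        if ret.get("Mode") != "COMPLIANCE":
            findings.append(("medium", f"{name}: Object Lock mode {ret.get('Mode')} can be overridden by a privileged principal; COMPLIANCE cannot"))
        if ret.get("Days", 0) < MIN_RETENTION_DAYS and "Years" not in ret:
            findings.append(("medium", f"{name}: default retention {ret.get('Days')} days is below {MIN_RETENTION_DAYS}"))

    # Lifecycle rules are the 'auto-delete' lever: flag any enabled rule that
    # expires current or noncurrent versions sooner than the retention floor.
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<no id>")
        exp_days = rule.get("Expiration", {}).get("Days")
        if exp_days is not None and exp_days < MIN_RETENTION_DAYS:
            findings.append(("high", f"{name}: rule {rid} expires objects after {exp_days} days"))
        nc_days = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if nc_days is not None and nc_days < MIN_RETENTION_DAYS:
            findings.append(("high", f"{name}: rule {rid} purges noncurrent versions after {nc_days} days, defeating versioning"))
    return findings


def lifecycle_drift(baseline, current):
    """Compare lifecycle rules by ID; returns added, removed and changed rule IDs.
    Intended to run on every poll so a changed rule is caught before it fires."""
    base = {r["ID"]: r for r in baseline.get("Rules", [])}
    cur = {r["ID"]: r for r in current.get("Rules", [])}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(i for i in set(base) & set(cur) if base[i] != cur[i])
    return added, removed, changed


# Constructed known-good configuration for a hypothetical bucket "backups-prod".
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
GOOD_LIFECYCLE = {"Rules": [
    {"ID": "expire-old", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 365}},
    {"ID": "abort-mpu", "Status": "Enabled", "Filter": {"Prefix": ""},
     "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
]}

# Constructed tampered state: retention mode weakened, expiration shortened,
# and a new rule added to purge old versions quickly.
BAD_LOCK = copy.deepcopy(GOOD_LOCK)
BAD_LOCK["ObjectLockConfiguration"]["Rule"]["DefaultRetention"]["Mode"] = "GOVERNANCE"
BAD_LIFECYCLE = copy.deepcopy(GOOD_LIFECYCLE)
BAD_LIFECYCLE["Rules"][0]["Expiration"]["Days"] = 1
BAD_LIFECYCLE["Rules"].append({"ID": "purge-noncurrent", "Status": "Enabled",
                               "Filter": {"Prefix": ""},
                               "NoncurrentVersionExpiration": {"NoncurrentDays": 1}})

if __name__ == "__main__":
    for sev, msg in audit_backup_bucket("backups-prod", GOOD_VERSIONING, BAD_LOCK, BAD_LIFECYCLE):
        print(f"[{sev}] {msg}")
    print("drift:", lifecycle_drift(GOOD_LIFECYCLE, BAD_LIFECYCLE))
```

The audit alone would accept a 29-day expiration on a bucket whose baseline was 365 days if the floor were lower, which is why the drift check is the stronger control: any change to a backup bucket's lifecycle rules should be an alert, and the audit is the floor that stays in place even when the baseline itself is wrong.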

The Young and the Restless: Young Cybercriminals Raise Concerns

Article Link: https://www.darkreading.com/cyber-risk/young-cybercriminals-raise-concerns

  • Dark Reading flags a surge of minors entering online crime, citing a July 23 FBI Internet Crime Complaint Center alert naming “Hacker Com” and early-July UK National Crime Agency (NCA) arrests of four people, ages 17 to 20, tied to Marks & Spencer and the Co-op.
  • Recruiters find these kids in gaming forums, social apps, and in some cases even at high schools and colleges. Parents can watch for clues such as suddenly printing stacks of shipping labels, possessing several gift cards, or unaccounted-for cash. Other warning signs are behavioral: guarding screens, using new “tools” like VPNs or Tor, and talk of “easy payouts.”
  • A June European Parliament report says recruited minors are participating in over 70% of illegal market activities across categories, with recent cases including “Intel Broker,” young ShinyHunters affiliates, and suspects in recent UK retail hits. This is not harmless screen time.
  • The article suggests teaching early diversion and deterrence through digital ethics education, peer messaging on legal risks, sharing clear warnings on social apps, and active parental enforcement. Think of it as setting house rules that go beyond the Wi-Fi password.

Arizona Woman Sentenced for $17M Information Technology Worker Fraud Scheme that Generated Revenue for North Korea

Article Link: https://www.justice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue

  • The Department of Justice press release dated July 24, 2025, says Christina Marie Chapman, 50, was sentenced to 102 months for a $17 million scheme that helped North Korean IT workers pose as U.S. hires and funnel revenue to the Democratic People’s Republic of Korea (DPRK), the official name for North Korea. Imagine a “cheat team at a high-stakes blackjack table,” but with payroll.
  • Chapman ran a home “laptop farm,” stole 68 identities, and helped place North Korean workers at 309 U.S. companies and two international firms, even trying for two U.S. government agencies; she shipped 49 company devices overseas, and agents later seized 90+ laptops from her house.
  • The operation touched Fortune 500 names and routed millions of dollars to a foreign adversary, with prosecutors framing it as a threat to everyday businesses, not just big brands.
  • FBI Phoenix and the State Department issued guidance (link above) for HR teams on spotting North Korean IT workers, building on earlier joint advisories from May 2022 and October 2023.


