Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-30 18:25:36 | theregister | DATA BREACH | Neglected AI Security Leads to Rising Data Breach Incidents | IBM's "Cost of a Data Breach Report 2025" highlights increasing security incidents in AI implementations due to inadequate security and governance measures. Of 600 surveyed organizations, 13% reported security breaches involving AI, primarily due to insufficient AI access controls, which affected 97% of those impacted. The majority of breaches were linked to third-party vendor compromises, particularly in Software as a Service (SaaS) applications and their supply chains. Common consequences of these AI-related incidents included operational disruption, unauthorized data access, financial loss, and reputational damage. Shadow AI, the unauthorized use of AI tools within organizations, poses a significant risk because it often goes undetected, making it a prime target for exploitation. Despite recurring security concerns, 87% of organizations lack proper governance to mitigate AI risks, and many also fail to conduct regular risk assessments or adversarial testing of their AI models. The report underscores a pressing need for better AI security practices as organizations prioritize rapid AI adoption over comprehensive security and risk management. |
| 2025-07-30 18:03:59 | bleepingcomputer | RANSOMWARE | SafePay Ransomware Threatens Release of Ingram Micro Data | The SafePay ransomware gang claims to have captured 3.5TB of data from IT distributor Ingram Micro and is threatening to leak it. Ingram Micro is a major global provider of IT solutions, including hardware, software, and logistical support. The SafePay ransomware operation, which started in September 2024, has become notable for stealing and potentially leaking victims' data. The attack caused a global outage at Ingram Micro, prompting an operational shutdown with employees working remotely. Ingram Micro responded quickly, restoring significant internal systems and functionality within days of the attack. Despite the recovery, the potential impact of a SafePay data leak remains a concern, and Ingram Micro has not confirmed the details of the data breach. SafePay is filling the operational void left by other ransomware groups such as LockBit and BlackCat, indicating a strategic and expanding threat landscape. |
| 2025-07-30 17:47:09 | bleepingcomputer | MALWARE | Hackers Exploit Vulnerability in WordPress Theme for Full Control | Hackers are actively exploiting a critical vulnerability in the WordPress 'Alone' theme in versions up to and including 7.8.3. The issue, tracked as CVE-2025-5394, enables unauthorized file uploads leading to remote code execution and potential site takeover. Wordfence, a WordPress security firm, has blocked over 120,000 attempts to exploit the flaw, and exploitation began before the flaw was publicly disclosed. The vulnerability allows attackers to upload webshells, install PHP backdoors, or create hidden admin accounts, gaining complete control over affected websites. Signs of compromise include new admin users, unexplained ZIP or plugin folders, and specific admin-ajax.php requests. Four IP addresses associated with the attacks have been identified, and site administrators are advised to block them immediately. Bearsthemes, the vendor of the Alone theme, released a patch in version 7.8.5 on June 16, 2025, after the issue was first reported in May. The exploitation follows shortly after a similar attack on another premium WordPress theme, indicating a pattern of targeting premium theme vulnerabilities. |
| 2025-07-30 17:09:16 | theregister | MISCELLANEOUS | Dropbox to Discontinue Password Manager, Users Seek Alternatives | Dropbox is discontinuing its password manager, Dropbox Passwords, in phased steps ending October 28. Users should migrate their data by the end of October, when access will be completely revoked and data securely deleted. Dropbox Passwords will switch to view-only mode on August 28, and the mobile app will stop working on September 11. Dropbox has endorsed 1Password as an alternative, though it may require a paid subscription after a free trial. The decision is intended to refocus effort on enhancing other core features of Dropbox's product line. Dropbox faces substantial competition in the password manager market from LastPass, 1Password, and tech giants such as Apple, Microsoft, and Google. Corporate changes continue: Dropbox has gone through staff layoffs, and the CEO announced cuts in over-invested or underperforming areas. |
| 2025-07-30 17:03:22 | theregister | CYBERCRIME | Minnesota Governor Deploys National Guard After St. Paul Cyberattack | Minnesota Governor Tim Walz has declared a state of emergency and activated the National Guard in response to a significant cyberattack on Saint Paul. The cyberattack, described as a deliberate and sophisticated act, targeted the city's information infrastructure and caused widespread disruption. Critical services such as 911 remain operational, but the city's online payment systems and public Wi-Fi services are disrupted. In response to the ongoing threat, local officials shut down all city information systems as a containment measure. Officials confirmed the incident was not a glitch or error but a coordinated digital assault by an external entity. The perpetrators, and whether a ransom demand was made, are currently unknown as investigations continue. The FBI and other federal, state, and local agencies are involved, and St. Paul has enlisted additional support from cybersecurity firms. |
| 2025-07-30 16:56:23 | bleepingcomputer | CYBERCRIME | Hackers Employ Raspberry Pi in Sophisticated Bank ATM Hack Attempt | The UNC2891 (LightBasin) hacking group attempted to steal cash from ATMs by planting a 4G-equipped Raspberry Pi inside a bank's network. Group-IB uncovered the attempt while investigating unusual network activity and found the device connected directly to an ATM network switch. The attackers aimed to spoof ATM authorization and initiate fraudulent cash withdrawals but ultimately failed. The Raspberry Pi gave the hackers a stealthy way to bypass perimeter security, maintain remote access, and move laterally across the network. Persistent access was maintained through the TinyShell backdoor, even after the Raspberry Pi was detected and removed. The attackers used sophisticated detection-evasion techniques, such as mounting alternative filesystems to obscure malicious processes. LightBasin, known for attacks on the financial and telecommunications sectors, intended to deploy the Unix kernel rootkit "Caketap," but the attack was disrupted before it could be fully executed. |
| 2025-07-30 16:29:11 | thehackernews | MALWARE | Hackers Spread JSCEAL Malware Via Fake Crypto Trading Apps on Facebook | Cybersecurity researchers discovered an ongoing campaign using Facebook ads to distribute counterfeit cryptocurrency trading apps. These apps deliver JSCEAL malware, which is capable of stealing credentials and wallet information. The malicious ads use stolen or newly created Facebook accounts to redirect users to fake websites instructing them to download the infected apps. The multi-layered attack employs script-based fingerprinting and requires the malicious site and the installer to operate simultaneously for execution. If conditions such as IP location or referrer do not match the attackers' parameters, victims are redirected to decoy pages. Deployed DLL modules parse data from the fake installations and initiate comprehensive data exfiltration, including system information and credentials. Once a valuable target is confirmed, JSCEAL captures extensive personal data and manipulates web traffic to intercept and alter interactions with financial and crypto services. According to Check Point, the modular design combined with advanced obfuscation poses substantial challenges for conventional security solutions. |
| 2025-07-30 16:15:05 | thehackernews | RANSOMWARE | Decryptor Released for FunkSec Ransomware After Group Inactivity | FunkSec ransomware, which emerged in late 2024, primarily targeted the U.S., India, and Brazil across the technology, government, and education sectors. The group has reportedly affected 172 entities but has added no new victims to its data leak site since March 2025, suggesting inactivity. A free decryptor for FunkSec ransomware, developed by Gen Digital, has been released and is available via the No More Ransom project. An analysis by Check Point suggested the ransomware was developed with AI tools and written in Rust for efficiency and evasion. FunkSec used the ChaCha20 and Poly1305 algorithms, increasing encrypted file sizes by approximately 37%. Researchers did not disclose how the decryptor was developed, leaving it unclear whether a cryptographic weakness was exploited. Victims are advised to verify that their files' encryption matches FunkSec characteristics before attempting decryption, and to back up files first to avoid potential data loss. |
| 2025-07-30 16:15:05 | bleepingcomputer | CYBERCRIME | Apple Releases Update for Exploited Chrome Vulnerability | Apple issued security patches for a high-severity vulnerability (CVE-2025-6558) in Google Chrome that also affected Apple's WebKit software. The flaw involved incorrect validation in the ANGLE graphics abstraction layer and could let attackers execute arbitrary code within Chrome's GPU process. Attackers could exploit the vulnerability through specially crafted HTML pages, potentially escaping the browser sandbox. CVE-2025-6558 was discovered by Google's Threat Analysis Group and was actively exploited in targeted attacks possibly linked to state-sponsored actors. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of actively exploited vulnerabilities and mandated that federal agencies patch by August 12. Apple's updates address the flaw across several devices and software products, noting that exploitation could cause unexpected Safari crashes. Apple has addressed multiple zero-day vulnerabilities so far this year, reinforcing the ongoing risk and the importance of timely updates. Network defenders, especially in federal agencies, are urged to prioritize patching to mitigate the risk from such vulnerabilities. |
| 2025-07-30 14:57:52 | theregister | MISCELLANEOUS | Palo Alto Networks Acquires CyberArk in $25 Billion Deal | Palo Alto Networks has confirmed a $25 billion acquisition of CyberArk, an Israeli company specializing in identity security and privileged access management tools. The acquisition is Palo Alto Networks' largest purchase to date and is structured as a cash-and-stock deal. CyberArk's technologies are increasingly vital for verifying and securing not just human identities but also machine and AI identities, which now outnumber human identities by 40 to 1. The acquisition is part of Palo Alto Networks' strategy to integrate comprehensive security capabilities into a unified platform, extending its product offerings with further add-ons. Palo Alto Networks CEO Nikesh Arora highlighted the growing importance of proper privilege controls for every identity, driven by the surge in AI applications and machine identities. CyberArk investors will receive $45 in cash and 2.2005 shares of Palo Alto Networks for each share they hold, with the transaction expected to close in the second half of fiscal 2026. The deal is second only to Google's $32 billion acquisition of Wiz, underscoring a trend of major investments in security technologies this year. |
| 2025-07-30 14:57:51 | bleepingcomputer | MALWARE | Lenovo Issues Firmware Updates to Combat Secure Boot Flaws | Lenovo has announced updates to fix high-severity BIOS flaws in various all-in-one desktops that could allow attackers to bypass Secure Boot. The vulnerabilities affect specific models including the IdeaCentre AIO 3 24ARR9 and 27ARR9 and the Yoga AIO 27IAH10, 32ILL10, and 32IRH8. The flaws, identified by security firm Binarly, affect System Management Mode (SMM), a highly privileged CPU mode that operates outside the OS and hypervisor layers. They could enable the deployment of nearly undetectable malware by bypassing security measures such as Secure Boot. InsydeH2O, a widely used UEFI BIOS framework in many OEM devices, was highlighted as vulnerable due to Lenovo-specific customizations. Lenovo acknowledged the issues following Binarly's report on April 8, 2025, and has published firmware updates for impacted models as part of a 90-day coordinated disclosure. The company reported that updates for the Yoga AIO series are forthcoming, with expected availability between September 30 and November 30, 2025. These flaws underscore recurring challenges from inconsistencies within software supply chains, which pose significant risks of stealthy attacks and system integrity breaches. |
| 2025-07-30 13:20:50 | bleepingcomputer | MISCELLANEOUS | AI Revolutionizes vCISO Services Amid Soaring SMB Demand | SMBs are increasingly adopting vCISO services due to heightened cyber threats and strict regulations, driving demand to record highs. AI integration allows vCISO providers to handle the increased demand efficiently, reducing workload by 68% and enabling scalable service delivery. Adoption of vCISO services among MSPs and MSSPs jumped from 21% in 2024 to 67% in 2025, with 74% of the remaining providers planning to launch by year-end. MSPs and MSSPs report substantial business benefits from vCISO offerings, including increased upsells, higher profit margins, and expanded customer bases. Operational barriers such as up-front investment and a lack of skilled personnel are noted, but they are not deterring providers from recognizing the strategic value and planning future implementation. A significant 81% of service providers are using AI technologies to optimize aspects of vCISO operations, with more planning to follow by next year. Looking ahead, AI's role in transforming vCISO services is expected to accelerate, greatly enhancing the quality, speed, and scalability of cybersecurity delivery. |
| 2025-07-30 13:04:54 | theregister | RANSOMWARE | Ransomware Group Threatens Release of Ingram Micro Data | Ingram Micro was attacked by the SafePay ransomware group, which has threatened to release 3.5 TB of company data. The incident led to a multi-day outage affecting Ingram Micro's global operations. SafePay set a deadline of August 1 to leak the data if its extortion demands are not met. Despite Ingram Micro's claim to have restored its operations, some websites are only now coming back online. SafePay's leak site listing indicates that Ingram Micro may not have complied with the ransom demands. Ingram Micro has not updated its public statements since early July, after containment of the attack, but remains operational globally. Security observers noted ongoing issues with the company's subsidiary websites in the META region, indicating partial service restoration. |
| 2025-07-30 13:04:53 | thehackernews | MALWARE | Critical Security Flaws Found in Dahua Smart Cameras | Cybersecurity researchers have uncovered critical vulnerabilities in Dahua smart camera firmware. The flaws, in the ONVIF protocol handling and file upload mechanisms, allow remote, unauthenticated attackers to execute arbitrary commands. Tracked as CVE-2025-31700 and CVE-2025-31701, they enable remote hijacking of the cameras, leading to denial of service or remote code execution. Exploitation grants attackers root-level access, bypassing firmware integrity checks and enabling the installation of unsigned payloads. The affected models, used in settings such as retail and casinos, are particularly at risk when exposed to the internet through port forwarding or UPnP. Dahua has acknowledged the risks, noting denial-of-service attacks as a persisting concern even though some devices have protective features such as ASLR. |
| 2025-07-30 11:45:55 | thehackernews | NATION STATE ACTIVITY | Chinese State-Linked Firms Accused of Developing Cyber Espionage Tools | Chinese companies associated with Silk Typhoon, a state-sponsored hacking group, have filed over 15 patents for cyber espionage technologies. These technologies include tools for forensic analysis, remote access, and encrypted data harvesting on various devices. The patents highlight the sophistication of Chinese cyber contractors that support state-initiated cyber operations. SentinelOne's findings reveal the complexity of attributing cyber campaigns to specific actors and emphasize the need to understand corporate involvement. The U.S. Department of Justice indicted individuals linked to these companies for cyberattacks exploiting Microsoft Exchange vulnerabilities in 2021. Connections were outlined between these employees and firms, such as Shanghai Powerock and Shanghai Firetech, and China's Ministry of State Security (MSS). Shanghai Firetech has developed sophisticated tools that extend beyond the known capabilities attributed to the hacking groups Hafnium and Silk Typhoon. The relationship between Shanghai Firetech, the MSS, and other co-conspirators indicates a structured, strategic partnership enhancing state cyber activities. |