Gov. Tim Walz activated the Minnesota National Guard Tuesday to help St. Paul recover from a sophisticated cyberattack that has crippled city systems since Friday. Mayor Melvin Carter declared a state of emergency, calling it a "deliberate, coordinated digital attack" by external criminals targeting the city's infrastructure. The FBI and cybersecurity firms are investigating alongside the Guard's cyber forces.

City Wi-Fi, internal networks, and online bill payment are down, forcing some workers offline. Libraries and recreation services are also affected, though 911 remains operational. Officials won't restore services until they fully understand the breach's scope.

Source: CBS News Minnesota

The Cybersecurity and Infrastructure Security Agency has added a cross-site request forgery vulnerability in PaperCut NG/MF print management software to its Known Exploited Vulnerabilities catalog. The flaw is currently being exploited by attackers in the wild.

CISA is requiring all federal agencies to patch their systems immediately to prevent potential security breaches. PaperCut NG/MF is widely used across government and enterprise environments for managing printing services, making this vulnerability particularly concerning for organizations running unpatched versions of the software.

Source: The Hacker News

The Python Package Index (PyPI) is warning developers about an ongoing phishing campaign targeting their accounts. Attackers are sending fake verification emails and using lookalike domains to steal credentials from Python developers. The fraudulent emails appear legitimate but direct users to malicious sites designed to harvest login information.

PyPI officials are urging developers to verify email authenticity before clicking links and to enable two-factor authentication. This campaign specifically targets the Python development community, potentially compromising software supply chains if successful.

Source: The Hacker News

The Scattered Spider cybercrime group launched sophisticated ransomware attacks on July 28, 2025, targeting VMware ESXi servers across critical U.S. infrastructure including retail and airline sectors. The hackers used stolen credentials and social engineering to hijack ESXi hypervisors, encrypting multiple virtual machines at once and causing widespread business disruptions.

CISA issued an urgent advisory urging organizations to patch vulnerable ESXi systems and strengthen access controls. Security experts say their evolving tactics make detection increasingly difficult for defenders. The attacks underscore urgent concerns about ransomware threats to virtualized environments that many organizations rely on for core operations.

Source: The Hacker News

Cybercriminals compromised Toptal's GitHub account and published 10 malicious npm packages that downloaded 5,000 times before removal. The packages contained code designed to steal GitHub authentication tokens and completely wipe victim systems using destructive commands. All packages targeted the same preinstall and postinstall scripts, sending stolen data to webhook endpoints before silently deleting files on Windows and Linux machines.

Toptal has since restored safe versions, but the attack method remains unknown. This follows similar supply chain attacks targeting npm and Python repositories with surveillanceware.

Source: The Hacker News

A pro-Ukraine hacking group called Silent Crow claims it successfully attacked Russia's national airline Aeroflot, forcing the cancellation of dozens of flights and causing widespread system failures. The group, working with Belarusian hackers Cyber Partisans, says it compromised Aeroflot's IT infrastructure and threatens to release passenger data. Russian prosecutors confirmed the cyber-attack and opened a criminal investigation.

The disruption mostly affected domestic routes but also flights to Belarus, Armenia, and Tashkent. Passengers were transferred to other carriers. This marks a rare visible impact from the ongoing cyber warfare between pro-Russian and pro-Ukrainian hacking groups since 2022.

Source: BBC News

Hackers accessed personal data belonging to most of Allianz Life's 1.4 million U.S. customers on July 16 through a social engineering attack on a third-party cloud system. The Minneapolis-based insurance company discovered the breach the next day and immediately contacted the FBI.

While Allianz Life's own systems weren't compromised, the attackers obtained personally identifiable information from customers, financial professionals, and some employees. The company is offering affected individuals 24 months of free identity theft protection and credit monitoring. This incident only impacts the U.S. subsidiary, not other Allianz entities worldwide.

Source: CBS News

A new ransomware group called Chaos has launched attacks across multiple sectors, primarily targeting US organizations with some victims in the UK, New Zealand, and India. The gang, which emerged in February 2025, uses sophisticated social engineering tactics—flooding targets with spam emails then impersonating IT security staff over phone calls to trick victims into granting remote access via Microsoft Quick Assist.

Cisco Talos researchers believe Chaos is likely formed by former BlackSuit/Royal gang members based on similar encryption methods and ransom note structures. The group demands large ransoms (one case involved $300,000) and threatens DDoS attacks plus data disclosure if victims don't pay.

Source: Infosecurity

CISA issued urgent security advisories Thursday covering vulnerabilities in devices from Honeywell, Medtronic, Mitsubishi, LG, and Network Thermostat that could allow attackers to execute malicious code or gain administrative access. The flaws affect critical infrastructure including manufacturing equipment, WiFi thermostats in commercial buildings, patient monitors, and security cameras.

Most concerning is a Network Thermostat vulnerability (CVE-2025-6260) with a 9.8 severity score that lets attackers reset credentials remotely. Medtronic's patient monitors contain three vulnerabilities requiring physical access, while Mitsubishi's manufacturing equipment faces DLL hijacking risks. Companies have released patches for most devices, though some older products won't receive fixes.

Source: Industrial Cyber

A Chinese cyberespionage group called Fire Ant has been targeting VMware and F5 vulnerabilities to breach supposedly secure, isolated networks. The hackers exploited critical flaws like CVE-2023-34048 in vCenter Server and CVE-2023-20867 in ESXi to gain complete control over virtualization infrastructure. They then used compromised systems as stepping stones to access guest virtual machines and tunnel between network segments that should've been separated.

Cybersecurity firm Sygnia found the group shows remarkable persistence, quickly adapting when defenders try to kick them out by deploying backup backdoors and changing tactics. The attack methods strongly resemble those used by another Chinese group, UNC3886.

Source: SecurityWeek