Travel on the Cyber Express

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • WordPress AI Engine Plugin Bug Allows Remote Code Execution – Update Now
    by Ashish Khaitan on 1 August 2025 at 8:15 AM

    A security flaw affecting over 100,000 WordPress websites has been discovered in the AI Engine plugin, specifically impacting versions 2.9.3 and 2.9.4. The vulnerability, classified as an arbitrary file upload vulnerability, allows authenticated users, starting from subscriber-level access, to upload malicious files and potentially achieve remote code execution (RCE) on the server. This type of vulnerability could result in full site compromise.

    The issue, tracked under CVE-2025-7847, was responsibly reported to Wordfence on July 18, 2025, by a researcher known as ISMAILSHADOW through the Wordfence Bug Bounty Program. The vulnerability was introduced just one day earlier, on July 17. For their timely discovery, the researcher was awarded a bounty of $1,170.

    Technical Analysis of the AI Engine Vulnerability

    The vulnerability resides in the rest_simpleFileUpload() function of the plugin, which failed to enforce proper file type validation. In affected versions, when the “Public API” option is enabled (it is disabled by default), any authenticated user could interact with the plugin’s REST API endpoint /mwai/v1/simpleFileUpload. Without any configured Bearer Token authentication, this endpoint accepts arbitrary files, including PHP scripts, allowing attackers to place malicious code in the site’s public uploads directory.

    The issue lies in the upload_file() function in the Meow_MWAI_Modules_Files class. This function used PHP’s native copy() function to store uploaded files without verifying the file’s MIME type or extension. As a result, attackers could bypass file restrictions and execute PHP scripts uploaded to the server. These scripts could be accessed via a browser, leading to remote code execution, one of the most dangerous outcomes of an arbitrary file upload vulnerability.

    Exploitation Conditions

    It’s important to note that this flaw does not impact all AI Engine users. Exploitation requires that:

      • The “Public API” option in the plugin settings is enabled.
      • No Bearer Token or custom authentication method has been configured.
      • The user is authenticated (even a subscriber role is sufficient).

    When these conditions are met, the plugin’s REST endpoint becomes vulnerable, giving low-level users a pathway to execute malicious server-side code.

    Patch and Remediation

    On July 22, 2025, the plugin developer, Jordy Meow, responded quickly and released version 2.9.5, which includes a fix. The patch introduces proper validation using WordPress’s built-in wp_check_filetype() function in both the simpleFileUpload() and upload_file() methods. This ensures only permitted file types are accepted, effectively mitigating the vulnerability.

    Security Measures and Timelines

      • July 18, 2025: Vulnerability submitted to Wordfence.
      • July 18, 2025: Validated and disclosed to the developer via the Wordfence Vulnerability Management Portal.
      • July 21, 2025: A firewall rule was deployed to Wordfence Premium, Care, and Response users.
      • July 22, 2025: Patched version 2.9.5 of AI Engine released.
      • August 20, 2025: Protection will be available to Wordfence Free users.

    Wordfence’s rapid response helped narrow the opportunity for exploitation. Still, due to the seriousness of the CVE-2025-7847 vulnerability, all users of the AI Engine plugin are urged to update to version 2.9.5 or later immediately, particularly if their site has the Public API feature enabled.

    Conclusion

    The CVE-2025-7847 vulnerability in the AI Engine plugin stresses the importance of proper input validation and access control, especially for plugins with public API features. Even minor oversights can lead to serious security risks like remote code execution. With AI Engine’s widespread use, ensuring REST API endpoints are secured with authentication is essential.
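
    The unchecked copy() and the file type check described in this article, side by side, as an added example that is not AI Engine or WordPress code. ALLOWED_TYPES and all function names are assumptions; check_filetype() is a stand-alone extension allow-list that stands in for wp_check_filetype() so the block runs without WordPress.

```php
<?php
declare(strict_types=1);

// Added example: stand-alone PHP, not AI Engine or WordPress code.
// ALLOWED_TYPES and every function name below are hypothetical.

// Extension pattern => MIME type allow-list.
const ALLOWED_TYPES = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'pdf'          => 'application/pdf',
    'txt'          => 'text/plain',
];

/** Match the final extension of a client-supplied name against the allow-list. */
function check_filetype(string $filename, array $allowed = ALLOWED_TYPES): array
{
    foreach ($allowed as $extPattern => $mime) {
        if (preg_match('!\.(' . $extPattern . ')$!i', $filename, $m) === 1) {
            return ['ext' => strtolower($m[1]), 'type' => $mime];
        }
    }
    return ['ext' => false, 'type' => false];
}

/** Flawed pattern: copy the upload under whatever name the client sent. */
function store_upload_unchecked(string $tmpPath, string $clientName, string $destDir): string
{
    $dest = $destDir . '/' . basename($clientName);
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('copy failed');
    }
    return $dest;
}

/** Corrected pattern: validate the type, then store under a server-chosen name. */
function store_upload_checked(string $tmpPath, string $clientName, string $destDir): string
{
    $check = check_filetype(basename($clientName));
    if ($check['ext'] === false) {
        throw new InvalidArgumentException('file type not permitted');
    }
    // A random name drops inner extensions such as "photo.php.jpg".
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $check['ext'];
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('copy failed');
    }
    return $dest;
}

/** Run both handlers over constructed file names in a throw-away directory. */
function demo(): array
{
    $dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
    mkdir($dir);
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "constructed sample content\n");

    $results = [];
    foreach (['notes.txt', 'report.PDF', 'page.php', 'image.jpg.php', 'photo.php.jpg'] as $name) {
        $unchecked = basename(store_upload_unchecked($tmp, $name, $dir));
        try {
            $checked = basename(store_upload_checked($tmp, $name, $dir));
        } catch (InvalidArgumentException $e) {
            $checked = 'REJECTED';
        }
        $results[$name] = ['unchecked' => $unchecked, 'checked' => $checked];
    }

    // Remove everything the demo wrote.
    array_map('unlink', glob($dir . '/*') ?: []);
    rmdir($dir);
    unlink($tmp);
    return $results;
}

foreach (demo() as $name => $r) {
    printf("%-14s unchecked: %-14s checked: %s\n", $name, $r['unchecked'], $r['checked']);
}
```

    An extension allow-list only holds if the web server does not execute allowed extensions as PHP, so the uploads directory should also be served without script execution.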

  • China Summons Nvidia Over Alleged Backdoor Risks in AI Chips
    by Ashish Khaitan on 31 July 2025 at 10:17 AM

    China’s top cybersecurity authority, the Cyberspace Administration of China (CAC), has officially summoned representatives from Nvidia to address alleged security vulnerabilities in its AI chips sold in the country. The specific focus is on Nvidia H20 chips, a custom version designed for the Chinese market amid strict U.S. export controls.

    The CAC announced that it had raised concerns with Nvidia over potential “backdoor security risks” embedded in the Nvidia H20 chips. Chinese regulators are demanding an explanation from the U.S. tech giant, along with supporting documentation detailing any vulnerabilities or embedded tracking capabilities.

    The CAC’s statement, posted on official social media channels, cited U.S. expert opinions indicating that location tracking and remote shutdown features for Nvidia chips “are already matured” and could pose a national security risk.

    The H20 Chip: A Workaround for U.S. Export Restrictions

    The Nvidia H20 chips were developed as a toned-down version of Nvidia’s high-performance AI processors. These were intended to comply with restrictions imposed by the U.S. government, which has barred the export of certain advanced chips to China due to national security concerns. Nvidia recently announced that it would resume H20 sales in China after U.S. authorities signaled a softening of the licensing requirements that had previously halted exports, reported The Wall Street Journal.

    U.S. Lawmakers Push for Stricter Controls

    Despite the resumption of sales, Nvidia is not free from scrutiny on the home front. U.S. lawmakers are currently pushing for legislation that would require AI chipmakers, including Nvidia, to embed location tracking technology in their products to monitor their use overseas. This proposed requirement is raising concerns in China and adding pressure on Nvidia, which is attempting to maintain compliance with both governments while sustaining its massive presence in the Chinese market.

    Nvidia Reaffirms Commitment to the Chinese Market

    Nvidia CEO Jensen Huang traveled to Beijing earlier this month in a bid to reassure Chinese stakeholders. During his visit, Huang stated that local officials conveyed a message of stability and openness. “They want to know that Nvidia continues to invest here, that we are still doing our best to serve the market here,” he said, as reported by The Hindu.

    China’s Shift Toward Domestic Alternatives

    The CAC’s move to summon Nvidia may also be part of China’s broader strategy to reduce dependence on foreign technology. President Xi Jinping has repeatedly stressed the importance of self-reliance in strategically critical sectors such as AI and semiconductors. In line with this vision, Chinese authorities are promoting alternatives like Huawei’s 910C chip to compete directly with foreign-made processors such as the Nvidia H20 chips.

    Nvidia’s challenges in China come amid broader economic issues facing the country, including a prolonged property market crisis and increased trade headwinds that have persisted since the Trump administration. The latest developments reflect how Nvidia and other global tech firms are caught in the crossfire of a digital cold war between two superpowers.

    Conclusion

    Despite its recent milestone of hitting a $4 trillion market valuation, Nvidia is facing mounting pressure on both geopolitical and regulatory fronts. Ongoing scrutiny from U.S. lawmakers and the Cyberspace Administration of China over the security of its H20 chips has raised new challenges for the company’s operations in China. The situation reflects broader tensions between Washington and Beijing, as both governments tighten their grip on key technologies and digital infrastructure.

  • iOS 18.6 to macOS 15.6: Apple Releases Comprehensive Security Updates
    by Ashish Khaitan on 31 July 2025 at 6:39 AM

    Apple has rolled out a wide-ranging series of Apple security updates and Rapid Security Responses, spanning iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. These carefully coordinated Apple security releases provided vital patches for vulnerabilities affecting millions of devices across its ecosystem.

    The updates included iOS 18.6 and iPadOS 17.7.9 for iPhones (XS and later) and a range of iPads, including iPad Pro, Air, and mini models. macOS received three separate updates: version 15.6 for Sequoia, 14.7.7 for Sonoma, and 13.7.7 for Ventura, targeting compatible Mac systems.

    Apple Watch Series 6 and newer received watchOS 11.6, while Apple TV HD and all Apple TV 4K models were updated to tvOS 18.6. Additionally, visionOS 2.6 was released specifically for the Apple Vision Pro, rounding out a sweeping set of Apple security releases and Rapid Security Responses aimed at addressing key vulnerabilities and enhancing system stability across all devices.

    Details of the Apple Security Updates

    iOS 18.6 and iPadOS 18.6

    These updates bring improvements to accessibility, system libraries, WebKit, and media frameworks for supported iPhones (starting from iPhone XS) and a wide array of iPads. Highlights include:

      • Accessibility issues fixed: VoiceOver no longer reads passcodes aloud, and privacy indicators now display properly.
      • WebKit received critical patches that resolve memory corruption, address-bar spoofing, Safari crashes, denial-of-service flaws, and data leakage.
      • Media frameworks (CoreMedia, CoreAudio, Model I/O, ImageIO) were hardened against crafted-file crashes and buffer overflows.
      • CoreMedia Playback now enforces strict permission checks to protect sensitive user data.
      • System libraries (libxml2, libxslt, ICU, libnetcore) were stabilized to reduce crash risks from untrusted content.
      • Mail Drafts now respects the “Load Remote Images” setting correctly.
      • Metal received fixes to prevent crashes via malformed textures.
      • CFNetwork now resists unauthorized network configuration changes by low‑privilege users.

    iPadOS 17.7.9

    Specifically targeting older iPads, the iPad Pro 12.9‑inch 2nd generation, 10.5‑inch, and 6th generation, this update resolves vulnerabilities that could compromise privacy, memory safety, and app behavior. Major fixes include:

      • Accessibility: privacy indicators restored for microphone and camera access.
      • CFNetwork: patched flaws allowing low-privilege network modification and crashes.
      • copyfile: symlink validation now blocks apps from accessing protected data.
      • CoreMedia / Playback: out‑of‑bounds checks and permissions sanitization.
      • Find My: protections added to prevent user fingerprinting.
      • ICU & ImageIO: improved validation to block crafted‑content crashes and memory leaks.
      • Kernel: remote-triggered shutdown bugs have been fixed.
      • libxslt: open-source bug patched to prevent memory corruption.
      • Mail Drafts: remote images are now blocked when disabled.
      • Notes: logging now hides sensitive data.
      • Sandbox profiles: tightened to prevent access to persistent device identifiers.
      • WebKit: multiple vulnerabilities addressed, including crashes, use-after-free issues, and denial-of-service exploits.

    macOS Sequoia 15.6

    This substantial Apple security release addressed over 90 vulnerabilities in Sequoia, tackling privilege escalation, memory corruption, sandbox escapes, and denial-of-service weaknesses. Key areas patched include:

      • AppleMobileFileIntegrity, Kernel, CoreServices, DiskArbitration, StorageKit, and libxpc: closing gaps that could allow root access or elevate privileges.
      • Sandbox escape paths in Archive Utility, File Bookmark, Notes, Directory Utility, NSSpellChecker, and SharedFileList.
      • Memory integrity improvements in CoreAudio, CoreMedia, ICU, Metal, Model I/O, and Power Management.
      • A sweep of WebKit fixes targeting XSS, memory corruption, denial-of-service, and data leaks.
      • Reinforced file and network security in copyfile, CFNetwork, libnetcore, and zip.
      • Core OS services, including SecurityAgent, WindowServer, Software Update, System Settings, Find My, RemoteViewServices, and Voice Control, were patched for privilege misuse and secure data handling.

    macOS Sonoma 14.7.7 & Ventura 13.7.7

    These two versions build on the Rapid Security Responses foundation by patching critical threats in systems still widely in use. Both releases include:

      • Fixes for privilege escalation (AppleMobileFileIntegrity, libxpc, Core Services, PackageKit).
      • Remediation of sandbox escape vectors in Notes, SceneKit, SharedFileList, and File Bookmark.
      • Stability upgrades for CFNetwork, CoreMedia, ICU, libxslt, GPU drivers, and others.
      • Resolved arbitrary code execution opportunities via Finder, LaunchServices, Disk Images.
      • Data exposure holes sealed in Security, WindowServer, and System Settings.
      • Kernel and HTTPS proxy protections, plus memory-hardening in WebContentFilter.
      • Wide-ranging improvements in ScanKit, Power Management, Shortcuts, StorageKit, and more.

    tvOS 18.6

    Available for all Apple TV HD and 4K units, this update patches memory-related flaws and web vulnerabilities in the tvOS environment. Highlights include:

      • Better memory safety in afclip, CoreAudio, CoreMedia, Model I/O, Metal, and WebKit.
      • Protection against unauthorized data access in CoreMedia Playback and ImageIO.
      • Fixes for denial-of-service in CFNetwork, WebKit, and others.
      • Patches for open‑source library issues in libxml2, libxslt, and WebKit.

    visionOS 2.6

    This security update for the Apple Vision Pro platform mirrors many of the tvOS improvements and strengthens the AR/VR OS. The updates include:

      • Memory integrity patches in afclip, CoreAudio, CoreMedia, Metal, Model I/O, and WebKit.
      • Data protection improvements in CoreMedia Playback, ImageIO, and WebKit.
      • Input validation and DoS protection in WebKit and CFNetwork.
      • Open‑source fixes for libxml2, libxslt, and WebKit vulnerabilities.

    Conclusion

    The recent Apple security updates, along with Rapid Security Responses, address a range of vulnerabilities across multiple platforms. The company has provided detailed Apple security releases with CVE references, reflecting ongoing collaboration with security researchers worldwide. Users of devices such as iPhone, iPad, Mac, Apple Watch, Apple TV, and Vision Pro should install these updates promptly to help protect their systems and data.

  • U.S. Data Breach Costs Rise as Global Average Falls
    by Paul Shread on 30 July 2025 at 6:25 PM

    Data breaches in the U.S. are getting more costly even as they’re getting cheaper in the rest of the world.

    That was one of the conclusions in the new IBM-Ponemon Institute 2025 Cost of a Data Breach report, which also found that AI is playing a significant role in cybersecurity, both as an attack vector and as a defensive measure.

    While AI is becoming a significant attack target, AI-powered cybersecurity defenses have significantly cut data breach costs, the report found.

    Global Average Data Breach Cost Falls but AI Becomes a Target

    While the global average cost of a data breach fell 9% from the 2024 report to $4.44 million – the first decline in five years – the U.S. saw a 9% increase to $10.22 million, an all-time high for any global region. The U.S. increase was largely due to higher regulatory penalties and rising detection costs, the report said.

    The global decline was fueled by faster breach containment driven by AI-powered defenses, the report said. At the same time, 16% of breaches involved some use of AI by attackers, often in phishing and deepfake attacks.

    AI itself is becoming a significant vulnerability, IBM and Ponemon found. “What we’ve found is concerning: organizations are skipping over security and governance for AI in favor of do-it-now AI adoption,” the report said. “Those ungoverned systems are more likely to be breached—and more costly when they are.”

    As a result, 97% of AI-related security breaches involved AI systems that lacked proper access controls. Most breached organizations also have no governance policies in place to manage AI or prevent shadow AI, the report said.

    In all, 13% of organizations reported breaches that involved their AI models or applications. The most common security incidents occurred in the AI supply chain, through compromised apps, APIs or plug-ins. The incidents led to a broader data compromise in 60% of cases, and operational disruption in 31% of incidents.

    “The findings suggest AI is emerging as a high-value target,” the report said.

    Another 20% said they suffered a breach due to security incidents involving shadow AI. Organizations with high levels of shadow AI faced data breach costs that were $670,000 higher than those that had low levels of shadow AI or none. Those incidents also resulted in high rates of personally identifiable information (65%) and intellectual property (40%) data being compromised.

    “And that data was most often stored across multiple environments, revealing just one unmonitored AI system can lead to widespread exposure,” the report said. “The swift rise of shadow AI has displaced security skills shortages as one of the top three costly breach factors tracked by this report.”

    Even among organizations that have AI governance policies, only a third perform regular audits for unsanctioned AI. “It shows AI remains largely unchecked as adoption outpaces both security and governance,” IBM and Ponemon said.

    AI Security Defenses Cut Data Breach Costs

    One bright spot in the report is that security teams using AI and automation shortened their breach times by 80 days and lowered their average breach costs by $1.9 million over organizations that don’t use those solutions.

    “Nearly a third of organizations said they used these tools extensively across the security lifecycle—in prevention, detection, investigation and response,” the report said. “However, that figure is up only slightly from the previous year, suggesting AI adoption may have stalled. It also shows the majority are still not using AI and automation and, therefore, aren’t seeing the cost benefits.”

    Time to identify and contain a breach fell to 241 days, a nine-year low and continuing a downtrend that began after a 287-day peak in 2021.

    Malicious insider attacks were the most costly breaches, at $4.92 million, followed by third-party vendor and supply chain attacks at $4.91 million. Other expensive attack vectors included vulnerability exploitation and phishing, which was the most frequent type of attack vector, followed by supply chain compromises.

    [Figure: Initial attack vectors (IBM-Ponemon)]

    Healthcare breaches were the most costly, followed by those affecting financial organizations.

    [Figure: Cost of a data breach by industry (IBM-Ponemon)]

    More ransomware victims refused to pay a ransom – 63%, up from 59% in the 2024 report – and law enforcement involvement declined significantly, from 52% to 40% of incidents. The average cost of an extortion or ransomware incident remained high at $5.08 million.

    Breaches identified by internal security teams cost less than those first disclosed by third parties or attackers ($4.18 million vs. $5.08 million for attacker-disclosed breaches), as security teams are able to respond faster when they detect attacks first.

    The report examined 600 organizations impacted by data breaches between March 2024 and February 2025. Ponemon researchers interviewed 3,470 security and C-suite business leaders with firsthand knowledge of the data breach incidents.

  • India’s Financial Capital Mumbai Suffers $135 Million Loss in Cyber Frauds
    by Ashish Khaitan on 30 July 2025 at 8:20 AM

    The financial capital of India, Mumbai, has suffered staggering financial losses amounting to Rs 1,127 crore (approximately $135 million) between January 2024 and March 2025. According to data released by the Mumbai Police, many of these losses, nearly 85%, were due to cyber frauds and scams.

    The latest figures expose a deepening crisis. Of the total loss, Rs 964 crore ($115 million) was swindled through elaborate scams involving fraudulent stock market schemes, fake cryptocurrency investments, and misleading digital platforms.

    There is also a sharp increase in digital arrest scams, a particularly insidious form of cyber fraud. In one widely publicized case, an elderly woman from South Mumbai was duped into believing she was under investigation for money laundering. Fraudsters posing as law enforcement officers allegedly held her in isolation within her own home for nearly two months, coercing her into transferring Rs 20 crore ($2.4 million) to overseas accounts.

    In another case, a commercial pilot was conned out of Rs 3 crore ($360,000) through a bogus trading app that promised hefty returns.

    Underreporting of Cyber Frauds and Legal Barriers

    Cybercrime legal experts warn that the actual extent of the damage may be underreported. “Victims often choose silence due to the fear of social stigma or mental trauma,” one expert noted. Adding to the problem is the fact that many of these complaints are not even registered as First Information Reports (FIRs), making it harder for law enforcement agencies to pursue justice or recover funds, as reported by The Times Of India.

    The first quarter of 2025 alone saw digital arrest scams rob Mumbai residents of Rs 73 crore ($8.75 million). During the same period, cyber fraud involving fake investment opportunities cost victims another Rs 118 crore ($14.13 million). Credit card fraud (Rs 34 crore) and sextortion scams (Rs 47 crore) also form a part of the cyber fraud landscape.

    Banks, Crypto, and Cross-Border Challenges

    Another growing concern is the use of mule accounts, bank accounts used by cybercriminals to launder money. Despite widespread cybersecurity campaigns and awareness programs, experts point to a glaring lack of accountability among financial institutions. “Banks continue to enable cyber fraud by failing to monitor suspicious transactions effectively,” said one cybercrime investigator. “The Reserve Bank of India must enforce stricter regulations, including penalties for non-compliance.”

    The global reach of these cybercrimes adds another layer of complexity. Frequently, the stolen funds are converted into cryptocurrency and moved offshore, putting them beyond the reach of Indian law enforcement. This international element makes tracking and prosecuting perpetrators especially challenging.

    Conclusion

    Despite the rise in cyber fraud, experts are proposing proactive solutions to address both the financial and emotional toll on victims. Initiatives like a proposed Digital India Insurance scheme could offer critical financial protection, while the establishment of cyber trauma centers aims to support those facing psychological distress.

    At the same time, authorities continue to stress the need for personal vigilance, warning the public to be cautious of too-good-to-be-true investment offers and to report suspicious activity immediately via the national cybercrime helpline 1930.

  • CodeIgniter4 Flaw CVE-2025-54418 Enables Remote Code Execution via File Uploads
    by Ashish Khaitan on 30 July 2025 at 6:46 AM

    A major security flaw has been detected in the popular PHP framework CodeIgniter4. The critical vulnerability, tracked as CVE-2025-54418, was officially disclosed on July 26, 2025, and exposes users to file upload attacks that could compromise millions of web applications worldwide.

    The vulnerability affects CodeIgniter4, specifically versions prior to 4.6.2, and has received a maximum severity rating based on the CVSS v3.1 scoring system: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high risk in terms of confidentiality, integrity, and availability. This means attackers require no privileges or user interaction to exploit the flaw, making it especially dangerous.

    What Is CVE-2025-54418?

    According to the official GitHub advisory, CVE-2025-54418 is a command injection vulnerability in CodeIgniter4’s ImageMagick handler, part of its image processing component. Applications that rely on ImageMagick for image manipulation, particularly through the resize() and text() methods, are at risk, especially if they accept user-controlled input such as filenames or text content.

    The advisory, titled “CodeIgniter4’s ImageMagick Handler has Command Injection Vulnerability,” explains that an attacker can upload files with malicious filenames containing shell metacharacters, which may be executed when the image is processed. Alternatively, malicious text content supplied by users to the text() method can trigger the same result.

    Who Is Affected?

    Any application built with CodeIgniter4 that uses:

      • ImageMagick (imagick) as the image library, and
      • Accepts user-uploaded files with controllable filenames, or
      • Processes user-supplied text via the text() method

    These conditions create an opening for an attacker to run arbitrary commands on the host system, potentially leading to a full system compromise.

    The Fix and Workarounds

    To address this CodeIgniter vulnerability, the framework’s maintainers have released a patch in version 4.6.2. All developers are strongly encouraged to upgrade immediately to this version or later.

    For those unable to upgrade, several workarounds have been suggested:

      • Switch to the GD image handler (the default handler), which is not affected by this issue.
      • Avoid using user-provided filenames. Instead, use secure alternatives like getRandomName() or store(), which generate safe filenames automatically.
      • If user-controlled text input is essential, sanitize it rigorously using regular expressions like: preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text)

    Additionally, all text options should be validated to ensure safety.

    Conclusion

    The recently disclosed CodeIgniter vulnerability, CVE-2025-54418, was reported by GitHub user @vicevirus, with a fix implemented under the guidance of CodeIgniter4 maintainer @paulbalandan. Cataloged in the GitHub advisory database as GHSA-9952-gv64-x94c, this critical flaw highlights the ongoing cybersecurity risks posed by file upload attacks in modern web development.

    Despite CodeIgniter’s historically strong security record, this incident is a reminder that even the most well-maintained frameworks like CodeIgniter4 are not immune to serious threats, particularly when user input and powerful tools like ImageMagick are involved.

    Developers are urged to act promptly by upgrading to version 4.6.2 or applying the recommended mitigations, ensuring proper input validation and avoiding unsafe defaults. Proactive steps now are essential to protect systems from exploitation and maintain the integrity of applications built with CodeIgniter4.
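
    Why a client-chosen filename is dangerous in a shell command, and how the workarounds listed in this article remove the problem, as an added example that is not CodeIgniter4 code. The function names and the "convert" command line are assumptions; random_stored_name() stands in for the framework's getRandomName(), and the commands are only built as strings, never executed.

```php
<?php
declare(strict_types=1);

// Added example: stand-alone PHP, not CodeIgniter4 code. Function names and the
// "convert" command line are hypothetical; commands are built, never executed.

/** Flawed pattern: a client-controlled file name interpolated into a shell command. */
function resize_command_unsafe(string $dir, string $clientName): string
{
    return "convert {$dir}/{$clientName} -resize 200x200 {$dir}/thumb_{$clientName}";
}

/** Stand-in for getRandomName(): discard the client name, keep an allow-listed extension. */
function random_stored_name(string $clientName, array $allowedExt = ['jpg', 'jpeg', 'png', 'gif']): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('extension not permitted');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Defence in depth: quote every path before it reaches a shell. */
function resize_command_safe(string $dir, string $storedName): string
{
    $src = escapeshellarg($dir . '/' . $storedName);
    $dst = escapeshellarg($dir . '/thumb_' . $storedName);
    return "convert {$src} -resize 200x200 {$dst}";
}

/** The article's character allow-list for text passed to text(). */
function sanitize_overlay_text(string $text): string
{
    return preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) ?? '';
}

/** True when a string contains characters a POSIX shell treats specially. */
function has_shell_metachar(string $s): bool
{
    return preg_match('/[;&|`$(){}<>\\\\"\'\s*?#~!]/', $s) === 1;
}

/** Compare the flawed and corrected handling on constructed input. */
function demo(): array
{
    $dir = '/srv/uploads';                      // constructed path
    $clientName = 'beach; echo MARKER #.png';   // constructed hostile file name
    $stored = random_stored_name($clientName);

    return [
        'unsafe command'       => resize_command_unsafe($dir, $clientName),
        'stored name'          => $stored,
        'stored name is inert' => !has_shell_metachar($stored),
        'safe command'         => resize_command_safe($dir, $stored),
        'quoted hostile name'  => escapeshellarg($clientName),
        'sanitized text'       => sanitize_overlay_text('Sale! 50% off `today` $(now)'),
    ];
}

foreach (demo() as $label => $value) {
    printf("%-22s %s\n", $label, var_export($value, true));
}
```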

  • From Automation to Augmentation: The Future of SOCs in Enterprise Cybersecurity
    by Editorial on 30 July 2025 at 6:09 AM

    Vaibhav Dutta, Associate Vice President and Global Head-Cybersecurity Products & Services at Tata Communications

    The sophistication and continuous threat of cyberattacks have outpaced manual response times, and enterprises are confronting a pivotal truth: the era of reactionary cybersecurity is over. Traditional Security Operations Centres (SOCs) are no longer enough, and businesses now require a new breed of cybersecurity capability – one that is predictive, adaptive, and fast, powered by automation and intelligent augmentation.

    Autonomous SOCs are no longer a futuristic concept – they are emerging as a necessity. With cybercrime having cost the global economy $9.5 trillion (projected figure) in 2024 and attackers increasingly using generative AI to scale and sharpen threats, organisations cannot afford even a second of lag in their security posture. The next-gen SOC integrates AI, automation, and real-time threat intelligence to monitor, detect, and respond with speed. The goal for enterprises today is to detect threats faster, contain them earlier, and reduce the blast radius of a breach.

    This shift isn’t just about automating known responses. It’s about building intelligent workflows that combine the scale and speed of machines with the reasoning and strategic thinking of experienced analysts. The security challenge is too vast for either side to win alone. It’s the combination that matters.

    The Problem with Legacy SOCs

    Most traditional SOCs are built for a world that no longer exists. These command centres rely heavily on manual processes, siloed threat monitoring, and static playbooks. As enterprise environments become more fragmented – with data flowing between multi-cloud deployments, edge devices, and mobile workforces – the sheer volume of telemetry becomes unmanageable without intelligent augmentation.

    On average, security teams use over 40 different cybersecurity tools. Correlating these fragmented signals and making decisions in real-time has become a near-impossible task. This operational sprawl does not just slow down response – it creates gaps. The result? Longer Mean Time to Detect (MTTD), longer Mean Time to Respond (MTTR), and lower overall resilience.

    Why Augmented SOCs Change the Game

    AI-augmented SOCs use SOAR (Security Orchestration, Automation, and Response) for predefined rules-based actions, but they’re now evolving to incorporate agentic AI – AI systems that are autonomous, adaptive, and context-aware.

    Where traditional SOAR tools follow static playbooks and execute rule-based tasks – such as blocking IPs or enriching alerts – agentic AI can go several steps further. It not only analyses threat signals but also understands the broader context, proposes next steps, and explains its reasoning. While SOAR is effective at automating repetitive actions, agentic AI brings flexibility and judgment into the equation. These systems behave more like intelligent assistants: they adapt to evolving threats, handle unstructured situations, and simulate human-like decision-making. As a result, SOCs are no longer limited to automation alone, but can start to operate with goal-driven intelligence that is dynamic, explainable, and far more effective at managing advanced threats.

    By fusing SOAR with Agentic AI, augmented SOCs reduce detection and response windows dramatically. Playbooks aren’t just triggered – they evolve. Systems can halt lateral movement, isolate infected endpoints, and even initiate recovery workflows based on contextual judgment, not just static rules.

    The Real-World Impact

    Before diving into the operational benefits, it’s important to frame the stakes. Cybercrime is projected to cost the global economy $10.5 trillion in 2025, making it the third-largest economy if measured by GDP. In such a high-stakes environment, enterprises cannot afford delays, false positives, or fragmented defence.

    In practice, this evolution translates into three immediate benefits:

      • Speed: Integrated automation shifts detection from minutes to seconds. AI can pre-analyse events before humans even see them.
      • Accuracy: Contextual intelligence reduces false positives and prioritises what really matters.
      • Continuity: AI ensures around-the-clock vigilance – even when human analysts are focused elsewhere.

    From Analysts to Architects

    This isn’t a story of replacement – it’s a story of elevation. Security teams evolve from reactive responders to architects of intelligent defence systems. They design detection logic, refine AI playbooks, and continuously train their systems using new threat intelligence. AI doesn’t steal jobs – it changes them. And for forward-thinking enterprises, that’s an opportunity.

    Conclusion

    As the cyber threat landscape intensifies, success will come not from full autonomy but from thoughtful augmentation. Enterprises shouldn’t aim for an autonomous SOC, but for an intelligent one. The future belongs to AI-augmented operations where machines act faster and humans think deeper. For organisations navigating increasingly complex digital ecosystems, the focus must shift from automation for the sake of scale to augmentation for the sake of resilience. AI-augmented SOCs represent that balance – and that future.

  • Minnesota National Guard Deployed After Major Cyberattack on St. Paul City Systems
    by Samiksha Jain on 30 July 2025 at 5:47 AM

    The state of Minnesota has activated the National Guard to assist the city of St. Paul after a massive cyberattack disrupted internal systems and city services. Officials described the cyberattack as a “deliberate, coordinated, digital attack” by hackers, prompting an emergency declaration and a full-scale response involving local, state, and federal agencies.

    Governor Tim Walz announced that he had signed an executive order authorizing the deployment of the Minnesota National Guard’s cyber protection teams. “The magnitude and complexity of the cybersecurity incident have exceeded the city’s response capacity,” the governor said. “The Minnesota National Guard’s cyber forces will collaborate with city, state, and federal officials to resolve the situation and mitigate lasting impacts. Above all, we are committed to protecting the safety and security of the people of Saint Paul.”

    State of Emergency Declared

    St. Paul Mayor Melvin Carter declared a state of emergency to streamline the city’s response and secure additional resources. The order authorizes the city’s Department of Emergency Management and the Office of Technology and Communications (OTC) to coordinate efforts with partner agencies.

    “Protecting the integrity of our city’s digital infrastructure is critical to the safety and wellbeing of our residents and citywide operations,” Mayor Carter said. “While this security incident disrupted some of our internal systems, our top priority remains ensuring our emergency response continues without interruption.”

    City officials said that in the early hours of July 25, cybersecurity monitoring systems detected suspicious activity on the city’s network. A rapid investigation confirmed that malicious actors were targeting St. Paul’s information systems. In an effort to contain the threat, officials proactively restricted access to affected networks and then initiated a full shutdown of internal systems.

    Systems Shut Down to Contain City of St. Paul Cyberattack

    The shutdown led to citywide service outages, including the loss of Wi-Fi in government buildings, disruptions to the library collection management system, and the temporary suspension of several internal applications. However, Mayor Carter emphasized that essential services, including public safety and emergency response, remain fully operational.

    “This was not a system glitch or technical error,” Carter said during a press briefing. “This was a deliberate, coordinated digital attack, carried out by a sophisticated external actor—intentionally and criminally targeting our city’s information infrastructure.”

    The city of Saint Paul has activated its Emergency Operations Center to lead the response. According to OTC Director Jaime Wascalus, the city is working around the clock with the Minnesota Information Technology Services team, national cybersecurity partners, and federal law enforcement agencies, including the FBI, to investigate the incident.

    “We are the victim of a serious crime,” Wascalus said. “In response, we have mobilized every available local, state, and federal partner to support our investigation and response efforts. We continue to assess this situation in real time.”

    National Cybersecurity Support Mobilized

    As part of the emergency response to the cyberattack, the city has retained two national cybersecurity firms with extensive expertise in dealing with large-scale data breaches. These experts will support the restoration of systems, the strengthening of network defenses, and the investigation into the origin of the attack.

    Mayor Carter confirmed that he had spoken directly with Governor Walz and formally requested the Minnesota National Guard’s support. “Their cybersecurity experts are now actively assisting us in securing, restoring, and rebuilding our digital infrastructure,” he said.

    The National Guard’s cyber protection team is expected to provide additional technical capacity to speed up system recovery and reduce the risk of further compromise.

    Source: https://mn.gov/governor/

    Ongoing Investigation

    City leaders have not yet disclosed the identity of the attackers or their motives, citing the sensitivity of the ongoing investigation. They also said it is too early to confirm whether any sensitive data was accessed or stolen during the cyberattack.

    “We are urging all city staff to take precautionary steps to safeguard their digital security, in both their professional and personal lives,” Carter said.

    At the press conference, Chief Information Security Officer Stefanie Horvath, Deputy Mayor Jaime Tincher, and Emergency Management Director Rick Schute joined Mayor Carter and OTC Director Wascalus to outline the coordinated effort underway. St. Paul Police Chief Axel Henry and Fire Assistant Chief Jeramiah Melquist also briefed the media on how emergency responders are adapting to service disruptions while maintaining readiness for public safety incidents.

    Protecting Public Trust

    Mayor Carter reiterated that maintaining the trust of residents is at the center of the city’s response. “From the very beginning of this incident, preserving our ability to deliver emergency services has been a top priority,” he said. “We remain focused on defending our systems, protecting our city, and upholding the trust of the people we serve.”

    While most city systems remain offline as a precaution, officials said they are making progress in restoring critical functions.

    “This remains not only an ongoing investigation but an active and dynamic threat,” Carter said. “We are able to provide basic information about what has happened and the steps we are taking in response—but we will not speculate on the motivations of the threat actor or share specific details about the investigation at this time.”

    Broader Impact

    Cyberattacks targeting municipal governments have become increasingly common in recent years, often involving ransomware groups seeking financial gain or politically motivated actors attempting to disrupt essential services. Such cyberattacks can paralyze city operations and potentially expose sensitive data, making rapid response critical.

    Governor Walz emphasized the state’s commitment to helping Saint Paul recover and prevent future attacks. “We are committed to working alongside the City of Saint Paul to restore cybersecurity as quickly as possible,” he said.

    City officials promised to continue providing updates as they work to assess the full scope of the breach, rebuild secure systems, and return to normal operations.

    “This breach was intentionally caused by a criminal external threat actor,” Mayor Carter said. “We will not stop until we have restored our systems and ensured the safety and security of our city’s digital infrastructure.”

  • FBI, CISA Warn About Scattered Spider Cyberattacks
    by Paul Shread on 29 July 2025 at 6:48 PM

    The FBI and CISA issued updated guidance today on the Scattered Spider threat group, including information on recent attack techniques such as encrypting VMware ESXi servers with DragonForce ransomware.

    The advisory, issued in cooperation with security and law enforcement agencies from Canada, Australia and the UK, recommended a number of steps to protect against Scattered Spider cyberattacks, including three urgent actions:

    - Maintain isolated, offline backups of data that are tested regularly.
    - Implement phishing-resistant multifactor authentication (MFA).
    - Implement application controls to manage and control software execution.

    Scattered Spider Attack Techniques

    Scattered Spider, which has been behind recent attack campaigns targeting the insurance, retail and other sectors, has been known for some aggressive attack techniques.

    These have included posing as company IT or helpdesk staff using phone calls or SMS messages to steal credentials from employees, directing employees to run remote access tools that enable initial access, and convincing employees to share their one-time passwords (OTPs) for multi-factor authentication.

    Most recently, Scattered Spider actors have posed as employees to convince IT or helpdesk staff “to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”

    Scattered Spider, which is also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, has also sent repeated MFA notification prompts to try to get employees to accept the prompt, an attack technique known as MFA fatigue.

    The threat actors have also been able to convince cellular carriers to transfer control of a user’s phone number to a SIM card in their possession to gain control over the phone and MFA prompts.

    The FBI has observed Scattered Spider threat actors using as many as a dozen legitimate remote access tunneling tools after gaining access to networks, the most recent being AnyDesk and Teleport.sh.

    Once persistence has been established on a network, actions have included enumerating Active Directory (AD) and performing discovery and exfiltration of code repositories, code-signing certificates, and source code. The threat actors have also activated Amazon Web Services (AWS) Systems Manager Inventory to discover targets for lateral movement, moving to both preexisting and threat actor-created Amazon Elastic Compute Cloud (EC2) instances.

    More recent activities have included searching for an organization’s Snowflake access to exfiltrate large volumes of data quickly, “often running thousands of queries immediately,” and deploying DragonForce ransomware onto targeted networks to encrypt VMware ESXi servers.

    Protecting Against Scattered Spider Attacks

    The advisory recommended extensive controls for protecting against Scattered Spider attacks, including:

    - Application controls for managing, monitoring and controlling execution of software, including allowlisting remote access programs and preventing installation and execution of portable versions of unauthorized remote access and other software.
    - Monitoring for remote access software loaded only in memory.
    - Restricting authorized remote access solutions so they can run only from within the network over approved access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    - Blocking inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
    - Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
    - Enforcing account lockouts after a specified number of attempts.

    The advisory also referenced May guidance from the UK’s National Cyber Security Centre after Scattered Spider-linked retail incidents, which included:

    - Monitoring for unauthorized account misuse, such as risky logins within Microsoft Entra ID Protection.
    - Monitoring Domain Admin, Enterprise Admin, Cloud Admin accounts to ensure that access is legitimate.
    - Reviewing helpdesk password reset processes, including how the helpdesk authenticates employee credentials before resetting passwords, “especially those with escalated privileges.”
    - Monitoring logins from atypical sources such as VPN services in residential ranges.
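
An added example (not from the advisory or from The Cyber Express) of detection logic for two behaviors described above: a burst of unapproved MFA pushes that ends in an approval (MFA fatigue), and a helpdesk password reset followed shortly by enrollment of a new MFA device. The event names, field layout, thresholds and the sample log are constructed assumptions, not any vendor's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO time, user, event, detail)
EVENTS = [
    ("2025-07-29T02:10:00", "alice", "mfa_push", "denied"),
    ("2025-07-29T02:10:40", "alice", "mfa_push", "timeout"),
    ("2025-07-29T02:11:15", "alice", "mfa_push", "denied"),
    ("2025-07-29T02:11:50", "alice", "mfa_push", "timeout"),
    ("2025-07-29T02:12:30", "alice", "mfa_push", "approved"),
    ("2025-07-29T09:00:00", "bob", "mfa_push", "denied"),
    ("2025-07-29T09:00:30", "bob", "mfa_push", "approved"),
    ("2025-07-29T11:00:00", "carol", "helpdesk_password_reset", "ticket-0001"),
    ("2025-07-29T11:07:00", "carol", "mfa_device_enrolled", "new-phone"),
    ("2025-07-29T15:00:00", "dave", "mfa_device_enrolled", "new-phone"),
]

def detect(events, burst=4, burst_window=timedelta(minutes=5),
           reset_window=timedelta(minutes=30)):
    """Return sorted (user, rule) findings for two hypothetical rules."""
    findings = set()
    failed = defaultdict(deque)   # user -> times of recent unapproved pushes
    last_reset = {}               # user -> time of last helpdesk reset
    for ts, user, event, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "mfa_push":
            q = failed[user]
            while q and t - q[0] > burst_window:   # slide the window
                q.popleft()
            if detail == "approved":
                # An approval right after many denials/timeouts is the signal.
                if len(q) >= burst:
                    findings.add((user, "mfa_fatigue_then_approval"))
                q.clear()
            else:
                q.append(t)
        elif event == "helpdesk_password_reset":
            last_reset[user] = t
        elif event == "mfa_device_enrolled":
            r = last_reset.get(user)
            if r is not None and t - r <= reset_window:
                findings.add((user, "reset_then_new_mfa_device"))
    return sorted(findings)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT {rule}: {user}")
```

A single denied push before an approval (bob) and an enrollment with no preceding reset (dave) do not alert; thresholds need tuning against an organization's own baseline.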

  • Telecom Giant Orange Responding to Cyberattack on ‘Information Systems’
    by Mihir Bagwe on 29 July 2025 at 5:02 PM

    French telecom giant Orange issued a red alert as it responds to a cyberattack targeting its “information systems.” Certain services and platforms, for both corporate and regular consumers, are facing disruptions due to the ongoing response.

    Orange first detected the cyberattack on Friday, July 25, when its security team saw an intrusion on one of its information systems. The telecom provider called in its Orange Cyberdefense team, which sprang into action “to isolate the potentially affected services and limit the impacts,” Orange said in a press statement.

    “However, these isolation operations have resulted in the disruption of certain services and management platforms for some of our corporate customers and some consumer services, primarily in France,” it added.

    The company said that it had already identified the issues and was working on solutions that, under “heightened vigilance,” will allow a gradual restoration of the important services by Wednesday morning, July 30.

    Orange has a strong presence across Europe, Africa and the Middle East. In fact, in MEA, three out of every 10 people are Orange customers. It serves more than 291 million customers worldwide, and the breach has definitely got them worried. But to calm nerves, Orange stated: “At this stage of the investigation, there is no evidence to suggest that any customer or Orange data has been extracted. We remain vigilant in this regard.”

    The telecom giant did not respond to any further requests that would ascertain the exact type of cyberattack. It said, “For obvious security reasons, Orange will not comment further.”

    The Orange cyberattack is not an isolated incident. The French telecommunications industry has been a primary target for adversaries in the past two years, according to a recently published report from the Computer Emergency Response Team of France, which operates under the French cybersecurity agency, ANSSI.

    Espionage has been the main reason for these attacks, and ANSSI stated it has already dealt with significant compromises of information system operators in this sector for this purpose. Pointing to Salt Typhoon’s attacks on the U.S. telecom sector, the French cybersecurity agency said, “The telecommunications sector as a whole is regularly and significantly targeted by groups of attackers believed to be linked to China, particularly in Asia.”

    It also revealed that in one particular instance, the state-sponsored attackers compromised the core mobile network of an unnamed telecommunications provider in the country. “The main characteristics of the modus operandi observed during this compromise were a good knowledge of the communication protocols specific to the sector and a focus on equipment that is unconventional or rarely supervised by security solutions.”

    In another instance, an operator’s satellite communication infrastructure was deeply compromised for several years, giving the attacker heightened privileges to conduct sabotage actions.

    Another telecommunications operator received ANSSI’s assistance in removing a malicious actor present in its systems since at least December 2022. This attacker, known for targeting the sector, again achieved high-level privileges, enabling lateral movement, espionage, and sabotage. Interception of specific communications was confirmed to be a key objective of this threat actor.

    ANSSI noted that in most cases the cyberattacks were detected years after initial compromise. It anticipates continued targeting of this infrastructure type and urged the telecommunications sector to heighten its vigilance.