IT giant Ingram Micro's systems shut down after SafePay ransomware attack
Qantas is talking with threat actor after attack, Android spyware flaw exposes thousands of customers, Ransomware negotiator may have struck deals with hackers, US sanctions bulletproof hoster, US goes after DPRK "IT worker" program, A racist hacked Columbia and the NYT shamed itself, much more


Publishing note: Metacurity is back from a hiatus, and the following issue recaps the infosec development highlights from July 2 through the morning of July 7. We resume our usual frenetic and detailed pace tomorrow.
An ongoing outage at IT giant Ingram Micro has been caused by a SafePay ransomware attack that led to the shutdown of internal systems.
Since Thursday, Ingram Micro's website and online ordering systems have been down, with employees suddenly finding ransom notes created on their devices and the company now confirming a ransomware attack struck it.
The ransom note is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were encrypted in the attack.
It should be noted that while the ransom note claims to have stolen a wide variety of information, this is the generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
Sources say the threat actors breached Ingram Micro through its GlobalProtect VPN platform.
Once the attack was discovered, employees in some locations were told to work from home. The company also shut down internal systems, telling employees not to use the company's GlobalProtect VPN access, which was said to be impacted by the IT outage.
Systems that are impacted in many locations include the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform. Sources say other internal services, such as Microsoft 365, Teams, and SharePoint, continue to operate as usual.
In a statement, the company said it "is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others." (Lawrence Abrams / Bleeping Computer)
Related: Business Wire, Graham Cluley, Reuters, CRN, Daily Chhattisgarh, ARN, Channel News, IB Times, RTT News, Constellation Research, Techzine Europe, TechNadu, Cyber Insider
Last week, Australian airline Qantas disclosed it detected a cyberattack after threat actors gained access to a third-party platform containing customer data.
The airline said the attack has been contained, but a "significant" amount of data is believed to have been stolen. The breach began after a threat actor targeted a Qantas call center and gained access to a third-party customer servicing platform.
In a statement, it said, "There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers."
This attack comes as cybersecurity firms warn that hackers known as "Scattered Spider" have begun targeting the aviation and transportation industries.
While it is unclear if this group is behind the Qantas attack, the incident shares similarities with other recent attacks by the threat actors.
On July 7, an airline spokesperson said, “A potential cyber criminal has made contact and we are currently working to validate this."
The spokesperson added, “As this is a criminal matter, we have engaged the Australian federal police and won’t be commenting any further on the details of the contact.
“There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.” (Lawrence Abrams / Bleeping Computer and Caitlin Cassidy / The Guardian)
Related: TechCrunch, Silicon Republic, AppleInsider, The Record, 9to5Mac, Security Affairs, Qantas, Reuters, CSO, BBC, OCCRP, Yahoo Finance, UPI, CyberInsider, BusinessLIVE, Fortune, Forbes, The Guardian, Telegraph, ITPro, Daily Sabah, Information Age, Skift, The Cyber Express, RTÉ, Simple Flying, Al Jazeera, ABC, Infosecurity, Australian Financial Review, Financial Times, Tech Xplore, SmartCompany, Sydney Morning Herald, The Register, DataBreaches.Net, iTnews, Capital Brief, Australian Financial Review, 9News, ABC, The Japan Times, Bloomberg, Cyber Daily, USA Insurance News, Notebookcheck, NewsBytes, KarryOn, Travel and Tour World, News.com, IT Wire, Australian Cybersecurity Magazine, The West Australian, Sydney Morning Herald, PerthNow, Stuff.co.nz - Stuff, RNZ News
Researcher Eric Daigle discovered a security vulnerability in a stealthy Android spyware operation called Catwatchful, which has exposed thousands of its customers, including its administrator.
The flaw spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
According to a copy of the database from early June, Catwatchful had email addresses and passwords on more than 62,000 customers and phone data from 26,000 victims’ devices.
Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows.
The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay who did not respond to a request for comment. (Zack Whittaker / TechCrunch)
Related: Eric Daigle, The Register, Malwarebytes, SC Media, Security Affairs, Tech Radar, Hot Hardware, Tom's Guide, Technology.org
Law enforcement officials are investigating a former employee of DigitalMint, a company that negotiates with hackers and facilitates cryptocurrency payments during ransomware attacks, following allegations that the then-employee struck deals with hackers to profit from extortion payments.
According to one source, DigitalMint President Marc Jason Grens did not identify the employee by name and characterized their actions as isolated.
DigitalMint is cooperating with a criminal investigation into “alleged unauthorized conduct by the employee while employed here,” Grens said. The Chicago-based company is not the target of the investigation and the employee “was immediately terminated,” Grens said, adding that he can’t provide more information because the probe is ongoing. (Jake Bleiberg / Bloomberg)
Related: Cointelegraph, Bleeping Computer, Hot Hardware, The Insurer
The US Treasury Department sanctioned Russian hosting company Aeza Group and four operators for allegedly acting as a bulletproof hosting company for ransomware gangs, infostealer operations, darknet drug markets, and Russian disinformation campaigns.
The Treasury's Office of Foreign Assets Control (OFAC) claims that Aeza's services were utilized by the BianLian ransomware gang, for RedLine infostealer panels, and by BlackSprut, a Russian darknet marketplace that sold drugs to individuals in the United States and worldwide.
Aeza was previously linked to a Russian disinformation campaign known as "Doppelgänger," which cloned legitimate European and US media sites to distribute propaganda targeting Western audiences.
OFAC has also sanctioned four individuals who the US says are the primary operators of the Aeza Group: Arsenii Aleksandrovich Penzev (Penzev), the CEO and 33% owner of Aeza Group; Yurii Meruzhanovich Bozoyan (Bozoyan), the general director and 33% owner of Aeza Group; Vladimir Vyacheslavovich Gast (Gast), the technical director for Aeza Group, who collaborates closely with Penzev and Bozoyan; and Igor Anatolyevich Knyazev (Knyazev), 33% owner of Aeza Group, who manages the company in the absence of Penzev and Bozoyan.
Russian media previously reported that Bozoyan, Penzev, and other staff members were arrested in April for "illegal banking activities as part of an organized criminal group" and the hosting of the BlackSprut drugs marketplace. (Lawrence Abrams / Bleeping Computer)
Related: Treasury Department, Cointelegraph, Bitcoinist, Dark Reading, IT Pro, The Record, SC Media, Security Affairs, GovInfoSecurity, CyberScoop, The Defiant, Chainalysis, The Kyiv Independent, UPI
The US Justice Department and FBI announced an arrest and indictments targeting North Korea’s so-called “IT worker” program, where North Koreans obtain remote IT-related positions at more than 100 US companies and use that access to steal money and information from a host of companies around the world.
The North Korean workers used compromised identities of more than 80 US citizens to obtain remote jobs at more than 100 US companies and caused more than $3 million in legal fees, remediation, and other costs, according to the DOJ.
They also allegedly stole at least $900,000 worth of cryptocurrency from one Georgia-based company with their access, along with employer data and source code, including International Traffic in Arms Regulations (ITAR) data, from a California-based defense contractor, the DOJ said.
The authorities' actions included one arrest, two indictments, searches of more than two dozen US locations hosting multiple laptops used by remote North Korean workers, and the seizure of financial accounts and websites used by the participants as part of the alleged scheme, according to a DOJ statement.
Zhenxing “Danny” Wang and Kejia Wang, both US citizens, were indicted as part of the operation, according to the DOJ. Zhenxing Wang was arrested in New Jersey, while Kejia Wang remains free, a DOJ spokesperson said.
The two men, along with four other unnamed US “facilitators,” assisted the North Koreans by procuring and operating laptops used by the overseas workers, created financial accounts to receive money earned by the workers to be sent back to North Korea, and created shell companies to make the workers appear more authentic, according to the DOJ, earning nearly $700,000 from the scheme for themselves.
Federal prosecutors also indicted six Chinese nationals and two Taiwanese nationals for alleged roles in the operation. (A.J. Vicens / Reuters)
Related: Justice Department, Microsoft, SC Media, Dark Reading, Mashable India, New York Daily News, Infosecurity Magazine, CBS News, NextGov, The Record, Fortune, MeriTalk, South China Morning Post, CyberScoop


A politically motivated hacker known on Substack and X as Crémieux, which is the social media alias of Jordan Lasker, a promoter of white supremacist views, admitted he stole a 1.6-gigabyte volume of data from Columbia University, representing 2.5 million applications dating back decades.
A Columbia official said “initial indications” show that data was stolen, though the school hasn’t yet determined the scope of the theft. Doing so could take weeks to months, the official said, adding that the university will then decide who needs to be notified.
The university recovered most of its systems quickly and engaged the cybersecurity firm CrowdStrike Holdings, the official said.
Lasker said he sought to acquire information about university applications that would suggest a continuation of affirmative action policies in Columbia’s admissions following a 2023 Supreme Court decision that effectively barred the practice. The Columbia official said the school’s admissions processes are compliant with the Supreme Court decision.
The New York Times attracted criticism from the journalism community and created a controversy by moving forward to publish an article on Zohran Mamdani, the New York mayoral candidate, that relied on documents stolen by Lasker, which he provided to the publication to "smear" Mamdani.
In a college application to Columbia, Mamdani had checked boxes indicating that he was both “Asian” and “Black or African American.” Mamdani, who is of Indian descent, was born in Uganda and lived in South Africa before moving to the United States when he was seven years old.
As initially published, the article indicated that the hacked materials had been provided under the condition of anonymity. However, after it became clear that the white supremacist Lasker was the source, the paper updated its article to note that Crémieux “writes often about IQ and race," soft-pedaling his racist motivation. (Cameron Fozi / Bloomberg and Liam Scott / Columbia Journalism Review)
Related: Semafor, New York Times, The Record, Associated Press, Columbia Daily Spectator, CBS News, BankInfoSecurity, New York Times, NBC New York
According to emails and confidential audit reports, an information-sharing system used by EU border forces to flag illegal immigrants and suspected criminals in real time, called the Schengen Information System II, was rife with software and security vulnerabilities.
The system had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of “high” severity in a 2024 report. It also found that an “excessive number” of accounts had administrator-level access to the database, creating “an avoidable weakness that internal attackers could exploit.”
While there is no evidence that any SIS II data was accessed or stolen, a breach “would be catastrophic, potentially affecting millions of people,” said Romain Lanneau, a legal researcher at EU watchdog Statewatch.
The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show. When EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, reported these issues to Sopra Steria, the Paris-based contractor responsible for developing and maintaining the system, the company took between eight months and more than five-and-a-half years to fix the problems, according to the report and emails between EU employees and Sopra Steria.
Under the terms of its contract with EU-Lisa, Sopra Steria was obliged to fix “critical and high” software vulnerabilities within two months of a patch being released, emails and two audit reports show. (Olivia Solon and Tomas Statius / Bloomberg)
Related: Mezha, Heise Online
Researchers at SentinelOne say that North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.
They discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.
The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one that managed security platform Huntress recently linked to BlueNoroff.
SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor) on macOS, which "is a more unusual choice." The NimDoor framework and the rest of the backdoors SentinelLABS analyzed are some of the most complex macOS malware families linked to North Korean threat actors. (Bill Toulas / Bleeping Computer)
Related: SentinelOne, Security Week, HackRead, 9to5Mac, Cointelegraph, GBHackers, The Block, CSO Online
Researchers at Okta report that hackers are using a popular generative AI development tool to build phishing sites mimicking login pages in as little as 30 seconds.
Okta revealed that threat actors have been abusing Vercel's v0 to generate fake sign-in pages, with at least one of the cloned phishing pages being a replica of Okta's own login portal.
Okta doesn't have any evidence yet that hackers successfully harvested credentials through these sites.
But in the weeks that Okta spent investigating the one instance of a phishing site targeting one of its customers, researchers observed threat actors had used v0 to spin up new sites targeting other tech platforms.
Vercel has since removed access to the identified phishing sites and is collaborating with Okta to develop mechanisms for third-party reporting of abuse on the v0 platform. (Sam Sabin / Axios)
Related: Okta, Tech Radar, Tech Republic, Payments Journal
France's cybersecurity agency, ANSSI, the Agence Nationale de la Sécurité des Systèmes d’Information, reported that a range of government, utility, and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance.
The campaign, which had prompted a warning in September by US cybersecurity authorities, targeted the Ivanti Cloud Service Appliance, software that connects on-premise networks with cloud-based services.
In France, ANSSI said the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.
The intrusion set is being tracked under the codename Houken by ANSSI. The agency’s report said it suspects the Houken intrusion set “is operated by the same threat actor as the intrusion set previously described by Mandiant as UNC5174.”
According to ANSSI, the hackers behind the Houken campaign showed a primary interest in breaking into systems so they could subsequently sell access to those systems to state-linked intelligence agencies. (Alexander Martin / The Record)
Related: ANSSI, Infosecurity Magazine, Dark Reading, Hack Read
Researchers at Cisco Talos say hackers are impersonating Microsoft, PayPal, Docusign, and other familiar brands in callback phishing scams aimed at stealing confidential information or delivering malware.
These attacks trade the use of typical fake websites or links used in traditional phishing campaigns for a vector in which the victim calls the attacker on the phone themselves, believing they must handle a critical transaction.
The researchers observed a surge in what they call telephone-oriented attack delivery (TOAD) campaigns in recent months that use advanced social engineering in an effort to fool victims. These tactics often include the use of PDFs or other messages that appear trusted and urgent to end users, aimed at persuading them to call adversary-controlled phone numbers.
Using direct voice communications instead of Web interaction to scam victims gives attackers a significant advantage in a phishing scenario, according to Cisco Talos. This type of communication exploits the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization, according to the report. (Elizabeth Montalbano / Dark Reading)
Related: Cisco Talos, Forbes, NK Pro, CoinCentral, PYMNTS, SC Media, IT Pro

The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
"After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak site.
"As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms."
The threat actors also removed all entries from the extortion portal and added that companies whose systems were encrypted in Hunters International ransomware attacks could request decryption tools and recovery guidance on the gang's official website.
While the ransomware group doesn't explain what "recent developments" it refers to, today's announcement follows a November 17 statement saying that Hunters International will soon shut down because of increased law enforcement scrutiny and declining profitability. (Sergiu Gatlan / Bleeping Computer)
Related: HackRead, Infosecurity Magazine, Security Affairs

The HHS Centers for Medicare and Medicaid Services (CMS) was recently alerted that Medicare.gov accounts had been created in approximately 103,000 individuals’ names without their knowledge, with a currently unknown threat actor using personal information obtained from unknown external sources to create the accounts fraudulently.
The CMS said its Medicare call center started receiving calls on May 2, 2025, from beneficiaries who had been sent a letter confirming that an account had been created in their name when they had not personally made the account.
An investigation was launched, which revealed malicious actors had fraudulently created Medicare.gov accounts for approximately 103,000 beneficiaries using valid beneficiary information such as their Medicare beneficiary identifier (MBI), coverage start date, birth date, and zip code. The accounts were fraudulently created between 2023 and 2025, and the information used to make the accounts was likely obtained in a third-party data breach.
Once the accounts were created, the threat actor could access further information, including mailing addresses, diagnosis codes, provider information, dates of service, services received, and premium plan details. The CMS’s investigation has not uncovered any misuse of that information to date, but as a precaution, the affected beneficiaries have been issued a new MBI, and the CMS has deactivated the fraudulently created accounts. (Steve Alder / The HIPAA Journal)
Related: HealthExec, SC Media, McKnight's Senior Living, Fierce Healthcare, Healthcare Finance News, Kiplinger, Newsweek, USA Today
According to a report in The Information, TikTok is building a new version of its app for users in the United States ahead of a planned sale of the app to a group of investors.
This development comes as Donald Trump said he will start talking to China this week about a possible TikTok deal.
According to the report, TikTok users will eventually have to download the new app to be able to continue using the service. The existing app will work until March of next year, though the timeline could change. (Mrinmay Dey / Reuters)
Related: The Information
A systems breach at Louis Vuitton Korea in June led to the leak of some customer data, including contact information, but did not involve customers' financial information.
"We regret to inform that an unauthorized third party temporarily accessed our system resulting in the leak of some customer information," the unit said in a statement.
The South Korean units of two other labels, Christian Dior Couture and Tiffany, under the world's largest luxury group, have been under government investigations since May for customer data leaks they reported earlier in the year. (Jack Kim / Reuters)
South Korean authorities ordered SK Telecom to strengthen data security and imposed a fine after the country's biggest mobile carrier was hit by a cyberattack that caused the leak of 26.96 million pieces of user data.
The measures come after SK Telecom in April disclosed that it had suffered a major leak of customer data caused by a malware attack. "SK Telecom failed to fulfill its duty of care to protect USIM data and did not comply with relevant regulations," the Ministry of Science and ICT said in a statement.
Separately, SK Telecom is waiving cancellation fees for customers who want to leave its network after South Korean authorities said the carrier should scrap the penalties following a major data breach.
The company expects to pay 500 billion won ($367 million) in compensation to customers over the breach and 700 billion won to boost customer security, it said in a regulatory filing.
Meanwhile, SK Telecom users are flocking to rival carriers LG Uplus Corp. and KT Corp., according to data from the Korea Telecommunications Operators Association.
Finally, Citi has downgraded SK Telecom from Neutral to Sell and lowered its price target to KRW48,000.00 (around $35.13) from KRW58,000.00 (around $42.44).
The downgrade follows what Citi describes as "stricter-than-expected" government orders imposed on SK Telecom after a recent data breach incident. (Heekyong Yang, Joyce Lee and Ju-min Park / Reuters, Yoolim Lee / Bloomberg and Investing.com)
Related: The Fast Mode, Chosun, Korea Herald, Tip Ranks
The US Securities and Exchange Commission has reached a deal in principle with SolarWinds Corp and its chief information security officer, Tim Brown, to end litigation tied to a Russia-linked cyberattack involving the software firm.
The SEC, SolarWinds, and Brown asked a federal judge to stay court proceedings while they finalize paperwork for a settlement. The judge granted their motion. (Chris Prentice and A.J. Vicens / Reuters)
Related: Hunton, CRN, Bloomberg Law
The US Secret Service's Global Investigative Operations Center or GIOC, a team specializing in digital financial crimes, has recovered nearly $400 million over the last decade in scam cryptocurrency investments.
Much of that trove sits in a single cold-storage wallet that now ranks among the most valuable anywhere. After leading crackdowns on digital currencies such as Liberty Reserve and E-Gold in the 1990s, the agency best known for protecting US presidents has become one of the world’s biggest crypto custodians.
At the center of the operation is Kali Smith, a lawyer who directs the Secret Service’s cryptocurrency strategy.
Her team has conducted workshops in more than 60 countries to train local law enforcers and prosecutors in unmasking digital crimes. The agency targets jurisdictions where criminals exploit weak oversight or residency-for-sale programs and provides the training for free.
To claw back stolen funds, the Secret Service leans on industry partners. Coinbase and Tether have publicly acknowledged assisting in recent cases, providing trace analysis and wallet freezes. One of the most significant recoveries involved $225 million in USDT, the dollar-pegged token known as Tether, linked to romance-investment scams. (Myles Miller / Bloomberg)
Related: PYMNTS.com, Cryptopolitan, crypto.news, The Block, Bitcoin Insider, Cointelegraph, DL News, BeInCrypto, The Crypto Times
The European Commission is working to send support to help Moldova fend off Russian cybersecurity threats to its September parliamentary election through a cyber reserve of experts from the private sector that can be called on by the EU and allied countries.
The cyber reserve isn't supposed to be officially rolled out until December, but Brussels is accelerating the process to help Chișinău. If deployed, its Moldova mission would be the first-ever use of the cyber reserve mechanism — underscoring how seriously the bloc takes risks to democratic processes on its eastern flank.
EU officials warn that a large-scale cyberattack in the region could have spillover effects, threatening not just national security but also regional stability. (Antoaneta Roussi and Sam Clark / Politico)
Cloudflare has switched to blocking AI crawlers by default for its customers and is moving forward with a Pay Per Crawl program that lets customers charge AI companies to scrape their websites.
Even if websites can handle the heightened activity involved with web crawlers, many do not want AI crawlers scraping their content, especially news publications that are demanding that AI companies pay to use their work.
Cloudflare says over 1 million customer websites have activated its older AI-bot-blocking tools. Now, millions more will have the option of keeping bot blocking as their default.
Cloudflare also says it can identify even “shadow” scrapers that AI companies do not publicize. (Katie Knibbs / Wired)
Related: Cloudflare, ZDNet, Reuters, MIT Tech Review, The Register

AT&T is launching a new Account Lock feature designed to protect wireless users against SIM swapping attacks and prevent unauthorized changes to users' accounts, like phone number transfers, SIM card changes, and updates to billing information.
Other carriers, including T-Mobile, Verizon, and Google Fi, already have similar features to prevent this type of fraud. AT&T began gradually rolling out Account Lock earlier this year.
The new Account Lock feature also blocks device upgrades, along with changes to authorized users and phone numbers. (Emma Roth / The Verge)
Related: AT&T, ZDNET, Android Police, BleepingComputer, CyberScoop, Phone Scoop, Slashdot

Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information.
The Maryland-based health and life insurance agency has issued an update on a security incident it suffered between December 12 and 17 last year, when unauthorized actors breached its IT systems and stole files.
On April 9, 2025, the company stated that the incident impacted 32,234 individuals. The figure was revised multiple times until the final tally shared with authorities in the US counted 553,660 individuals. (Bill Toulas / Bleeping Computer)
Related: Office of the Maine Attorney General, Security Affairs, Security Week, Tech Radar, SC Media, Tom's Guide
Managed cybersecurity company LevelBlue announced that it has signed a deal to acquire managed detection and response company Trustwave Holdings for an undisclosed price.
The deal involves LevelBlue, the company formerly known as AT&T Cybersecurity, acquiring Trustwave from MC² Security Fund, an affiliate of investment firm The Chertoff Group LLC. The MC² Security Fund had acquired Trustwave from Singapore telecommunications giant Singtel Holdings Ltd. in January 2024, and SingTel had owned Trustwave after acquiring it for $810 million in 2015. (Duncan Riley / Silicon Angle)
Related: LevelBlue, Security Week, SC Media, IT Pro, Channel Futures, GovConWire, MSSP Alert, Dark Reading, BankInfoSecurity, CRN
Best Thing of the Day: South Korea Celebrating Ethical Hackers
South Korea’s Ministry of Science and ICT, the Maekyung Media Group, and the Codegate Security Forum will be hosting the world’s elite white hat hackers for Codegate 2025 in Seoul from July 10 to 11.
Bonus Best Thing of the Day: Finding Money Behind GitHub's Couch Cushions
Security researcher Sharon Brizinov scanned GitHub's logged commits, even those that developers tried to delete, uncovering secrets worth $25k in bug bounties, and, along with Truffle Security, is offering a new scanning tool so other organizations can scan their own hidden commits.
Worst Thing of the Day: Time to Wipe Your Devices and Fill Them With Images of Bald Baby JD Vance
United States Customs and Border Protection (CBP) is asking tech companies to pitch digital forensics tools that are designed to process and analyze text messages, pictures, videos, and contacts from seized phones, laptops, and other devices at the United States border.
Bonus Worst Thing of the Day: No Need for Tanks When a Poisoned Pen Will Work
Vladimir Putin is bombarding European voters with manipulative social media and disinformation campaigns on a mass scale, mounting a new type of warfare on democracy.
