Minnesota's Walz mobilizes National Guard to help with St. Paul cyberattack
Tea suspends direct messaging and gets hit with class actions over breach, CISA to release Wyden-demanded report to unblock Plankey nomination, Google has not received UK backdoor demand, Orange breach triggers minor disruptions, Palo Alto to buy CyberArk for $25B, much more


A Special Request
Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.
If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.
Gov. Tim Walz of Minnesota activated the state National Guard to help officials in St. Paul, the capital, respond to a complex cyberattack that was first detected on Friday.
Mayor Melvin Carter of St. Paul said the city had shut down the bulk of its computer systems as a defensive measure as state and federal investigators tackled what he called “a deliberate, coordinated digital attack, carried out by a sophisticated external actor.”
Carter said that the FBI and several state agencies were helping assess who was behind the attack. He declined to say whether ransom had been demanded or whether there was any evidence suggesting a foreign government was behind the attack.
City officials said they have yet to ascertain whether sensitive data had been stolen.
Emergency services, including police response systems, were not crippled by the attack, the city said. The shutdown meant that city employees did not have access to the internet in municipal buildings, and that routine services such as library loans and online payment systems were inaccessible. (Ernesto Londoño / New York Times)
Related: State of Minnesota, BleepingComputer, Minneapolis Star Tribune, Saint Paul, USA Today, KARE-TV, Newser, Cyber Daily, The Cyber Express, Reuters, KFGO, The Boston Globe, CBS News, GovTech, The Record, StateScoop, FOX 9 Minneapolis-St. Paul, MPR News, DataBreaches.Net, NewsNation, Rolling Out
The women-only US dating advice app Tea suspended direct messaging following a series of security breaches, first reported by 404 Media, that exposed its users' personal details and sensitive communications.
In a series of posts to TikTok, Tea Dating Advice said it had taken messaging offline "out of an abundance of caution" after discovering the breach.
Women on Tea are encouraged to share details about prospective dates, create alerts against men's names, and put red flags against men who are alleged to be unscrupulous and green flags against those who are not. "Everything is anonymous," the app promises users on sign-up. Reuters could not establish why the selfies and ID card data had lingered online.
Following the breach revelations, several class action lawsuits were filed against Tea.
One plaintiff, California resident Griselda Reyes, “seeks to hold the Defendant responsible for the harms it caused and will continue to cause” her and “thousands of other similarly situated persons in the massive and preventable cyberattack,” the lawsuit reads. (Raphael Satter / Reuters and Joseph Cox / 404 Media)
Related: BBC News, Mobile App Daily, Associated Press, CNET, Business Insider, Business Journals
The Cybersecurity and Infrastructure Security Agency plans to release a 2022 report on telecommunications industry security vulnerabilities that Sen. Ron Wyden (D-OR), a privacy hawk and a senior member of the Senate Intelligence Committee, said he would use as leverage to block Sean Plankey's nomination to lead the cyberdefense agency.
Plankey is scheduled to be voted on in the Senate Homeland Security Committee on Wednesday, and would face a hold invoked by Wyden on the full Senate floor unless the report is released.
Wyden has previously said that he “repeatedly urged” the cybersecurity agency to release the findings and even asked then-CISA Director Jen Easterly about it in a February 27, 2024, phone call.
The senator added that the report’s contents have been viewed by his staff and that it contains information that Americans have the right to see.
“CISA intends to release the US Telecommunications Insecurity Report (2022), that was developed but never released under the Biden administration in 2022, with proper clearance,” CISA public affairs director Marci McCarthy said. (David DiMolfetta / NextGov/FCW)
Related: Cyberscoop, Sen. Ron Wyden, The Register
In a new letter sent to top US intelligence official Tulsi Gabbard, Sen. Ron Wyden (D-OR), who serves on the Senate Intelligence Committee, said that while tech companies cannot tell if they have received a UK order to build a secret encryption backdoor, at least one technology giant has confirmed that it hasn’t received one.
Google refused to answer the lawmaker’s questions but has since told TechCrunch that the technology giant has not received a backdoor demand, marking the first time that Google has confirmed it is not subject to a similar UK order.
Meta, which uses end-to-end encryption to protect user messages sent between WhatsApp and Facebook Messenger, told Wyden’s office on March 17 that the company has “not received an order to backdoor our encrypted services, like that reported about Apple.”
Google, for its part, would not tell Wyden’s office if it had received a UK government order for accessing encrypted data, such as Android backups, “only stating that if it had received a technical capabilities notice, it would be prohibited from disclosing that fact,” said Wyden. (Zack Whittaker / TechCrunch)
Related: The Record, WebProNews, Washington Post, Computing UK, Computer Weekly
French telecommunications company Orange, one of the world's largest telecom operators, revealed that it detected a breached system on its network on Friday.
The compromised system was discovered and isolated from the rest of the network by Orange Cyberdefense, the company's cybersecurity business unit, on July 25. This has led to some operational disruptions, primarily affecting French customers, which are expected to be gradually resolved by Wednesday morning, July 30.
"On Friday, July 25, the Orange Group detected a cyberattack on one of its information systems. Immediately alerted, with the support of Orange Cyberdefense, the teams mobilized fully to isolate the potentially affected services and limit the impact," the telecom giant said.
"However, these isolation operations resulted in the disruption of certain services and management platforms for some of our business customers and for a few consumer services, mainly in France."
Since detecting this cyberattack, the company has alerted the relevant authorities and filed a complaint. Also, its investigation team has yet to find evidence that any data was stolen during the breach. (Sergiu Gatlan / Bleeping Computer)
Related: Orange, TechCrunch, The Record, Capacity Media, GBHackers, Security Affairs, Tech Radar, The Cyber Express, CISO Series
Palo Alto Networks agreed to buy CyberArk Software in a cash-and-stock deal valuing the Israeli cybersecurity company at about $25 billion.
Palo Alto will pay CyberArk investors $45 per share and 2.2005 shares of Palo Alto stock, according to a statement on Wednesday. The companies said the value implies a 26% premium to CyberArk shares on a volume-weighted average over 10 days before the Wall Street Journal reported on the acquisition talks. The transaction is expected to close during the second half of Palo Alto Networks’ fiscal 2026.
Palo Alto Networks has been on an acquisition hunt, vying to build a bigger company that can handle a client’s full range of security needs and better fight threats from artificial intelligence. But it has never done a deal as big as CyberArk.
“This is precisely why industry must change the paradigm, shifting away from today’s fragmented security landscape and towards consolidation,” Chief Executive Nikesh Arora said in May.
Shares of CyberArk jumped more than 13% Tuesday following The Wall Street Journal’s report on the pending deal. Palo Alto Networks shares fell 5%, bringing its market value down to just below $130 billion. (Liana Baker and Jake Bleiberg / Bloomberg and Lauren Thomas / Wall Street Journal)
Related: PR Newswire, CyberArk, CNBC, CTech, CRN, BankInfoSecurity, Investor's Business Daily, Reuters, Investopedia, Bloomberg, SiliconANGLE, The Information, iTnews, Barron's Online, Proactive, Benzinga, Motley Fool, Yahoo Finance
According to multiple former officials, April Falcon Doss, the top lawyer for the National Security Agency, was removed from her job on Friday, after conservative activists, including far-right fringe figure Laura Loomer, criticized her.
She had been appointed to the general counsel post in April 2022, during the Biden administration.
On July 23, the Daily Wire, a conservative website, wrote about Ms. Doss and her former work for the Senate Intelligence Committee’s Democratic staff. Later that day, Laura Loomer, a far-right conspiracy theorist, amplified a social media post critical of Ms. Doss that cited the Daily Wire article.
In a text message on Tuesday, Ms. Loomer said that she had “reposted a tweet that exposed her last week and flagged it for the right people.”
Ms. Doss worked at the agency before becoming general counsel and has extensive experience in cybersecurity law, including writing a 2020 book, “Cyber Privacy: Who Has Your Data and Why You Should Care.” (Julian E. Barnes and Robert Draper / New York Times)
Related: NextGov/FCW, The Daily Beast
The US Justice Department announced it is seeking to claim $2,400,000 in stolen crypto, filing a civil complaint in the Northern District of Texas for the forfeiture of over $1.7 million worth of cryptocurrency seized by the Dallas FBI in mid-April 2025.
The Justice Department said the seized cryptocurrency, now valued at over $2.4 million, allegedly constitutes property involved in unlawful activity, or proceeds of or property derived from unlawful activity, including money laundering and extortion related to damage to a protected computer, commonly referred to as a ransomware attack.
Earlier this year, Executive Director of the Presidential Council of Advisors on Digital Assets Bo Hines said the US government was looking at various ways to accumulate more BTC. (The Daily Hodl)
Related: Justice Department, AInvest, Bitcoin.com, Crypto News Australia, Live Bitcoin News, Tom's Hardware
Samourai Wallet co-founders Keonne Rodriguez and William Lonergan Hill have said that they now wish to plead guilty to charges stemming from their involvement in the crypto mixing protocol.
Separate filings on behalf of Rodriguez and Hill were made in a New York federal court on Tuesday, which said the duo would change their pleas before the court on Wednesday morning.
The pair pleaded not guilty to charges in April 2024 for running what prosecutors alleged to be an unlicensed money-transmitting business that processed over $2 billion worth of unlawful transactions, including some tied to illicit online marketplaces like Silk Road. (Brayden Lindrea / Cointelegraph)
Related: CoinDesk, CryptoRank, The Block, The Daily Hodl
The elite bug-hunters at Google Project Zero are taking aim at how long it takes to fix cybersecurity vulnerabilities by publicly announcing bugs within a week of reporting them privately to vendors.
Previously, the team of security researchers followed the 90+30 timetable, where vendors were told about a bug and given 90 days to fix it. Then, 30 days after that patch was shipped, the full technical details about the bug were published.
This timetable will still be used, but now, within one week of reporting a bug, the team will also publicly share that a vulnerability has been discovered, to alert other companies that might be affected.
The point is to address something a bit more complicated than the traditional “patch gap” in the field of cybersecurity, which is the time elapsed between a fix for a vulnerability being released and a user installing the actual update — a period in which users are considered to be exposed to greater threat as attackers know about the flaw.
“Our work has highlighted a critical, earlier delay: the 'upstream patch gap,'” wrote Tim Willis, the team lead at Project Zero. “This is the period where an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product.”
The aim is that by “providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents,” wrote Willis, who said Project Zero hoped the move would help improve communication between upstream vendors and downstream dependents. (Alexander Martin / The Record)
Related: Google Project Zero, PC Mag
The Australian Cyber Security Centre (ACSC), the Federal Bureau of Investigation, the Canadian Centre for Cyber Security, the Royal Canadian Mounted Police, the Australian Federal Police, and the National Cyber Security Centre released an updated joint Cybersecurity Advisory warning that the threat group Scattered Spider has added new ransomware and improved social engineering techniques to its arsenal.
As part of the new TTPs, Scattered Spider now deploys DragonForce ransomware in its attacks, the agencies said in their advisory.
The ransomware is now often used after the group has already stolen data for extortion purposes, after which Scattered Spider communicates with targeted organisations through The Onion Router (TOR) network, email, or encrypted applications.
Data exfiltration to multiple sites, including Mega.nz and US-based data centres such as Amazon S3, has also been observed.
The criminals have enhanced their social engineering, now posing as employees to convince an organisation’s information technology helpdesk to reset passwords and transfer multi-factor authentication (MFA) tokens to a device they control.
They have also adopted new legitimate remote access tools like AnyDesk and Teleport.sh to blend in with normal network traffic and evade detection.
Meanwhile, a Java-based remote access trojan called RattyRAT has also been added to their toolkit for maintaining persistent, stealth access.
The advisory said Scattered Spider targets organisations' Snowflake data cloud access to allow them to exfiltrate large volumes of data with thousands of queries in a short time. (Juha Saarinen / IT News)
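Two of the behaviours the advisory describes, a helpdesk-assisted password reset followed shortly by a new MFA device registration, and a burst of thousands of Snowflake queries from one account in a short window, are both detectable from ordinary audit logs. The script below is an added illustration written for this digest, not code from the advisory or any of the issuing agencies; the identity-provider event format and the Snowflake query-history rows are constructed samples with a hypothetical schema, and the 30-minute and 1,000-queries-per-10-minutes thresholds are assumptions a team would tune to its own baseline.

```python
"""Defender-side detection heuristics for two Scattered Spider TTPs from the
joint advisory. All log data here is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed identity-provider audit lines (hypothetical schema):
#   <timestamp> <user> <action> actor=<who initiated> device=<device id or ->
IDP_EVENTS = [
    "2025-07-25T09:00:12Z alice password_reset actor=helpdesk device=-",
    "2025-07-25T09:06:40Z alice mfa_enroll actor=self device=new-phone-7731",
    "2025-07-25T09:30:00Z bob password_reset actor=self device=-",
    "2025-07-25T11:00:00Z bob mfa_enroll actor=self device=new-phone-1122",
    "2025-07-25T12:00:00Z carol mfa_enroll actor=self device=tablet-9",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_idp_line(line):
    ts, user, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": parse_ts(ts), "user": user, "action": action, **fields}


def detect_helpdesk_reset_then_mfa(lines, window=timedelta(minutes=30)):
    """Flag users whose helpdesk-initiated password reset is followed, within
    `window`, by enrolment of a new MFA device (the account-takeover pattern
    the advisory describes). Returns (user, device, minutes_between)."""
    by_user = defaultdict(list)
    for e in sorted((parse_idp_line(l) for l in lines), key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        resets = [e for e in evs
                  if e["action"] == "password_reset" and e["actor"] == "helpdesk"]
        enrolls = [e for e in evs if e["action"] == "mfa_enroll"]
        for r in resets:
            for m in enrolls:
                if r["ts"] <= m["ts"] <= r["ts"] + window:
                    minutes = int((m["ts"] - r["ts"]).total_seconds() // 60)
                    hits.append((user, m["device"], minutes))
    return hits


def make_snowflake_sample():
    """Constructed query-history rows as (timestamp, user): one service account
    firing 2,500 queries in ten minutes, one analyst running 20 over an hour."""
    base = parse_ts("2025-07-25T13:00:00Z")
    rows = [(base + timedelta(seconds=i * 600 / 2500), "svc_etl") for i in range(2500)]
    rows += [(base + timedelta(minutes=3 * i), "dana") for i in range(20)]
    return rows


def detect_query_bursts(rows, window=timedelta(minutes=10), threshold=1000):
    """Sliding-window count of queries per user; report any user whose peak
    count in a `window` reaches `threshold`. Returns (user, peak_count)."""
    by_user = defaultdict(list)
    for ts, user in rows:
        by_user[user].append(ts)
    hits = []
    for user, stamps in by_user.items():
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):
            # advance the right edge while it stays inside the window
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits.append((user, best))
    return hits


if __name__ == "__main__":
    for user, device, mins in detect_helpdesk_reset_then_mfa(IDP_EVENTS):
        print(f"ALERT helpdesk reset -> new MFA device {device} for {user} after {mins} min")
    for user, peak in detect_query_bursts(make_snowflake_sample()):
        print(f"ALERT {user}: {peak} Snowflake queries within a 10-minute window")
```

The two rules are deliberately independent so either can be dropped into a SIEM correlation search on its own: the first needs only the identity provider's reset and MFA-enrolment events with the initiating actor, the second only Snowflake's query history keyed by user. Self-initiated resets (bob) and lone MFA enrolments (carol) are not flagged, and the analyst's normal cadence (dana) stays well under the burst threshold.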
Related: Cyber.gov.au, CISA
On June 22, attackers targeted the National Treasury of South Africa, one of at least half a dozen organizations in the country to reportedly run afoul of sustained n-day attacks on the collection of four related vulnerabilities in Microsoft's SharePoint information-sharing and collaboration software known as ToolShell.
South African organizations attacked using the flaws included victims in "the car-manufacturing industry, a university, several local-government entities, and a federal government entity." At the same time, other breaches occurred in the African island nation of Mauritius and Jordan in the Middle East.
The attacks likely affected organizations across the continent because ToolShell attackers seem to be opportunistic and targeting any Internet-exposed SharePoint server, says Martin Zugec, technical solutions director at Bitdefender.
"Cyberattackers are not primarily targeting Africa due to specific industries or geographies, but rather because they are opportunistically scanning the entire Internet for vulnerable, exposed services," he says. "Africa's rapidly expanding digital infrastructure, coupled with a cybersecurity landscape that is still maturing, presents a growing number of Internet-exposed targets." (Robert Lemos / Dark Reading)
Related: Business Insider Africa, Business Tech
A cybersecurity attack displaying explicit, racist, and antisemitic images derailed the second meeting of Mississippi’s Opioid Settlement Fund Advisory Council, which had been scheduled to begin the process of allocating the state’s opioid settlement dollars.
The attack further delays the process of using the money to address addiction.
Unlike the council’s first meeting three weeks earlier, Mississippi Attorney General Lynn Fitch’s office hosted the second exclusively over a Zoom video call. Public participants were not required to sign in to the meeting before joining.
About 10 minutes into the meeting, as meeting host and Fitch special assistant Caleb Pracht asked for approval of the last gathering’s minutes, a Zoom participant noticed that Pracht’s screen was partially blacked out. As Pracht tried to fix the screen, an unidentified voice interrupted the meeting and said, “Yep, that is really good to hear because…”
At that point, distorted music started playing, and an unidentified guest took control of the host screen. The screen featured a man in a sexually explicit pose, a swastika, a symbol for the Ku Klux Klan, a Confederate flag background, and a banner over the screen that said “HACKED BY NUENZE.” Three other guest participants who signed in as “Robert Cage,” “Chelsea M Adams” and “Vince Garcia” had similar images as their icons.
The chaos lasted about 20 seconds until the Attorney General’s office ended the meeting. Pracht tried to move the meeting over to a conference call a few minutes later, but Fitch’s Chief of Staff Michelle Williams said that meeting was also hacked. Pracht sent out an email at 1:25 p.m. that the meeting would be rescheduled as soon as possible. (Allen Siegler / Mississippi Today)
Related: Daily Journal
Russian President Vladimir Putin is closer than ever to getting the internet he wants after the Kremlin announced it had chosen VK Co., a government-controlled social networking company, to be Russia’s national messaging service called Max, a sprawling app billed as a way for users to communicate, manage their finances, access government services and even skip the lines at music festivals.
On July 16, Putin also ordered the government to develop new restrictions on software and communication services from countries it considers unfriendly. Two days later, Anton Gorelkin, first deputy chairman of the State Duma’s IT committee, said Meta Platforms Inc.’s WhatsApp, the most popular online destination in Russia, is “very likely” to be among the targets.
Because the Kremlin controls VK through Gazprom PJSC, the state-owned energy giant, and other shareholders affiliated with the government, the Max app will give it substantial power over all aspects of Russians’ online activities, says Irina Borogan, a senior fellow at the Center for European Policy Analysis.
Max lacks end-to-end encryption, a method of preventing third parties from accessing data moving between two devices, which makes it an easy target for the authorities to monitor, according to the digital advocacy group Roskomsvoboda. (Bloomberg Businessweek)
Related: NDTV, The Times, The Independent, Firstpost
YouTube announced it’s beginning to roll out age-estimation technology in the US to identify teen users to provide a more age-appropriate experience.
The company says it will use a variety of signals to determine the users’ possible age, regardless of what the user entered as their birthday when they signed up for an account.
When YouTube identifies a user as a teen, it introduces new protections and experiences, which include disabling personalized advertising, safeguards that limit repetitive viewing of certain types of content, and enabling digital well-being tools such as screen time and bedtime reminders, among others.
These protections already exist on YouTube, but have only been applied to those who verified themselves as teens, not those who may have withheld their real age. (Sarah Perez / TechCrunch)
Related: YouTube Official Blog, Engadget, Bloomberg, Android Authority, Gizmodo, Politico, Tubefilter, Dexerto, The Verge, Social Media Today, CBS News, Cord Cutters News, Android Police, Neowin, Android Headlines, WeRSM
Prime Minister Anthony Albanese announced the Australian government will add YouTube to sites covered by its world-first ban on social media for teenagers, reversing an earlier decision to exempt the Alphabet-owned video-sharing site and potentially setting up a legal challenge.
The decision came after the eSafety Commissioner, the country's internet regulator, urged the government last month to overturn the YouTube carve-out, citing a survey that found 37% of minors reported harmful content on the site, the worst showing for a social media platform.
The decision broadens the ban set to take effect in December. YouTube says it is used by nearly three-quarters of Australians aged 13 to 15, and should not be classified as social media because its main activity is hosting videos.
"Our position remains clear: YouTube is a video sharing platform with a library of free, high-quality content, increasingly viewed on TV screens. It's not social media," a YouTube spokesperson said. (Renju Jose and Byron Kaye / Reuters)
Related: BBC News, The Guardian, ABC News, Wall Street Journal, France24, DW, The Economic Times, WebProNews, TechSpot, Australian Financial Review, The Independent, B&T, Bloomberg, Mumbrella, Capital Brief, Anthony Albanese, Tubefilter, ABC, Biometric Update
Apple released iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6, tvOS 18.6, and visionOS 2.6, fixing an issue with sharing movies from the Photos app but mostly patching a long list of security vulnerabilities.
For iOS and iPadOS users in the EU, the updates also include a mechanism for installing alternate app stores and for installing apps directly from websites under the EU's Digital Markets Act.
Many of the security fixes are also available for older operating systems that Apple is still maintaining, mostly for people who can't update their devices to the latest versions. The iPadOS 17.7.9 update covers several tablets that were dropped by iPadOS 18, and macOS Ventura 13.7.7 and macOS Sonoma 14.7.7 will cover fading Intel Macs that were dropped by newer releases.
All of these operating systems will be superseded in the fall by new releases, unified under version number 26. The first public betas of iOS 26, iPadOS 26, macOS 26, and other updates were released last week. (Andrew Cunningham / Ars Technica)
Related: Security Week, 9to5Mac, Appleosophy, PPC Land, The Apple Post, WebProNews, Apple Insider
The Open Worldwide Application Security Project (OWASP) has published new practical guidance for securing agentic AI applications powered by large language models (LLMs).
The comprehensive guidance, published on July 28, focuses on concrete technical recommendations for builders and developers of AI agents, including AI/ML engineers, software developers, security professionals, and AppSec pros.
“As AI systems evolve toward more autonomous, tool-using, and multi-agent architectures, new security challenges emerge that traditional AppSec can’t handle alone. That’s why the OWASP Gen AI Security Project has published the Securing Agentic Applications Guide v1.0, the most comprehensive and actionable open source security resource yet for Agentic AI developers and defenders,” OWASP wrote on a LinkedIn post.
The new resource has been developed in response to surging use of AI agents in organizations. (James Coker / Infosecurity Magazine)
Related: OWASP
Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, announced that General Timothy D. Haugh (US Air Force, Ret.), former Director of the National Security Agency and Commander of US Cyber Command, has joined the firm as Strategic Advisor.
In his new advisory role at Ballistic, Gen. Haugh will focus on mentoring the firm’s portfolio founders, sharing his expertise in leadership and what it takes to lead effectively in high-stakes, fast-moving environments. He will also support the firm in identifying and backing the next generation of mission-oriented cyber entrepreneurs. (Ballistic Ventures)
Related: Barmak Meftah on LinkedIn
Best Thing of the Day: Take That, You Small School System BEC Scammers
Seminole County Schools in Florida somehow managed to reclaim $1.3 million that BEC scammers stole from it in December 2023.
Bonus Best Thing of the Day: You Gotta Do What You Gotta Do
According to Commvault, while 96% of UK business leaders support banning ransomware payments, 75% would still pay if it meant saving their organization, despite potential legal consequences.
Worst Thing of the Day: That Sick Feeling After You Hit Send
Dozens and perhaps hundreds of individuals who applied to visit inmates at Everglades Correctional Institution (ECI) in Miami-Dade County last weekend had their personal contact information shared with every inmate at that facility after an employee forwarded an email to all inmates that presumably inadvertently contained the information.