
State of emergency in St. Paul.
Officials in St. Paul, Minnesota declare a state of emergency following a cyberattack. Hackers disrupt a major French telecom. A power outage causes widespread service disruptions for cloud provider Linode. Researchers reveal a critical authentication bypass flaw in an AI-driven app development platform. A new study shows AI training data is chock full of PII. Fallout continues for the Tea dating safety app. Hackers are actively exploiting a critical SAP NetWeaver vulnerability to deploy malware. CISA and the FBI update their Scattered Spider advisory. A Florida prison exposes personal information of visitors to all of its inmates. Our guest today is Keith Mularski, Chief Global Ambassador at Qintel, retired FBI Special Agent, and co-host of Only Malware in the Building. CISA and Senator Wyden come to terms—mostly—over the long-buried US Telecommunications Insecurity Report.
Today is Wednesday, July 30th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Officials in St. Paul, Minnesota declare a state of emergency following a cyberattack.
A cyberattack that began Friday has forced the city of St. Paul, Minnesota, to shut down many of its digital systems, prompting Mayor Melvin Carter to declare a state of emergency. Key city services, including online payments and internet access at libraries and City Hall, are offline, though 911 and emergency systems remain operational. Gov. Tim Walz activated the National Guard’s cyber unit to assist, while the FBI leads the investigation. Officials say the attack was deliberate and sophisticated, though no ransom demand has been reported. City employees are urged to change passwords amid concerns about data exposure. The origin and extent of the breach remain unclear, but officials stress that cyberattacks are becoming more frequent and costly, especially for under-resourced local governments.
Hackers disrupt a major French telecom.
Orange, one of the world’s largest telecom companies, detected a cyberattack on July 25 that disrupted some services in France. Orange Cyberdefense quickly isolated the affected system to limit impact, though this caused temporary outages for business and consumer services. The company has notified authorities and launched an investigation. So far, there’s no evidence customer data was stolen. While no group has been blamed, the incident resembles past telecom breaches linked to China’s Salt Typhoon cyber-espionage group. Services are expected to recover by July 30.
A power outage causes widespread service disruptions for cloud provider Linode.
A major power outage at Newark’s 165 Halsey Street data center on Sunday caused widespread service disruptions for cloud provider Linode, continuing into Monday and partially Tuesday. The outage impacted nearly all Linode services, including web hosting, storage, and Kubernetes deployments. The root cause was a cooling system failure following the power loss. Other Linode data centers—Dallas, Fremont, Sydney, Tokyo, Toronto, and Washington—also experienced outages due to interdependencies. Services required slow, careful reactivation to avoid hardware damage. Though no full post-mortem has been released, stability returned by Tuesday. Linode, a longtime supporter of open source projects and now owned by Akamai, is considered a pillar in the open source ecosystem. The incident underscores how vital dependable infrastructure providers are for maintaining global digital and open source operations.
Researchers reveal a critical authentication bypass flaw in an AI-driven app development platform.
Wiz Research revealed a critical authentication bypass flaw in Base44, an AI-driven app development platform with over 20,000 users. The bug stemmed from misconfigured API endpoints, allowing attackers to bypass authentication—including SSO—by exploiting non-secret app_id values. This exposed private enterprise apps handling sensitive data like internal chatbots and PII. Wiz disclosed the issue to Base44 on July 9, and a fix was deployed within 24 hours. Base44 claims there’s no evidence of past exploitation or data compromise.
A new study shows AI training data is chock full of PII.
A new study reveals that millions of images containing personally identifiable information (PII)—such as passports, credit cards, and résumés—are likely included in the massive AI training dataset DataComp CommonPool. Researchers audited just 0.1% of the dataset and found thousands of sensitive documents, suggesting that hundreds of millions of such images may exist across the full dataset. Despite some privacy safeguards, many faces and PII were missed. CommonPool, built from 2014–2022 web-scraped data, has been downloaded over two million times and underpins many AI models. Critics argue this reveals the flawed assumption that all online data is fair game for training AI. Experts call for stronger privacy standards, clearer consent practices, and policy reform to prevent further misuse of online data in AI development.
Fallout continues for the Tea dating safety app.
Messaging has been shut down on the women-only dating safety app Tea, as the fallout from its recent cyberattack deepens. The company now confirms that direct messages were accessed in the July breach, adding to the 72,000 leaked images previously disclosed. Some exposed messages reportedly involve sensitive topics like abortion and infidelity. Tea, which helps users screen potential dates, is now offering free identity protection. Users are urged to stay alert as the investigation continues.
Hackers are actively exploiting a critical SAP NetWeaver vulnerability to deploy malware.
Hackers are actively exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the advanced Auto-Color Linux malware, with a recent attack targeting a U.S.-based chemical company. First detailed in February, Auto-Color is known for its stealth, persistence, and evasion techniques. The April 2025 attack began with remote code execution that installed a Linux ELF file using the NetWeaver flaw. Auto-Color can execute commands, modify files, establish remote access, and evade detection using rootkit features. Darktrace, which investigated the attack, found that the malware now stalls in sandboxed environments if it can’t reach its command-and-control server—making it harder to analyze. SAP patched the vulnerability in April, but exploitation surged afterward, including by ransomware groups and suspected Chinese state actors. Admins are urged to apply SAP’s security fixes immediately.
CISA and the FBI update their Scattered Spider advisory.
An updated joint Cybersecurity Advisory from CISA and the FBI warns that the Scattered Spider threat group—also known as Oktapus, Storm-0875, and others—continues targeting large organizations with increasingly advanced tactics. The July 2025 update outlines how the group leverages impersonation, vishing, and malware like RattyRAT and DragonForce ransomware to infiltrate systems, exfiltrate sensitive data, and extort victims. Their operations often start with social engineering and escalate using tools like TeamViewer and RMM software. Once inside, they exploit cloud environments, execute data theft, and encrypt systems. Scattered Spider now prioritizes spearphishing enriched by social media data and uses living-off-the-land tactics to avoid detection. The advisory urges organizations to adopt phishing-resistant MFA, application allowlisting, network segmentation, and continuous monitoring to defend against the group’s evolving techniques, which increasingly threaten critical infrastructure and commercial sectors.
A Florida prison exposes personal information of visitors to all of its inmates.
A major data breach at Everglades Correctional Institution (ECI) in Miami-Dade County exposed the personal contact information of dozens—possibly hundreds—of prison visitors to all 1,600 inmates. A facility staff member accidentally emailed names, phone numbers, and email addresses of recent visitors, alarming recipients who fear potential harassment or extortion. Many affected individuals are angry that the Florida Department of Corrections has yet to acknowledge or notify them. Advocates blame the incident on the flawed visitation process, which requires visitors to re-submit personal details each time. Critics say this policy, originally implemented during the COVID-19 pandemic, is outdated and risky. Some victims, like those with past stalkers or safety concerns, now fear serious consequences. Advocacy group Florida Cares is urging immediate reform to protect families’ privacy and safety.
CISA and Senator Wyden come to terms—mostly—over the long-buried US Telecommunications Insecurity Report.
After years of bureaucratic dodgeball, CISA now says it plans to release its long-buried US Telecommunications Insecurity Report (2022)—pending, of course, the elusive “proper clearance.” The report, rumored to contain national security facepalms involving U.S. telecoms, has been the obsession of Senator Ron Wyden, who’s turned withholding agency nominations into an art form. His latest target: would-be CISA boss Sean Plankey, whose confirmation remains in limbo until the report goes public.
The Senate unanimously passed a bill demanding CISA release the document within 30 days. Meanwhile, the report details how foreign spies—most notably China’s Salt Typhoon group—waltzed into telecom networks, intercepted messages, tracked Americans, and maybe sent your texts to Beijing.
Wyden calls it a cover-up. CISA calls it “pending review.” Tomato, tomahto.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
