In today’s cybersecurity news…
Oh No! Lenovo
Lenovo has issued urgent firmware updates for several of its all-in-one desktop models to patch a set of high-severity vulnerabilities that could allow attackers to bypass Secure Boot protections. The flaws were discovered in customized InsydeH2O UEFI firmware by security firm Binarly and affect IdeaCentre AIO 3 and Yoga AIO models. Exploiting these bugs could let attackers gain elevated privileges and install stealthy malware at the firmware level.
You sunk my battleship! Or did you?
Hackers calling themselves Neferpitou have leaked 13 gigabytes of internal documents belonging to French submarine manufacturer Naval Group, everything from combat system source code and simulation software to weapons configurations and internal communications. They claim to have up to a terabyte of stolen data, and the leaked materials appear both legitimate and highly sensitive. Naval Group says it has found no evidence of a breach in its internal systems, no confirmed intrusion, no operational disruption. But somehow, its proprietary data is now circulating online. French authorities and cybersecurity experts are investigating, though the company is currently treating the event as a reputational attack rather than a verified compromise. Neferpitou hasn’t explained how they got the data, offered no ransom demand, and issued only a cryptic 72-hour ultimatum followed by the message: “ENJOY AND SEE YOU NEXT TIME.” The data is real, but the path it took to get out is still a mystery.
Russians unable to get a taste of their own medicine!
A cyberattack has crippled major pharmacy chains across Russia, forcing hundreds of stores offline. Stolichki and Neofarm—together operating over 1,100 locations—confirmed service disruptions that impacted payments, prescriptions, and loyalty systems, with some stores shuttered entirely. The chains share ownership ties and may have been jointly targeted, though no group has claimed responsibility. Russia’s internet regulator, Roskomnadzor, ruled out a DDoS attack but offered no further details. The incident follows a wave of cyberattacks on Russian infrastructure, including hits on aviation and liquor distribution systems.
The Guard’s got you covered, don’tcha know
A cyberattack struck St. Paul, Minnesota, on July 25, 2025, disabling city systems and prompting a state of emergency. When the scope outpaced local resources, Governor Tim Walz authorized the deployment of the Minnesota National Guard’s Cyber Protection Team on July 28 to help contain the damage. The Guard is now working with the FBI, state agencies, and private cybersecurity firms to investigate and restore services. Critical systems like 911 remained operational, but public Wi-Fi, payment systems, and online services were taken offline. As of now, no group has claimed responsibility, and officials have not identified the source of the attack.

When they go low, we go high
IBM’s annual Cost of a Data Breach Report, released July 30, 2025, reveals a sharp split between global and U.S. trends. Worldwide, the average cost of a data breach fell 9% to $4.44 million—the first drop in five years, thanks largely to faster detection and containment. In contrast, U.S. breach costs climbed nearly 9% to a record $10.22 million, driven by rising regulatory penalties, detection and escalation costs, and increased labor expenses. The report also highlights growing AI-related risks: 13% of breaches involved AI tools or models, and 97% of those lacked proper access controls. Shadow AI alone added an average of $670,000 to breach recovery costs.
In Mumbai cyber losses quadruple
Over the last year and a half, Mumbai has lost over 1,100 crore rupees (approximately 135 million U.S. dollars) to cyber fraud. Most of the losses came from fake trading platforms, crypto scams, and impersonation tactics like “digital arrests,” in which victims are threatened with fabricated legal charges and coerced into handing over their savings. Authorities believe the real toll is much higher, as many victims avoid reporting due to fear or shame. In response, India has built a multi-layered support system that includes coordinated fraud response across banks, telecoms, and law enforcement and a 24/7 national helpline. Some cities have created cyber help desks and counseling centers offering legal, technical, and even emotional support.
Another day ending in “y,” another day with unsecure “AI”
Google has patched a critical flaw in its new Gemini CLI tool that could have let attackers run hidden commands on users’ machines. Security firm Tracebit discovered the issue just days after launch—attackers could hide malicious shell commands inside context files like README.md, using clever whitespace and prompt injection to sneak past Gemini’s command allow-list. In some cases, the tool would execute harmful commands like data exfiltration without showing them to the user. The vulnerability was reported on June 27 and fixed in version 0.1.14, released July 25. The update now forces full command visibility and recommends running Gemini CLI in a sandbox.
Don’t toy around with security
A flaw in the Lovense adult toy app left millions of users unintentionally exposed. Researchers found that with just a username, attackers could uncover private email addresses—and in some cases, slip inside accounts without permission. The chat-based bug allowed strangers to join in, turning intimate play into public display, and leaking personal details. Lovense patched things up, but experts say the patch is not fully effective and it’s still a little too easy to get in.
(BleepingComputer)






