
Steve Prentiss
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, July 7, 2025. I'm Steve Prentiss.

Ingram Micro suffers ransomware attack

One of the world's largest distributors of IT and cloud technologies was attacked on Thursday, July 3, leaving it unable to manage Microsoft 365 and Dropbox licenses. Responsibility for the attack is being claimed by the ransomware group SafePay, which, according to security firm Forger, was the most active ransomware crew in the world in May. In addition to encrypting company files, the group criticized Ingram Micro for mistakes made in setting up its corporate network. Specifically, they said, quote, "It was the misconfiguration of your network that allowed our experts to attack you. So treat this situation as a paid training session for your system administrators," end quote. Sources have told BleepingComputer that the group may have entered Ingram's systems via its GlobalProtect VPN platform. However, this is a developing story and much remains unconfirmed.

Hacker leaks Telefonica data allegedly from new breach

This breach of the Spanish telecom company, which occurred on May 30, appears to be separate from the one the company suffered in January. This one allegedly gave the hacker 12 hours of uninterrupted data exfiltration time. It was, however, conducted by a member of the Hellcat ransomware group, which was responsible for the January breach, which travelled through an internal JIRA development and ticketing server. This May 30 attack also appears to have been made through a new JIRA misconfiguration. However, this too is a developing story, with Telefonica remaining tight-lipped while the hacker posts sample data that they claim is new and not from the January attack.

ChatGPT prone to recommending wrong URLs, creating a new phishing opportunity

Threat researchers at Netcraft are warning of the propensity of LLMs like ChatGPT to offer the wrong information. When asked questions like "Can you help me find the official website to log into my account at such-and-such a brand?", the researchers found that the AI would produce the correct web address just 66% of the time; 29% of URLs pointed to dead or suspended sites, and a further 5% to legitimate sites, but not the ones that users requested. The Netcraft team points out that phishers could ask for a URL, and if the top result is a site that is unregistered, they could buy it and set up a phishing site. This is because LLMs look for words and associations and do not evaluate a site's reputation or depth.

Huge thanks to our sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V-A-N-T-A dot com slash headlines.

NightEagle APT exploits Microsoft Exchange to target China's military and tech sectors

Researchers from a Chinese security team known as RedDrip are describing the threat actor as targeting Microsoft Exchange servers as part of a zero-day exploit chain designed to target government, defense and technology sectors in China. The APT is named NightEagle due to the eagle-like swiftness of its actions, such as switching network infrastructure, as well as its propensity for striking at night in China. This latter attribute makes the researchers believe the threat actor is based in North America. The nature of the attack is in using a Go-based Chisel utility to achieve the internet penetration function.

Grafana releases critical security updates for Image Renderer plugin

Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent, although the issues impact Chromium and were fixed by the open-source project. Two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability in the Grafana components. The update is being described as a critical-severity security release, with three CVSS scores of 8.8 and one of 8.1. These security problems impact Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent versions before 0.38.3.

Taiwan alerts public on data risks from TikTok, Weibo and RedNote

Taiwan's National Security Bureau has issued a warning that China-developed applications like RedNote, Weibo, TikTok, WeChat and Baidu Cloud pose security risks due to excessive data collection and data transfer to China. This follows an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau and the Criminal Investigation Bureau under the National Police Agency. The agency evaluated the apps against 15 indicators spanning five broad categories: personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access. RedNote violated all 15 indicators, followed by Weibo and TikTok, which were found to breach 13. WeChat and Baidu Cloud violated 10 and nine of the 15 indicators, respectively. These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters. End quote.

Be sure to register to join us for this week's Super Cyber Friday event, all about hacking the resilience mindset. We'll be talking about how to get buy-in for shifting the overall framing of your security program, both within your security team and within the organization as a whole. This all starts at 1pm this Friday, July 11. Be sure to register to join us at our events page at cisoseries.com, and if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Podcast: CISO Series - Cyber Security Headlines
Release Date: July 7, 2025
Timestamp: [00:00]
In this episode, Steve Prentiss delves into the recent ransomware attack on Ingram Micro, one of the world's leading distributors of IT and cloud technologies. The attack, which occurred on July 3, rendered Ingram Micro incapable of managing Microsoft 365 and Dropbox licenses.
Steve highlights the claim of responsibility by the ransomware group SafePay, which security firm Forger ranked as the most active ransomware crew in the world in May. In addition to encrypting company files, SafePay criticized Ingram Micro for mistakes in setting up its corporate network, specifically blaming a misconfiguration of the network for the intrusion. Steve summarizes the group's taunt:
"So treat this situation as a paid training session for your system administrators." (00:45)
Sources told BleepingComputer that SafePay may have entered Ingram's systems through its GlobalProtect VPN platform. Steve emphasizes that the situation is still evolving and that many details remain unverified.
Timestamp: [03:15]
Steve then turns to a data breach at Spanish telecom Telefonica. The incident, which took place on May 30, appears distinct from a breach the company suffered in January. The hacker claims this one allowed roughly 12 hours of uninterrupted data exfiltration.
The breach is attributed to a member of the Hellcat ransomware group, the same group responsible for the January incident, which travelled through an internal JIRA development and ticketing server. Steve notes:
"This May 30th attack also appears to have been made through a new JIRA misconfiguration." (05:10)
As with the Ingram Micro incident, details remain sparse as Telefonica has maintained a tight-lipped stance. Meanwhile, the hacker has been actively posting sample data, purportedly distinguishing it from the January breach. Steve underscores the developing nature of this story, indicating that more information may surface as investigations continue.
Timestamp: [07:30]
A significant portion of the episode is dedicated to the emerging threat associated with Large Language Models (LLMs) such as ChatGPT. Researchers at Netcraft have uncovered that these models are prone to recommending incorrect URLs, inadvertently creating new phishing opportunities.
When users ask, for example, "Can you help me find the official website to log into my account at [Brand]?", the AI provides the correct web address only 66% of the time. 29% of the URLs point to dead or suspended sites, and a further 5% lead to legitimate sites that are not the one requested. Steve explains the danger:
"Phishers could ask for a URL, and if the top result is a site that is unregistered, they could buy it and set up a phishing site." (10:05)
The Netcraft team's point is that LLMs predict URLs from word associations rather than evaluating a site's reputation, so a plausible-looking but unregistered domain can surface as the top answer; a phisher who registers that domain inherits the model's recommendation.
Timestamp: [12:20]
Steve introduces the findings of researchers from a Chinese security team, RedDrip, who have identified a new Advanced Persistent Threat (APT) group named NightEagle. This APT is exploiting Microsoft Exchange servers through a zero-day exploit chain aimed at China's government, defense, and technology sectors.
The moniker "NightEagle" is derived from the group's eagle-like swiftness, such as rapidly switching network infrastructure, and its tendency to strike during night-time hours in China; the latter leads the researchers to believe the actor is based in North America. Steve mentions:
"The eagle-like swiftness of its actions, such as switching network infrastructures, coupled with striking at night, suggests the threat actor is based in North America." (13:45)
The attack methodology includes a Go-based Chisel utility, an open-source tunnelling tool, which the researchers describe as providing the chain's "internet penetration function."
Timestamp: [17:00]
In the realm of software security, Grafana Labs has released critical updates addressing four Chromium vulnerabilities affecting their Image Renderer plugin and Synthetic Monitoring Agent. These issues were initially patched by the open-source Chromium project but necessitated urgent updates from Grafana to their users.
Steve points out that two weeks prior, Grafana received a bug bounty submission from security researcher Alex Chapman, who demonstrated the exploitability of these vulnerabilities within Grafana's components. The recent updates are classified as "Critical Severity" with three CVSS scores of 8.8 and one of 8.1.
"These security problems impact the Grafana image renderer versions prior to 3.12.9 and the Synthetic Monitoring Agent versions before 0.38.3." (18:30)
Users are strongly advised to update their systems promptly to mitigate potential security risks.
Timestamp: [20:50]
Concluding the episode, Steve discusses the Taiwanese National Security Bureau's latest warnings regarding several Chinese-developed applications, including RedNote, Weibo, TikTok, WeChat, and Baidu Cloud. These apps have been flagged for posing significant security risks due to their extensive data collection and transfer to China.
The assessment was conducted in collaboration with Taiwan's Ministry of Justice Investigation Bureau and the Criminal Investigation Bureau under the National Police Agency. The evaluation criteria encompassed 15 indicators across five categories: personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.
RedNote was found to violate all 15 indicators, followed by Weibo and TikTok with 13 breaches each. WeChat and Baidu Cloud were cited for infringing 10 and 9 indicators, respectively. The data collection concerns include sensitive information such as facial recognition data, screenshots, clipboard contents, contact lists, and location information. Additionally, all flagged apps were identified as harvesting installed app lists and device parameters.
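The following Python is an added example, not code from the episode, from Netcraft, or from CISO Series. It triages the URLs an LLM suggests for a brand's login page along the lines of the Netcraft finding above: suggestions whose registrable domain is not on the brand's allowlist are checked for registration status, so an unregistered brand-like domain (the one a phisher could buy) is flagged separately from a registered wrong site. The brand "examplebank", its allowlisted domains, the sample URLs and the in-memory registration table are all constructed for the example; in real use the table would be replaced by DNS/WHOIS lookups and the suffix handling by the Public Suffix List.

```python
"""Triage login URLs suggested by an LLM for a brand.

Added example, not code from the episode, Netcraft, or CISO Series. Network
lookups (DNS/WHOIS) are replaced by a constructed in-memory table so it runs
offline; the brand, domains and URLs below are all made up.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains that genuinely belong to the brand (assumption).
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
}

# Constructed stand-in for a registration lookup: registrable domain -> is it registered?
# Domains absent from the table are treated as unknown, not as unregistered.
REGISTRATION = {
    "examplebank.com": True,
    "examplebank.co.uk": True,
    "examplebank-login.com": False,   # plausible, unregistered: a phisher could buy it
    "example-bank.net": True,         # registered lookalike, not the brand
    "otherbank.com": True,            # real site, wrong brand
}

# Minimal public-suffix handling (assumption: use the Public Suffix List in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a registrant controls (www.a.co.uk -> a.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_brand(brand: str, domain: str) -> bool:
    """True when the brand name appears in the registrable label (hyphens ignored)."""
    return brand.lower() in domain.split(".")[0].replace("-", "")


def classify(brand: str, url: str, registration=REGISTRATION) -> str:
    """Classify one LLM-suggested URL.

    OFFICIAL               registrable domain is on the brand's allowlist
    UNREGISTERED_LOOKALIKE brand-like domain nobody owns yet: the Netcraft scenario
    UNREGISTERED           unowned domain without the brand name
    LOOKALIKE              registered brand-like domain that is not the brand (possible phish)
    WRONG_SITE             registered domain unrelated to the brand
    UNKNOWN                registration status not in the lookup table
    INVALID                no usable hostname could be parsed
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    if "." not in host:
        return "INVALID"
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS.get(brand, set()):
        return "OFFICIAL"
    registered = registration.get(domain)
    lookalike = looks_like_brand(brand, domain)
    if registered is None:
        return "UNKNOWN"
    if registered is False:
        return "UNREGISTERED_LOOKALIKE" if lookalike else "UNREGISTERED"
    return "LOOKALIKE" if lookalike else "WRONG_SITE"


def triage(brand: str, urls) -> dict:
    """Classify a batch of suggestions and count verdicts, mirroring Netcraft's tally."""
    verdicts = {u: classify(brand, u) for u in urls}
    counts = {}
    for v in verdicts.values():
        counts[v] = counts.get(v, 0) + 1
    return {"verdicts": verdicts, "counts": counts}


if __name__ == "__main__":
    # Constructed sample of what an LLM might return for "where do I log in to examplebank?"
    suggestions = [
        "https://examplebank.com/login",
        "https://www.examplebank.co.uk/auth",
        "http://examplebank-login.com",
        "https://example-bank.net/signin",
        "https://otherbank.com",
        "https://nonexistent-thing.org",
    ]
    result = triage("examplebank", suggestions)
    for url, verdict in result["verdicts"].items():
        print(f"{verdict:23} {url}")
    print(result["counts"])
```

The separate UNKNOWN verdict matters: a lookup failure is not evidence that a domain is free, so a pipeline that defensively registers or blocks "unregistered" suggestions should act only on an affirmative answer from the registration check.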