Transcript
David Shipley (0:01)
Ingram Micro has been hit with the SafePay ransomware. Criminals are ramping up efforts to compromise Linux SSH servers to build proxy networks. ClickFix social engineering attacks are up 500%, and a former ransomware negotiator is under criminal investigation for working with gangs to profit off of extortion payments. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

Ingram Micro, one of the largest technology distributors on the planet, said Saturday it was hit with a ransomware attack late last week. The publicly traded California firm was still dealing with the impact from the incident as of Sunday afternoon, with its website still down and redirecting to more information on the cybersecurity incident. In a release on Business Wire, the company said it recently discovered ransomware on some of its internal systems. The firm said it took steps to secure the relevant environment and proactively took some systems offline, as well as implementing other mitigating measures. Ingram Micro says it has launched an investigation with the assistance of leading cybersecurity experts and has notified law enforcement. It said it was working hard to restore affected systems and to resume processing and shipping orders. BleepingComputer posted the SafePay ransomware note allegedly tied to the incident. In it, SafePay claims it exploited "a number of mistakes" Ingram made in "setting up the security of your corporate network, so we were able to spend quite a long time in IT and compromise you." The SafePay note claims the intruders accessed sensitive and confidential information, including documents pertaining to financial statements, intellectual property, accounting records, lawsuits and complaints, personal and customer files, bank details, transactions and more. Interestingly, the group seemed to go out of its way to note the attack was purely financially motivated and not political.
None of these claims have been independently verified. Ingram Micro had more than $47.98 billion in revenue in 2024, making it one of the most valuable U.S. technology companies. The ransomware attack comes on the heels of the firm returning to the Fortune 500 in June. Founded 46 years ago, Ingram Micro is a backbone distributor to value-added resellers, managed service providers and more. Managed service providers who spoke to The Register reported being unable to manage customers' Microsoft 365 licenses, Dropbox licenses, hardware purchases and more. Hitting Ingram Micro is the technology sector equivalent of the Colonial Pipeline attack. A prolonged outage could have massive impacts across nearly 90% of the global technology marketplace. Ingram Micro also resells Microsoft's Office and Azure cloud offerings, with some posters on Reddit's MSP thread on the weekend warning folks to revoke Ingram Micro accounts. As of Sunday, there was no evidence that Ingram Micro's incident had spread to others. However, the company's sheer reach would make any such event larger than anything we've ever seen. According to a recent media article, Ingram manages more than 50 million seats in cloud services. We may all want to be grateful that this increasingly appears to be a vanilla cybercrime extortion attempt and not nation-state-run, because had it been, things could have been far worse. If this outage takes the typical several weeks to several months to fully resolve, the risks of major disruptions throughout a broad swath of the technology supply chain will grow.

A new campaign is targeting misconfigured Linux servers, with attackers deploying legitimate proxy software to covertly build network infrastructure for criminal use. This matches a trend we've been following since the start of the year, with criminal groups building new infrastructure leveraging proxies around the world.
According to the AhnLab Security Emergency Response Center, or ASEC, threat actors are scanning for Linux systems with weak or default SSH credentials. Once access is gained, the attackers install proxy tools, specifically TinyProxy and sing-box, to create scalable, anonymized networks. These tools are typically used for legitimate purposes such as content routing or bypassing geo-restrictions, but in this case they're being repurposed for malicious activity. Unlike traditional malware campaigns that aim to exfiltrate data or encrypt files, this operation is focused on maintaining a stealthy presence. No additional malware is deployed. Instead, the attackers use lightweight bash scripts that detect the server's operating system and use standard Linux package managers (APT, YUM and/or DNF) to install TinyProxy. Once installed, the script modifies the configuration file located at /etc/tinyproxy/tinyproxy.conf. It removes any restrictive access controls and replaces them with a universal rule, Allow 0.0.0.0/0. This opens the proxy to all incoming connections, effectively allowing anyone on the Internet to route traffic through the compromised server via port 8888. A second variant of the campaign uses sing-box, a multipurpose proxy that supports advanced protocols like VMess, Argo, VLESS, Reality, Hysteria 2 and TUIC v5. These protocols are often used in circumvention tools, but here they appear to be facilitating anonymization for broader criminal infrastructure. Installation is carried out using scripts hosted on GitHub, pointing to a structured and potentially large-scale operation. Comments found in the script are written in Polish, which may indicate the regional origin of the attacks or at least provide a linguistic clue. However, attribution remains unclear. Security researchers suggest the infrastructure is being monetized through proxy-as-a-service offerings or leveraged to obscure the source of further malicious activity.
For organizations running Linux-based infrastructure, especially systems exposed to the Internet via SSH, security teams are advised to enforce strong authentication, ideally using SSH keys and not just passwords, audit for unauthorized proxy services, and monitor outbound traffic for signs of proxy misuse. This campaign highlights a shift in tactics from delivering destructive payloads to quietly establishing a persistent network resource that can be used in ongoing or future cyber operations. It's particularly relevant given the decline in the ability of criminals to use traditional bulletproof hosting services.

Cybersecurity firm ESET says ClickFix attacks are up 500% in the first half of 2025, coming second only to traditional phishing as the most common attack method. The findings come in the latest ESET threat report, which summarizes threat data captured by its security tools. ClickFix attacks display a fake error that manipulates the victim into copying, pasting and executing malicious commands on their devices. The attack vector affects all major operating systems, including Windows, Linux and macOS. It often mimics common human validation systems like Cloudflare or CAPTCHA services that are commonly deployed to distinguish human and bot traffic. The ClickFix technique is used to deploy infostealers, ransomware, remote access trojans, crypto miners, post-exploitation tools, and even custom malware from nation-state-aligned threat actors, ESET says. In the same report, ESET also gave some good news. In it, it said that global ransomware continues to descend into chaos, with fights between major gangs impacting several players, including the leading ransomware-as-a-service RansomHub. While ransomware attacks and the number of gangs are up compared to 2024, payments are down.
It's unclear why, but the report suggests that the combination of successful global law enforcement actions last year against a number of gangs and an increase in exit scams (that's where gangs bail on their affiliates without paying them) contributed to the growing chaos.

Speaking of the ransomware industry and chaos, here's another interesting wrinkle. An ex-ransomware negotiator is under criminal investigation by the U.S. Department of Justice for allegedly working with ransomware gangs to profit from extortion payments. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017. Bloomberg first reported last week that the DOJ is investigating whether the suspect was working with ransomware gangs to negotiate payments, then allegedly receiving a cut of the ransom that was charged to the customer. The DOJ refused to comment when Bloomberg contacted them last week. From my perspective, ransom negotiation as an industry was always ethically challenging. Some ransomware operators, such as GandCrab and REvil, even created special discount codes and chat interfaces specifically designed for these types of firms to receive a discount on the ransom demand. Some vendors in the ransomware negotiation space have been critical of others who don't use a fixed-fee structure, with those that don't use that fixed-fee structure often lending themselves to potential abuse.

As always, stay skeptical and stay patched, and yesterday was a good day to start doing fourth-party breach tabletops. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video.
I've been your host David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
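The TinyProxy tampering described in the Linux SSH segment (restrictive access controls replaced by a universal Allow rule on port 8888) is the kind of thing the "audit for unauthorized proxy services" advice is meant to catch. The following is an added example, not code from the podcast or from AhnLab/ASEC: a small Python audit that parses a tinyproxy.conf and flags world-open Allow rules, the absence of any access-control keyword (TinyProxy then admits every client), and the port and interface it listens on. The sample config is constructed inline to mirror the described change.

```python
"""Audit a TinyProxy config for the world-open exposure described above.
Added example (not the podcast's or ASEC's code); sample config constructed."""
import ipaddress
import re

# Constructed sample: original restrictive rule commented out, universal Allow added.
SAMPLE_CONF = """\
Port 8888
Timeout 600
#Allow 127.0.0.1
Allow 0.0.0.0/0
"""

ALLOW_RE = re.compile(r"^\s*Allow\s+(\S+)", re.IGNORECASE)
DENY_RE = re.compile(r"^\s*Deny\s+(\S+)", re.IGNORECASE)
PORT_RE = re.compile(r"^\s*Port\s+(\d+)", re.IGNORECASE)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def is_world_open(target: str) -> bool:
    """True if an Allow target is a /0 network, i.e. admits every source address."""
    try:
        return ipaddress.ip_network(target, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames or garbage are not treated as world-open here


def audit_tinyproxy(conf_text: str) -> dict:
    """Return findings for one tinyproxy.conf body (comments are ignored)."""
    allows, denies, port, listen = [], [], None, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if m := ALLOW_RE.match(line):
            allows.append(m.group(1))
        elif m := DENY_RE.match(line):
            denies.append(m.group(1))
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
        elif m := LISTEN_RE.match(line):
            listen = m.group(1)
    open_rules = [a for a in allows if is_world_open(a)]
    # TinyProxy's default is ALLOW when no Allow/Deny keywords are present at all.
    no_acl = not allows and not denies
    return {
        "open_allow_rules": open_rules,
        "no_acl_keywords": no_acl,
        "port": port,
        "listen": listen or "all interfaces",
        "exposed": bool(open_rules) or no_acl,
    }
```

Run it over every tinyproxy.conf found on a host (or over configs pulled by your configuration management) and treat `exposed` as a finding to investigate alongside the SSH authentication log.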
