CyberWire Daily – Episode: "SafePay, Unsafe Day"
Release Date: July 7, 2025
Host: Dave Bittner
Guest: Rob Allen, Chief Product Officer at ThreatLocker
Produced by N2K Networks
Introduction
In the July 7, 2025, episode of CyberWire Daily titled "SafePay, Unsafe Day," host Dave Bittner delivers a comprehensive briefing on the latest cybersecurity incidents, remediation efforts, and emerging threats. The episode also features an insightful interview with Rob Allen from ThreatLocker, focusing on mitigating security fatigue through the implementation of default deny policies.
Major Cyber Incidents
1. Ingram Micro Ransomware Attack by SafePay Gang
Last Thursday, Ingram Micro, a major global IT distributor, fell victim to a ransomware attack orchestrated by the SafePay gang. The attack has led to an ongoing outage of Ingram Micro's website and ordering systems. Employees discovered ransom notes on their devices, although it remains unclear whether any files were encrypted.
Details:
- Breach Vector: GlobalProtect VPN platform.
- Impacted Services: AI-powered Xvantage distribution platform and Impulse license provisioning.
- Operational Status: Microsoft 365 Teams and SharePoint remain functional.
- Attack Timeline:
  - Initial Response: Ingram Micro initially cited only IT issues without disclosing the ransomware incident.
  - Confirmation: On Sunday, Ingram Micro confirmed the ransomware attack, stating it is collaborating with cybersecurity experts to investigate and restore systems.
- SafePay Gang: Active since November 2024 with over 220 victims, utilizing VPN breaches and password spraying as primary attack vectors.
Notable Quote:
“Initially, Ingram Micro did not disclose the attack, citing only IT issues.”
(Dave Bittner, 00:14)
2. Dismantling of a Large Investment Fraud Ring by Spanish Police
Spanish authorities executed coordinated raids across Barcelona, Madrid, Mallorca, and Alicante, dismantling a significant investment fraud ring responsible for over $11.8 million in damages. A total of 21 suspects were arrested, and authorities seized seven luxury cars and more than $1.5 million in cryptocurrency.
Operation Highlights:
- Operational Period: Began in 2022.
- Modus Operandi: Offered fake investment opportunities in CR, crypto tech stocks, and gold through manipulated websites and call centers posing as professional advisors.
- Victim Impact: Victims initially saw fake profits and could make small withdrawals; they were then enticed to transfer larger sums, which were lost to blocked withdrawals and fictitious processing fees.
- Evasion Tactics: Call centers had panic buttons to erase data during raids.
- Related Cases: Follows a recent takedown of a $540 million crypto scam in Spain.
Notable Quote:
“Victims saw fake profits and could make small withdrawals initially before losing larger sums to blocked withdrawals and fake processing fees.”
(Dave Bittner, 02:30)
3. Shutdown of SatanLock Ransomware Group
The SatanLock ransomware group announced its shutdown, planning to leak all stolen victim data on the day of the announcement. Active since April 2025, SatanLock had 67 listed victims, over 65% of whom had already been featured on other ransomware leak sites, indicating shared infrastructure with groups like Babuk-Bjorka and GD LockerSec. The sudden closure remains unexplained.
Notable Quote:
“SatanLock's sudden closure remains unexplained.”
(Dave Bittner, 05:20)
4. Brazilian Police Make Arrest Over $100 Million Bank Heist
Brazilian authorities arrested Yao Rocha, an IT employee at software firm CNM, for his role in a cyberattack that stole over $100 million from the nation's banking system. The attack exploited CNM's connection to Brazil’s instant payment platform Pix, used by over 76% of the population.
Attack Details:
- Method: Social engineering to breach CNM's systems.
- Target: Financial institutions rather than individual clients.
- Financial Impact: Losses from a single bank reached $100 million.
- Broader Implications: Brazil’s central bank suspended parts of CNM's operations post-breach.
- Suspects: Police believe at least four other individuals were involved.
Notable Quote:
“The fraud occurred overnight via fake PIX transactions.”
(Dave Bittner, 06:45)
5. Qantas Customer Data Breach and Potential Cybercriminal Contact
Qantas confirmed receiving contact from a potential cybercriminal following a recent customer data breach that occurred on June 30. The breach compromised personal information of up to 6 million customers, including names, emails, phone numbers, dates of birth, and frequent flyer numbers. No financial data was affected.
Response Actions:
- Investigation: Involvement of the Australian Federal Police.
- Customer Notification: Customers were informed via email and warned about potential phishing attempts.
- Security Measures: Qantas affirmed that its systems remain secure and that it has not detected further threat activity.
Notable Quote:
“Customers were notified by email and warned to watch for phishing attempts.”
(Dave Bittner, 08:10)
6. Arbor Associates Healthcare Data Breach
Arbor Associates, a company processing data for healthcare providers, reported a breach detected on April 17, compromising patient data such as names, contact details, birth dates, service dates, CPT and diagnosis codes, medical record numbers, and insurance provider names. The number of affected individuals and specific attack details remain undisclosed.
Response Measures:
- Support: Arbor has established a helpline for affected patients.
- Preventive Advice: Encourages monitoring of credit reports for suspicious activity.
Notable Quote:
“Arbor has set up a helpline and urges patients to review statements for errors and monitor credit reports for suspicious activity.”
(Dave Bittner, 09:50)
Emerging Cyber Threats and Trends
1. Evolution of XWorm Remote Access Trojan (RAT)
The XWorm RAT has advanced with sophisticated stagers and loaders to evade detection, now targeting software supply chains and the gaming sector. Recent campaigns involve pairing XWorm with AsyncRAT for initial access and deploying ransomware crafted from the leaked LockBit Black builder.
Technical Advancements:
- Infection Chain: Utilizes multiple file types and scripting languages delivered via phishing emails that mimic legitimate invoices and shipping notices.
- Evasion Techniques: Employs base64 encoding, AES encryption, and tampering with Windows security features like AMSI and ETW.
- Propagation Methods: Spreads through removable media, utilizes persistence mechanisms, and disables Microsoft Defender, making it a persistent threat globally.
Notable Quote:
“XWorm's infection chain is highly dynamic, using multiple file types and scripting languages delivered via phishing emails.”
(Dave Bittner, 11:30)
2. Surge in Fraudulent Domains Ahead of Amazon Prime Day
With Amazon Prime Day approaching, cybercriminals are intensifying phishing attacks targeting shoppers. Check Point researchers report that over 1,000 Amazon-like domains were registered in June alone, with 87% flagged as malicious.
Tactics Employed:
- Spoofed Websites: Mimicking Amazon’s checkout pages to trick users into entering login credentials.
- Phishing Emails: Claiming refund errors to lure recipients into clicking malicious links.
Preventive Measures: Increased vigilance and skepticism towards unsolicited emails and unfamiliar websites can prevent identity theft, unauthorized purchases, and stolen gift card balances.
Notable Quote:
“Many use Amazon Prime in their names to trick users into entering login credentials on fake sites.”
(Dave Bittner, 12:45)
Legal Actions in Cybersecurity
Apple Sues Former Engineer for Data Theft
Apple has filed a lawsuit against former senior product design engineer Di Liu, accusing him of stealing confidential data related to its Vision Pro headset and sharing it with Snap, his current employer. Liu, who worked at Apple for seven years, allegedly transferred proprietary Vision Pro design, hardware, testing, and unreleased-capability files to his personal cloud storage before resigning.
Allegations:
- Misrepresentation: Liu allegedly misled Apple about his departure, citing family reasons rather than his move to Snap, thereby avoiding Apple's offboarding protocols.
- Evidence Destruction: Forensic analysis revealed Liu deleted evidence from his MacBook to conceal data transfers.
Apple's Claims:
- Demands: Immediate return of trade secrets, financial damages, and access to Liu's devices and cloud accounts.
- Snap’s Response: Snap has denied any involvement in Liu’s actions.
Notable Quote:
“Apple is seeking the immediate return of its trade secrets, financial damages and access to Liu's devices and cloud accounts.”
(Dave Bittner, 14:20)
Interview with Rob Allen: Combating Security Fatigue through Default Deny
The episode features an in-depth conversation with Rob Allen, Chief Product Officer at ThreatLocker, exploring the concept of security fatigue and how default deny policies can serve as an effective countermeasure.
Understanding Security Fatigue
Security fatigue, often referred to as alert fatigue, describes the desensitization that security teams experience due to the overwhelming number of security alerts. This can lead to genuine threats being overlooked or ignored.
Key Insights:
- Dave Bittner's Example:
“If you have something that's popping off alerts left, right and center... when something is actually happening, you're probably going to either be too busy chasing other things or think it's not actually going to be what I think it is.”
(Dave Bittner, 13:58)
Default Deny Policy Explained
Instead of the traditional approach of "allowing everything unless known bad," ThreatLocker advocates for a "deny by default" strategy. This means all activities are blocked unless explicitly permitted, significantly reducing the number of false positives and unknown threats that security teams need to manage.
Notable Quote:
“Allow everything except what's known to be bad... deny everything unless it's explicitly allowed.”
(Dave Bittner, 16:33)
Practical Implementation and Benefits
Implementing default deny involves establishing strict guardrails and permit-by-exception policies. Most users run the same standard applications every day, and these can be whitelisted up front so the policy does not get in their way. ThreatLocker provides mechanisms for users to request exceptions, supplying pertinent information about the software, which promotes informed decision-making and reduces risky behavior.
Key Points:
- User Experience:
“Permit by exception is what's going to allow you to continue to do business... if you operate within these guardrails, which 99% of users are going to do, we're not going to get in your way.”
(Dave Bittner, 20:21)
Impact on Alert Fatigue
By enforcing default deny, the number of security alerts decreases dramatically as unauthorized actions are blocked at the source. This reduction in noise allows security teams to focus on genuine threats, enhancing operational efficiency and effectiveness.
Notable Quote:
“We've got ThreatLocker running and secured, their EDR suddenly has very little to do because nothing is being allowed to run that shouldn't be allowed to run.”
(Dave Bittner, 21:46)
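As an added illustration (not ThreatLocker's code or the episode's own material), the two policy models the interview contrasts, evaluated over a constructed set of endpoint execution events; the publishers, hashes and paths are placeholders, and the point is that unknown binaries run unchallenged under a deny list but are stopped at the source under default deny.

```python
# Added illustration (not ThreatLocker's code): a toy application-control
# evaluator contrasting "allow unless known bad" with "deny unless allowed".
from dataclasses import dataclass

@dataclass
class ExecEvent:
    path: str
    sha256: str          # constructed placeholder hashes, not real indicators
    publisher: str = ""  # code-signing publisher, empty if unsigned

# Hypothetical explicit allow rules an administrator has approved.
ALLOW_PUBLISHERS = {"Microsoft Corporation", "Example LOB Vendor"}
ALLOW_HASHES = {"hash-lob-approved-01"}
DENY_HASHES = {"hash-known-malware-01"}  # hypothetical known-bad list for the deny-list model

def deny_list_policy(ev):
    """Traditional model: everything runs unless it matches a known-bad entry."""
    if ev.sha256 in DENY_HASHES:
        return False, "blocked: known bad"
    return True, "allowed by default"

def default_deny_policy(ev):
    """Permit by exception: only approved publishers or hashes may execute."""
    if ev.publisher in ALLOW_PUBLISHERS:
        return True, "allowed: trusted publisher"
    if ev.sha256 in ALLOW_HASHES:
        return True, "allowed: approved hash"
    return False, "blocked: not permitted; user may submit an exception request"

def is_approved(ev):
    return ev.publisher in ALLOW_PUBLISHERS or ev.sha256 in ALLOW_HASHES

def unknowns_executed(events, policy):
    """Paths of binaries that ran although neither approved nor known bad.
    These are the executions that become downstream EDR noise."""
    return [ev.path for ev in events if policy(ev)[0] and not is_approved(ev)]

# Constructed sample of one endpoint's executions for a day.
SAMPLE_EVENTS = [
    ExecEvent(r"C:\Windows\System32\notepad.exe", "hash-np", "Microsoft Corporation"),
    ExecEvent(r"C:\Tools\lob-app.exe", "hash-lob-approved-01"),
    ExecEvent(r"C:\Users\a\Downloads\invoice.pdf.exe", "hash-unknown-01"),
    ExecEvent(r"C:\Users\a\AppData\Local\Temp\dropper.exe", "hash-known-malware-01"),
    ExecEvent(r"C:\Users\a\Downloads\updater.exe", "hash-unknown-02"),
]

if __name__ == "__main__":
    for name, pol in (("deny-list", deny_list_policy), ("default-deny", default_deny_policy)):
        print(f"{name}: unknown binaries that ran -> {unknowns_executed(SAMPLE_EVENTS, pol)}")
```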
Complementary Role of Detection Tools
While default deny serves as a strong preventive measure, detection tools remain essential for an additional layer of security. A balanced security stack integrates proactive protection with reactive detection to identify and respond to potential threats effectively.
Notable Quote:
“A well balanced security stack should combine proactive protection... and also reactive detection... Ideally, you want to know about a potential cyber attack that is trying to get underway and is failing to do so because of the controls.”
(Dave Bittner, 26:57)
Educational Initiatives
ThreatLocker emphasizes the importance of education in their strategy. They offer webinars and resources to guide organizations in securing their environments and fostering a proactive security culture.
Notable Quote:
“We see education as a very large part of what we do... here's how you can make your environment unfriendly and difficult for an attacker to operate in.”
(Dave Bittner, 27:03)
Additional Highlights
AI Image Editing Incident in Maine
In Maine, the Westbrook Police Department used ChatGPT’s image generator to add its badge to a drug bust photo. The AI altered the photo incorrectly, removing some of the drugs from the evidence image and adding garbled text and an eerie gloss. The mishap caused public confusion; the department deleted the altered image and issued an apology, initially blaming a Photoshop app before local station WGME revealed that ChatGPT’s image generator had been used.
Lesson Learned:
Caution is necessary when employing AI tools for sensitive operations to avoid unintended alterations and misinformation.
Notable Quote:
“The AI even removed some drugs from the evidence photo.”
(Dave Bittner, 29:28)
Conclusion
The "SafePay, Unsafe Day" episode of CyberWire Daily underscores the critical importance of proactive cybersecurity measures and the evolving landscape of cyber threats. Through the discussion with Rob Allen, listeners gain valuable insights into combating security fatigue and enhancing their security posture with default deny policies. The episode also highlights significant cyber incidents and legal actions, emphasizing the need for robust security frameworks in today’s digital environment.
Get Involved
Listeners are encouraged to engage with CyberWire Daily through their website and participate in the annual audience survey to provide valuable feedback for future episodes.
Produced by:
Alice Carruth – Senior Producer
Liz Stokes – CyberWire Producer
Elliott Peltzman & Trey Hester – Mixers
Jennifer Eiben – Executive Producer
Peter Kilpe – Publisher
Dave Bittner – Host
Sponsors:
- ThreatLocker: threatlocker.com
- Krogle: krogle.com
For more details on today's stories, visit thecyberwire.com.
