Dave Bittner
You're listening to the CyberWire network, powered by N2K.
Dave Bittner
And now a word from our sponsor, Cloud Range. At Cloud Range, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive, simulation-based training helps security teams build confidence and skill from day one by turning potential into performance. They empower SOC and incident response teams to respond quickly, smartly and in sync with evolving threats. Learn how Cloud Range is helping organizations stay ahead of cyber risks at www.cloudrange.com.

Ingram Micro suffers a ransomware attack by the SafePay gang. Spanish police dismantle a large-scale investment fraud ring. The SatanLock ransomware group says it's shutting down. Brazilian police arrest a man accused of stealing over $100 million from the country's banking system. Qantas confirms contact from a potential cybercriminal following its recent customer data breach. The XWorm RAT evolves to better evade detection. Cybercriminals ramp up fraudulent domains ahead of Amazon Prime Day. Apple sues a former engineer for allegedly stealing confidential data. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing why default deny could be the antidote to security fatigue. And AI image editing blurs the evidence.

It's Monday, July 7th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us.

Ingram Micro, a major global IT distributor, suffered a ransomware attack by the SafePay gang last Thursday, leading to an ongoing outage of its website and ordering systems. Employees discovered ransom notes on their devices, although it's unclear if files were encrypted. Sources say attackers likely breached the company via its GlobalProtect VPN platform. Impacted services include its AI-powered Xvantage distribution platform and Impulse license provisioning, while Microsoft 365, Teams and SharePoint remain operational. Initially, Ingram Micro did not disclose the attack, citing only IT issues. SafePay, active since November 2024 with over 220 victims, uses VPN breaches and password spraying to infiltrate targets. On Sunday, Ingram Micro confirmed the ransomware incident, stating it's working with cybersecurity experts to investigate and restore systems.

Spanish police have dismantled a large-scale investment fraud ring that caused over $11.8 million in damages, in coordinated raids across Barcelona, Madrid, Mallorca and Alicante. 21 suspects were arrested and officers seized seven luxury cars and more than $1.5 million in cash and crypto. The group began operations in 2022, targeting victims nationwide with fake investments in crypto, tech stocks and gold via manipulated websites and call centers posing as professional advisors. Victims saw fake profits and could make small withdrawals initially before losing larger sums to blocked withdrawals and fake processing fees. The call centers had panic buttons to erase data during raids. This operation follows recent major fraud takedowns in Spain, including a $540 million crypto scam dismantled last week.

The SatanLock ransomware group announced it's shutting down and plans to leak all stolen victim data today. The group, active since April 2025, posted the news on its Telegram channel and dark web site, which now displays a shutdown notice. SatanLock had listed 67 victims, though over 65% were already on other ransomware leak sites, suggesting shared infrastructure linked to groups like Babuk-Bjorka and GD LockerSec. SatanLock's sudden closure remains unexplained.

Brazilian police arrested João Roque, an IT employee at software company C&M, for his role in a cyberattack that stole over $100 million from the country's banking system. Hackers breached C&M, which connects banks to Brazil's instant payment platform Pix, used by over 76% of the population. Roque admitted selling his credentials to hackers who recruited him earlier this year. The attack targeted financial institutions, not individual clients, and losses from just one bank reached $100 million. Police believe at least four others were involved. The fraud occurred overnight via fake Pix transactions. Brazil's central bank suspended parts of C&M's operations. C&M stated the breach was due to social engineering, not system flaws.

Qantas has confirmed contact from a potential cybercriminal following its recent customer data breach. The airline is verifying the individual's authenticity and has involved the Australian Federal Police, but declined to share further details. The breach, contained on June 30, compromised personal data, including names, emails, phone numbers, dates of birth and frequent flyer numbers, of potentially up to 6 million customers. No credit card, financial or passport data was affected. Attackers targeted a third-party customer service platform via a call center. Qantas has not detected further threat activity and says its systems remain secure. Customers were notified by email and warned to watch for phishing attempts, as Qantas says it will never request passwords or sensitive login details.

Arbor Associates, which processes data for healthcare providers, reported a breach compromising patient data, detected on April 17th. The breach occurred between April 15th and 17th. Exposed information includes names, contact details, birth dates, biological sex, service dates, CPT and diagnosis codes, medical record numbers and insurance provider names. The number of affected individuals and attack details remain undisclosed. Arbor has set up a helpline and urges patients to review statements for errors and monitor credit reports for suspicious activity.

The XWorm remote access trojan has evolved with advanced stagers and loaders to evade detection. Widely used for keylogging, remote desktop access, data theft and command execution, XWorm now targets sectors like software supply chains and gaming. Recent campaigns paired XWorm with AsyncRAT for initial access, later deploying ransomware crafted from the leaked LockBit Black builder. XWorm's infection chain is highly dynamic, using multiple file types and scripting languages delivered via phishing emails mimicking invoices and shipping notices. It employs Base64 encoding and AES encryption, and tampers with Windows security features like AMSI and ETW to avoid detection. XWorm also spreads via removable media, uses persistence mechanisms and disables Microsoft Defender, making it a persistent threat for security teams worldwide.

Ahead of Amazon Prime Day this week, cybercriminals are ramping up phishing attacks targeting shoppers. Researchers at Check Point say over 1,000 Amazon-like domains were registered in June alone, with 87% flagged as malicious. Many use "Amazon Prime" in their names to trick users into entering login credentials on fake sites. Common tactics include spoofed websites mimicking Amazon's checkout, and phishing emails claiming refund errors to lure clicks. With these scams rising before Prime Day, extra caution can prevent identity theft, unauthorized purchases and stolen gift card balances.

Apple has filed a lawsuit against former employee Di Liu for allegedly stealing confidential data related to its Vision Pro headset and sharing it with Snap, his current employer. Liu, who worked at Apple for seven years as a senior product design engineer, reportedly transferred proprietary Vision Pro design, hardware, testing and unreleased capability files to his personal cloud storage before resigning. Apple claims Liu misled them about his departure, citing family reasons for leaving instead of joining Snap, to avoid offboarding protocols that would cut his access. Forensic analysis revealed he deleted evidence from his MacBook to hide the transfers. Apple is seeking the immediate return of its trade secrets, financial damages and access to Liu's devices and cloud accounts. Snap denied any involvement in Liu's actions.

Coming up after the break, my conversation with Rob Allen from ThreatLocker. We're discussing why default deny could be an antidote to security fatigue. And AI image editing blurs the evidence. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates key compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

Rob Allen is Chief Product Officer at ThreatLocker, and on today's sponsored Industry Voices segment, we discuss why default deny could be the antidote to security fatigue. Rob, let's start with the big picture here. Can you describe to us what we mean when we say security fatigue, and how it became such a widespread issue in cybersecurity these days?
Rob Allen
Well, security fatigue is one way of describing it. I think alert fatigue is probably more appropriate. I think the old analogy of the boy who cried wolf is very much relevant in this scenario, which is, if you have something that's popping off alerts left, right and center saying there's something happening here and there's something happening there and there's something happening over there, and you check them all out and there's nothing happening, you're going to believe it less and less over time. And unfortunately, when something is actually happening, you're probably going to be either too busy chasing other things or, as I said, just fatigued and thinking it's not actually going to be what I think it is. I mean, I had a really interesting example of this when I was dealing with a prospect who was using, let me be diplomatic and say, one of the major EDR tools that are out there. And I asked him how it was, you know, how his experience had been with it, is it good, is it bad, you know, was it easy to manage, etc. And he said, look, it's really good, but the false positives break my heart. I spent all day, every day chasing false positives. But the interesting thing was, we have a PowerShell script that we use for demonstrations, which is basically just data exfiltration via PowerShell. So it goes through the user's documents folder and uploads everything it finds to our blob. And when I showed that to him, I said, look, do you mind if I try that on your machine? He said, no, absolutely not. So we tried it on his machine, exfiltrated the data, no problem, and not a peep out of the tool that he was using. So from alerts for everything that was nothing, to not alerting on something actually bad happening, I thought that was very instructive.
Dave Bittner
Yeah, I can't help thinking that that has to take a toll on people and affect their decision making.
Rob Allen
Oh, undoubtedly, undoubtedly. As I said, it's basically soul-destroying to keep on chasing things that aren't happening, or things that aren't serious, or things that you don't need to worry about. The problem is, when there is something you do need to worry about, it is eminently possible it will fall through the cracks.
Dave Bittner
Well, I know you and your colleagues promote this notion of default deny. Can you unpack that for us? What does it mean in practical terms?
Rob Allen
In practical terms, I mean, it's incredibly simple. If you think about pretty much all cybersecurity, the approach is fundamentally to allow everything except what we know to be bad. And by we, I mean the cybersecurity tool that's in place. So allow everything to run unless it's known malware. Allow everything to happen unless it's known to be malicious. The problem with that, fundamentally, is that nobody knows everything that's bad. Nobody knows every piece of malware, nobody knows every technique, every tactic, everything that's being used. So what we do and what we espouse is to effectively turn that "allow everything except what's known to be bad" on its head and say, deny everything unless it's explicitly allowed. So it's pretty much a full 180 from that traditional approach, and it's a really, really effective way of approaching cybersecurity. And it's got so many other knock-on benefits. In terms of, we're working on a little project at the moment, our special projects team, and it's a variation on that data exfiltration that I mentioned earlier. So we became aware that one of the EDR vendors now detects data exfiltration via PowerShell as malicious. We did a little tweak to our previous script. So instead of just using PowerShell to upload a load of files, what we're doing now is we download 7-Zip, use 7-Zip to encrypt the files, delete the files, and then upload them to our location. Now, that's fundamentally ransomware. That's a ransomware attack in one PowerShell script, for all intents and purposes. Now, the problem with it is, in most environments PowerShell is pretty much allowed to do whatever the hell it wants. So it can download 7-Zip, it can run, it can copy data. The really interesting thing about this instance is, because it's only uploading one file, that EDR tool that used to work in terms of detecting data exfiltration now does not. Because it obviously has some sort of a limit built into it where it says, if it's less than, you know, X number of files, it's not data exfiltration; if it's more than X number of files, then it is. But it comes back to the idea of making decisions. So that tool is making a decision as to whether or not that behavior is malicious. And obviously, in the case of multiple files being exfiltrated, it's deciding that this is malicious. If it's only one file that's being exfiltrated, it's deciding it's not. And it shows the weakness of decisions, whether it be, you know, a human being that's making decisions, or whether it be AI that's making decisions, or whether it be, you know, whatever the case may be. Decisions are dangerous, because it only takes one wrong decision for it to be effectively game over.
Dave Bittner
Help me understand how default deny changes the way that security teams handle unknown or unexpected activity.
Rob Allen
So the likelihood is, in most cases, there won't be as much unknown or unexpected activity, because again, fundamentally, everything that shouldn't be allowed, or everything that isn't required, is going to be blocked. Now, there's a couple of sides to it. There is the what-can-run and what-can't-run side. So that's very simple. I mean, blocking everything that isn't explicitly allowed from running is going to solve the problem of unknown malware, zero days, things that have never been seen before. I mean, fundamentally, we don't need to decide. If you're blocking everything by default, you don't need to decide that something could be bad or is bad. You just block everything and work backwards from there.
Dave Bittner
What about for the users? I could imagine, in a worst case scenario, I'm picturing, you know, users frustrated that they can't do anything, everything's being blocked. So how do you balance that out?
Rob Allen
So there's a really important caveat to deny by default, or there's a really important addition to deny by default, which is permit by exception. So deny by default is what's going to keep you safe. Permit by exception is what's going to allow you to continue to do business. And in reality, the vast majority of users do the same things in the same way with the same software every single day. You know, most use Office, most use a couple of browsers. They might use a, you know, line-of-business application or two, maybe, you know, a Teams or a Zoom or whatever the case may be. And the reality is, we're not going to get in their way if they're doing those things. Because fundamentally, what we're doing and what we espouse is to put guardrails around that and say, look, if you operate within these guardrails, which 99% of users are going to do on any given day, we're not going to get in your way. We're going to allow you to do the things you need to do with the software you need to run. But if you step outside, or try to step outside, those boundaries and try and run a remote access tool or, you know, Coupert, the coupon clipper from China, absolutely, we're going to step in and block that. But again, it's not stopping users from doing their jobs. You have to allow users to do their jobs, but no more. That's the point. And that's what, as I said, deny by default, permit by exception allows.
Dave Bittner
So how do default deny policies help reduce the alert fatigue?
Rob Allen
So again, the fact of the matter is, if something can't run, it can't do anything bad. And it's not only alert fatigue that it reduces. This is a really important consideration. So shadow IT is a huge problem, and it's one that I'm acutely aware of, because I spent the best part of 20 years of my life working for an IT company, and I am very familiar with the frustrations of: I would give somebody a computer today and it would be all singing, all dancing, do everything they need, super fast, powerful, they think, this is fantastic, all my problems are solved. And then I'd get a call in six months from the same person going, hey, my computer's running slowly, can you look at it? And I'd log in and I'd find that they'd somehow installed 15 Chrome extensions and five different toolbars and somehow managed to install three different antiviruses. And then we're wondering why their computer was running slowly. So if you take users' ability to install all of those stupid Chrome extensions and toolbars and antiviruses and random other software away, it's going to make the administrator's life so much easier. But I suppose, to directly answer your question, first of all, we've got a detection tool ourselves, which is ThreatLocker Detect. But we would very often see customers of ours running ThreatLocker alongside something like an EDR, for example. And the overwhelming response from people who did that was that very quickly, when they have ThreatLocker running and secured, their EDR suddenly has very little to do, because nothing is being allowed to run that shouldn't be allowed to run, nothing's being allowed to happen that shouldn't be allowed to happen. So very quickly the EDR is kind of sitting there going, it's very quiet around here today. And that, to be perfectly honest, is one of the reasons why we created our own EDR, as I said, ThreatLocker Detect, because most customers were saying, well, why am I paying X number of dollars a month for this tool when realistically it's got nothing to do? Because ThreatLocker is blocking all of these attacks at source.
Dave Bittner
You know, your description makes me think that not all user friction is bad. You know, if you can make your user think twice before installing that sketchy browser plugin, that's not a bad thing.
Rob Allen
Absolutely not. And it's one of the things we've actually tried to do. There's a couple of things. We've introduced, we've an entire department who are basically product research. So their job, fundamentally, and I know it's a very thankless one, is to research every piece of software that's out there. So whether it be, as I said, Coupert being made in China or 7-Zip being Russian, their function is to find out as much as possible about these various pieces of software. And one of the things that happens when something gets blocked with ThreatLocker is they have the option to request approval, because again, from time to time people will need to run software they've never run before. But when we pop up the approval request, we tell them a little bit about the software. So we say, look, this is a remote access tool, it's made in the following countries. So we're giving the user information to help them decide whether or not they actually want to run it, if that makes sense. So when I try and run 7-Zip, if it pops up and says 7-Zip is, you know, compression software, it's made in Russia, it can be used to encrypt data, do you want to request this? The reality is I'm probably going to go, no, maybe I shouldn't actually request that. So, yeah, you will often find that users, I mean, first of all, they'll know that they can't run random crap pretty quickly.
Dave Bittner
Right.
Rob Allen
And they will probably not try to as often. But even when they do, as I said, if you can educate them and if you can inform them as to the dangers of a particular piece of software, maybe they'll, you know, self-restrict or choose themselves not to actually try and run the thing.
Dave Bittner
Yeah. Now, even when you have a robust default deny policy in place, detection still plays a part, right?
Rob Allen
Absolutely. We see detection as an important layer of a well-balanced security stack. The point is, though, it shouldn't be the only layer, and that is unfortunately where a lot of organizations find themselves: they have, and they may have, multiple detection tools in place. They might have a threat hunter, they might have an antivirus, they might have an EDR. But the problem with those layers is they're very similar. They're effectively looking for the same known threats, the same known bad things, and very often falling over each other when they do actually find one. But as I mentioned earlier, a well-balanced security stack should combine proactive protection, which is the controls we spoke about earlier, and also reactive detection. The idea being, and your ideal scenario is, that you're not told about a cyber attack when it is in progress and you're trying to respond to it. Ideally, you want to know about a potential cyber attack that is trying to get underway and is failing to do so because of the controls I mentioned earlier.
Dave Bittner
Well, for organizations who are interested in this, what's a good place for them to begin?
Rob Allen
Our website would be a great place to start. So, threatlocker.com. I mean, look, we see, I suppose, education as a very large part of what we do. I mean, as an example, we're currently about halfway through a webinar series we're doing, which is 100 days to secure your environment. So we're doing weekly webinars. They are, I think, I'm pretty sure they're on YouTube, but you'll certainly find them on our website. But it's not ThreatLocker specific. It's not only things that you can do using ThreatLocker. It's good best practice. You know, here's how you can make your environment unfriendly and difficult for an attacker to operate in. So, yeah, as I said, education is a very large part of what we do. Sort of explaining to people that there is a different way to what you have been doing up to now. I mean, it's a sad reality that very often, when organizations do turn to solutions like ours, it's because they have had an event or a breach, or have been hit in some way, shape or form. It's something that's frustrating from my perspective, because I'd be much happier if every customer came to us before they got hit rather than after they got hit. But as I said, it does sometimes take an event or something serious for people to realize that there are other ways to approach the problem that they've been trying to solve with these detection tools for so many years. But as I said, the website's a great place to start. YouTube. I mean, we're on all the socials, but the YouTube stuff, the webinars we do, I mean, they're always educational and sometimes entertaining as well. So that's a really good place to start.
Dave Bittner
That's Rob Allen, Chief Product Officer at ThreatLocker.

And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Dave Bittner
This episode is brought to you by Polestar. There's only one true way to experience the all-electric luxury SUV Polestar 3, and that's to take a test drive. It can go from 0 to 60 in as little as 4.8 seconds with the dynamic handling of a sports car. But to truly understand how it commands the road, you need to be behind the wheel. Up to 350 miles of range. The 3D surround sound system by Bowers and Wilkins. It's all something you have to experience to believe. So book your test drive for Polestar 3 today at Polestar.com.
Dave Bittner
And finally, in Maine, the Westbrook Police Department tried to jazz up its drug bust photo by adding its badge using ChatGPT. Unfortunately, the officers didn't realize AI image editing works like an over-enthusiastic intern: it changed the entire photo. Facebook followers quickly noticed the garbled text and eerie gloss, prompting the department to delete the image and issue an apology. Their statement blamed a Photoshop app, but local station WGME revealed it was actually ChatGPT's image generator, which treated the uploaded photo as a prompt to create a brand new masterpiece. The AI even removed some drugs from the evidence photo. Locals wondered how no one spotted the glaring differences. So, lesson learned. Next time, just set a badge on the table.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There is a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Crogl is AI built for the enterprise SOC, fully private, schema-free and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
CyberWire Daily – Episode: "SafePay, Unsafe Day"
Release Date: July 7, 2025
Host: Dave Bittner
Guest: Rob Allen, Chief Product Officer at ThreatLocker
Produced by N2K Networks
In the July 7, 2025, episode of CyberWire Daily titled "SafePay, Unsafe Day," host Dave Bittner delivers a comprehensive briefing on the latest cybersecurity incidents, remediation efforts, and emerging threats. The episode also features an insightful interview with Rob Allen from ThreatLocker, focusing on mitigating security fatigue through the implementation of default deny policies.
Last Thursday, Ingram Micro, a major global IT distributor, fell victim to a ransomware attack orchestrated by the SafePay gang. The attack has led to an ongoing outage of Ingram Micro's website and ordering systems. Employees discovered ransom notes on their devices, although it remains unclear whether any files were encrypted.
Notable Quote:
“Initially, Ingram Micro did not disclose the attack, citing only IT issues.”
(Dave Bittner, 00:14)
Spanish authorities executed coordinated raids across Barcelona, Madrid, Mallorca, and Alicante, dismantling a significant investment fraud ring responsible for over $11.8 million in damages. A total of 21 suspects were arrested, and authorities seized seven luxury cars and more than $1.5 million in cryptocurrency.
Notable Quote:
“Victims saw fake profits and could make small withdrawals initially before losing larger sums to blocked withdrawals and fake processing fees.”
(Dave Bittner, 02:30)
The SatanLock ransomware group announced its shutdown, planning to leak all stolen victim data on the day of the announcement. Active since April 2025, SatanLock had 67 listed victims, with over 65% already featured on other ransomware leak sites, indicating shared infrastructure with groups like Babuk-Bjorka and GD LockerSec. The sudden closure remains unexplained.
Notable Quote:
“SatanLock's sudden closure remains unexplained.”
(Dave Bittner, 05:20)
Brazilian authorities arrested João Roque, an IT employee at software firm C&M, for his role in a cyberattack that stole over $100 million from the nation's banking system. The attack exploited C&M's connection to Brazil’s instant payment platform Pix, used by over 76% of the population.
Notable Quote:
“The fraud occurred overnight via fake Pix transactions.”
(Dave Bittner, 06:45)
Qantas confirmed receiving contact from a potential cybercriminal following a recent customer data breach that occurred on June 30. The breach compromised personal information of up to 6 million customers, including names, emails, phone numbers, dates of birth, and frequent flyer numbers. No financial data was affected.
Notable Quote:
“Customers were notified by email and warned to watch for phishing attempts.”
(Dave Bittner, 08:10)
Arbor Associates, a company processing data for healthcare providers, reported a breach detected on April 17, compromising patient data such as names, contact details, birth dates, service dates, CPT and diagnosis codes, medical record numbers, and insurance provider names. The number of affected individuals and specific attack details remain undisclosed.
Notable Quote:
“Arbor has set up a helpline and urges patients to review statements for errors and monitor credit reports for suspicious activity.”
(Dave Bittner, 09:50)
The XWorm RAT has advanced with sophisticated stagers and loaders to evade detection, now targeting software supply chains and the gaming sector. Recent campaigns involve pairing XWorm with AsyncRAT for initial access and deploying ransomware crafted from the leaked LockBit Black builder.
Notable Quote:
“XWorm's infection chain is highly dynamic, using multiple file types and scripting languages delivered via phishing emails.”
(Dave Bittner, 11:30)
With Amazon Prime Day approaching, cybercriminals are intensifying phishing attacks targeting shoppers. Check Point Security researchers report that over 1,000 Amazon-like domains were registered in June alone, with 87% flagged as malicious.
Tactics Employed:
Preventive Measures: Increased vigilance and skepticism towards unsolicited emails and unfamiliar websites can prevent identity theft, unauthorized purchases, and stolen gift card balances.
Notable Quote:
“Many use Amazon Prime in their names to trick users into entering login credentials on fake sites.”
(Dave Buettner, 12:45)
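The Check Point finding above (brand-bearing domains registered in bulk before a shopping event) is the kind of signal a defender can triage automatically from a newly-registered-domain feed. The following is an added example, not code from the episode or from Check Point: a small scorer that normalizes common homoglyphs and typosquats, checks for brand tokens and credential-lure keywords, and skips a small allowlist of legitimate registrable domains. The sample domain list and the allowlist are constructed for the example, and the public-suffix handling is deliberately crude.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of "newly registered" domains, as a registrar feed might list them.
# These are made-up illustrations, not domains reported in the episode.
SAMPLE_DOMAINS = [
    "amazon.com",
    "primeday-amazon-deals.com",
    "amaz0n-prime-login.net",
    "amazon.co.uk",
    "prime-video-support.org",
    "example.org",
    "arnazon.com",
]

# Assumed allowlist of legitimate registrable domains (an assumption for this example).
LEGIT = {"amazon.com", "amazon.co.uk", "amazon.de", "primevideo.com"}

BRAND_TOKENS = ("amazon", "prime")
# Digit-for-letter substitutions commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Keywords that usually signal a credential-harvesting or "deal" lure.
LURE_WORDS = re.compile(r"login|signin|verify|account|support|deals")


def registrable(domain: str) -> str:
    """Return the registrable part (crude: last two labels, plus a few known multi-part suffixes)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in {"co.uk", "com.br", "com.au"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold homoglyphs and the classic rn->m / vv->w tricks, then keep letters only."""
    s = label.lower().translate(HOMOGLYPHS)
    s = s.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", s)


def score_domain(domain: str) -> dict:
    reg = registrable(domain)
    if reg in LEGIT:
        return {"domain": domain, "verdict": "allowlisted", "reasons": []}
    reasons = []
    sld = reg.split(".")[0]  # second-level label, e.g. "amaz0n-prime-login"
    norm = normalize(sld)
    for tok in BRAND_TOKENS:
        if tok in norm:
            reasons.append(f"contains brand token '{tok}'")
    # Near-miss typosquats that survive normalization (e.g. one letter off from "amazon").
    for part in re.split(r"[-_]", sld):
        ratio = SequenceMatcher(None, normalize(part), "amazon").ratio()
        if 0.8 <= ratio < 1.0:
            reasons.append(f"label '{part}' resembles 'amazon' ({ratio:.2f})")
    if LURE_WORDS.search(sld):
        reasons.append("credential/lure keyword in label")
    verdict = "suspicious" if reasons else "benign"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


def triage(domains):
    """Score a batch of domains; suspicious entries are candidates for blocking or monitoring."""
    return [score_domain(d) for d in domains]


if __name__ == "__main__":
    for row in triage(SAMPLE_DOMAINS):
        print(f"{row['verdict']:12} {row['domain']:28} {'; '.join(row['reasons'])}")
```

In practice the allowlist would come from the brand's published domain list and the feed from certificate transparency logs or a registrar's zone deltas; the scorer is only a first pass to cut a thousand registrations down to the handful worth a human look.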
Apple has filed a lawsuit against former senior product design engineer Dee Liu, accusing him of stealing confidential data related to its Vision Pro headset and sharing it with Snap, his current employer. Liu, who worked at Apple for seven years, allegedly transferred proprietary Vision Pro files covering design, hardware, testing, and unreleased capabilities to his personal cloud storage before resigning.
Allegations:
Apple's Claims:
Notable Quote:
“Apple is seeking the immediate return of its trade secrets, financial damages and access to Liu's devices and cloud accounts.”
(Dave Buettner, 14:20)
The episode features an in-depth conversation with Rob Allen, Chief Product Officer at ThreatLocker, exploring the concept of security fatigue and how default deny policies can serve as an effective countermeasure.
Security fatigue, often referred to as alert fatigue, describes the desensitization that security teams experience due to the overwhelming number of security alerts. This can lead to genuine threats being overlooked or ignored.
Key Insights:
“If you have something that's popping off alerts left, right and center... when something is actually happening, you're probably going to either be too busy chasing other things or think it's not actually going to be what I think it is.”
(Dave Buettner, 13:58)
Instead of the traditional approach of "allowing everything unless known bad," ThreatLocker advocates for a "deny by default" strategy. This means all activities are blocked unless explicitly permitted, significantly reducing the number of false positives and unknown threats that security teams need to manage.
Notable Quote:
“Allow everything except what's not to be bad... deny everything unless it's explicitly allowed.”
(Dave Buettner, 16:33)
Implementing default deny involves establishing strict guardrails and permit-by-exception policies. Most users utilize standard applications daily, which can be whitelisted to avoid hindrance. ThreatLocker provides mechanisms for users to request exceptions with pertinent information about the software, promoting informed decision-making and reducing risky behavior.
Key Points:
“Permit by exception is what's going to allow you to continue to do business... if you operate within these guardrails, which 99% of users are going to do, we're not going to get in your way.”
(Dave Buettner, 20:21)
By enforcing default deny, the number of security alerts decreases dramatically as unauthorized actions are blocked at the source. This reduction in noise allows security teams to focus on genuine threats, enhancing operational efficiency and effectiveness.
Notable Quote:
“We've got ThreatLocker running and secured, their EDR suddenly has very little to do because nothing is being allowed to run that shouldn't be allowed to run.”
(Dave Buettner, 21:46)
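The three points above (deny by default, permit by exception with context from the user, and the resulting drop in alert volume) can be made concrete with a small simulation. This is an added example and not ThreatLocker's code or policy format: it pits an "allow unless known bad" model against a "deny unless explicitly allowed" model over a constructed stream of execution events, with placeholder hashes in place of real file hashes. The alert model is a deliberate simplification: the detection-only stack is assumed to raise an alert on every run of an unknown binary, while the default-deny control raises one alert per (user, binary) pair it blocks and then stays quiet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    path: str
    sha256: str  # placeholder hashes, constructed for the example


# Hash-pinned allowlist of the standard apps most users run daily (placeholders, not real hashes).
ALLOWLIST = {"sha256:PLACEHOLDER-word", "sha256:PLACEHOLDER-browser"}
# Signature list used by the "allow unless known bad" model (placeholder, not a real hash).
KNOWN_BAD = {"sha256:PLACEHOLDER-known-malware"}


class DenyByDefault:
    """Block everything not explicitly permitted; exceptions are granted per user after review."""

    def __init__(self):
        self.exceptions: dict[tuple[str, str], str] = {}  # (user, hash) -> justification
        self.pending: dict[tuple[str, str], dict] = {}    # exception requests awaiting review
        self.seen_blocked: set[tuple[str, str]] = set()
        self.alerts: list[str] = []

    def request_exception(self, ev: Event, publisher: str, justification: str) -> None:
        # The user supplies the context a reviewer needs, as the episode describes.
        self.pending[(ev.user, ev.sha256)] = {"path": ev.path, "publisher": publisher, "why": justification}

    def approve(self, user: str, sha256: str) -> None:
        info = self.pending.pop((user, sha256))
        self.exceptions[(user, sha256)] = info["why"]

    def evaluate(self, ev: Event) -> bool:
        key = (ev.user, ev.sha256)
        if ev.sha256 in ALLOWLIST or key in self.exceptions:
            return True
        # Blocked at the source; the first block of a (user, binary) pair is the only alert.
        if key not in self.seen_blocked:
            self.seen_blocked.add(key)
            self.alerts.append(f"BLOCKED {ev.user} {ev.path}")
        return False


class AllowUnlessKnownBad:
    """Run anything not on the signature list; detection has to judge every unknown run."""

    def __init__(self):
        self.alerts: list[str] = []

    def evaluate(self, ev: Event) -> bool:
        if ev.sha256 in KNOWN_BAD:
            self.alerts.append(f"SIGNATURE {ev.user} {ev.path}")
            return False
        if ev.sha256 not in ALLOWLIST:
            # Simplifying assumption: the detection layer alerts on each execution of an unknown binary.
            self.alerts.append(f"SUSPICIOUS {ev.user} {ev.path}")
        return True


def sample_events() -> list[Event]:
    """Constructed event stream: mostly routine apps, one unapproved tool, one dropper, one known sample."""
    events = []
    for i in range(40):
        events.append(Event(f"user{i % 5}", r"C:\Program Files\Office\winword.exe", "sha256:PLACEHOLDER-word"))
        events.append(Event(f"user{i % 5}", r"C:\Program Files\Browser\browser.exe", "sha256:PLACEHOLDER-browser"))
    # One engineer runs a legitimate but unapproved diagnostics tool ten times.
    events += [Event("user1", r"C:\Tools\diag.exe", "sha256:PLACEHOLDER-diag")] * 10
    # An unknown phishing-delivered dropper runs three times on one host.
    events += [Event("user3", r"C:\Users\user3\Downloads\invoice.exe", "sha256:PLACEHOLDER-dropper")] * 3
    # One sample that the signature list already knows.
    events.append(Event("user4", r"C:\Temp\m.exe", "sha256:PLACEHOLDER-known-malware"))
    return events


def compare(events) -> dict[str, int]:
    """Alert counts each model produces over the same event stream."""
    legacy, dd = AllowUnlessKnownBad(), DenyByDefault()
    for ev in events:
        legacy.evaluate(ev)
        dd.evaluate(ev)
    return {"allow_unless_known_bad": len(legacy.alerts), "deny_by_default": len(dd.alerts)}


def exception_flow() -> tuple[bool, bool, int]:
    """Permit by exception: blocked once, requested with context, approved, then allowed silently."""
    dd = DenyByDefault()
    ev = Event("user1", r"C:\Tools\diag.exe", "sha256:PLACEHOLDER-diag")
    before = dd.evaluate(ev)  # False: blocked, one alert raised
    dd.request_exception(ev, publisher="Example Vendor (constructed)", justification="hardware diagnostics")
    dd.approve("user1", ev.sha256)
    after = dd.evaluate(ev)   # True: permitted, no further alert
    return before, after, len(dd.alerts)


if __name__ == "__main__":
    print(compare(sample_events()))
    print(exception_flow())
```

The unknown dropper is the case that matters: under the detection-only model it runs and leaves the EDR to notice it afterwards, while under default deny it never executes and the single block alert is the actionable record. The engineer's tool shows the cost side, one block followed by an exception request and approval before it runs normally.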
While default deny serves as a strong preventive measure, detection tools remain essential for an additional layer of security. A balanced security stack integrates proactive protection with reactive detection to identify and respond to potential threats effectively.
Notable Quote:
“A well balanced security stack should combine proactive protection... and also reactive detection... Ideally, you want to know about a potential cyber attack that is trying to get underway and is failing to do so because of the controls.”
(Dave Buettner, 26:57)
ThreatLocker emphasizes the importance of education in their strategy. They offer webinars and resources to guide organizations in securing their environments and fostering a proactive security culture.
Notable Quote:
“We see education as a very large part of what we do... here's how you can make your environment unfriendly and difficult for an attacker to operate in.”
(Dave Buettner, 27:03)
In Maine, the Westbrook Police Department attempted to enhance a drug bust photo by adding its badge using ChatGPT’s image generator. The AI altered the photo incorrectly, removing some drugs from the evidence image and adding garbled text and an eerie gloss. This mishap led to public confusion and prompted the department to delete the altered image and issue an apology, initially blaming a Photoshop app, though local station WGME revealed it was ChatGPT’s image generator.
Lesson Learned:
Caution is necessary when employing AI tools for sensitive operations to avoid unintended alterations and misinformation.
Notable Quote:
“The AI even removed some drugs from the evidence photo.”
(Dave Buettner, 29:28)
The "SafePay, Unsafe Day" episode of CyberWire Daily underscores the critical importance of proactive cybersecurity measures and the evolving landscape of cyber threats. Through the discussion with Rob Allen, listeners gain valuable insights into combating security fatigue and enhancing their security posture with default deny policies. The episode also highlights significant cyber incidents and legal actions, emphasizing the need for robust security frameworks in today’s digital environment.
Listeners are encouraged to engage with CyberWire Daily through their website and participate in the annual audience survey to provide valuable feedback for future episodes.
Produced by:
Alice Carruth – Senior Producer
Liz Stokes – CyberWire Producer
Elliott Peltzman & Trey Hester – Mixers
Jennifer Ibin – Executive Producer
Peter Kilby – Publisher
Dave Buettner – Host
Sponsors:
For more details on today's stories, visit thecyberwire.com.