CyberWire Daily - SafePay, unsafe day.
Episode Date: July 7, 2025
Ingram Micro suffers a ransomware attack by the SafePay gang. Spanish police dismantle a large-scale investment fraud ring. The SatanLock ransomware group says it is shutting down. Brazilian police arrest a man accused of stealing over $100 million from the country's banking system. Qantas confirms contact from a "potential cybercriminal" following its recent customer data breach. The XWorm RAT evolves to better evade detection. Cybercriminals ramp up fraudulent domains ahead of Amazon Prime Day. Apple sues a former engineer allegedly stealing confidential data. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing why 'Default Deny' could be the antidote to security fatigue. AI image editing blurs the evidence.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Industry Voices segment, we are joined by Rob Allen, Chief Product Officer at ThreatLocker, discussing From Noise to Control: Why 'Default Deny' Is the Antidote to Security Fatigue. If you want to hear more from Rob or ThreatLocker, you can listen to them here.
Selected Reading
Ingram Micro outage caused by SafePay ransomware attack (Bleeping Computer)
Police dismantles investment fraud ring stealing €10 million (Bleeping Computer)
SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked (Hackread)
Police in Brazil Arrest a Suspect Over $100M Banking Hack (SecurityWeek)
Qantas Contacted by Potential Cybercriminal Following Data Breach (Infosecurity Magazine)
Arbor Associates reports data breach exposing patient information (Beyond Machines)
XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses (GB Hackers)
Amazon Prime Day 2025: Deals Await, But So Do the Cyber Criminals (Check Point)
Apple Accuses Ex-Engineer Of Stealing Vision Pro Secrets, Silently Accepting Job At Snap Inc., And Covering His Tracks By Wiping Data From Work Laptop (WCCF TECH)
Cops Use ChatGPT to Edit Drugs Bust Photo, Goes Horribly Wrong (PetaPixel)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, CloudRange.
At CloudRange, they believe cybersecurity readiness starts with people, not just technology.
That's why their proactive simulation-based training helps security teams build confidence
and skill from day one.
By turning potential into performance, they empower SOC and incident response teams to
respond quickly, smartly, and in sync with evolving threats.
Learn how CloudRange is helping organizations stay ahead of cyber risks at www.cloudrange.com.
Ingram Micro suffers a ransomware attack by the SafePay gang.
Spanish police dismantle a large-scale investment fraud ring.
The SatanLock ransomware group says it's shutting down.
Brazilian police arrest a man accused of stealing over $100 million from the country's banking
system.
Qantas confirms contact from a potential cyber criminal following its recent customer data
breach.
The XWorm RAT evolves to better evade detection.
Cybercriminals ramp up fraudulent domains ahead of Amazon Prime Day.
Apple sues a former engineer allegedly stealing confidential data.
Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing why default deny
could be the antidote to security fatigue. And AI image editing blurs the evidence.
It's Monday, July 7, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Ingram Micro, a major global IT distributor, suffered a ransomware attack by the SafePay
gang last Thursday, leading to an ongoing outage of its website and ordering systems.
Employees discovered ransom notes on their devices, although it's unclear if files were
encrypted.
Sources say attackers likely breached the company via its GlobalProtect VPN platform.
Impacted services include its AI-powered Xvantage distribution platform and Impulse
license provisioning, while Microsoft 365, Teams, and SharePoint remain operational.
Initially, Ingram Micro did not disclose the attack, citing only IT issues.
SafePay, active since November 2024, with over 220 victims, uses VPN breaches and password
spraying to infiltrate targets.
On Sunday, Ingram Micro confirmed the ransomware incident, stating it's working with cybersecurity
experts to investigate and restore systems.
Spanish police have dismantled a large-scale investment fraud ring that caused over $11.8
million in damages. In coordinated raids across Barcelona, Madrid, Mallorca, and Alicante,
21 suspects were arrested and officers seized seven luxury cars and more
than $1.5 million in cash and crypto.
The group began operations in 2022, targeting victims nationwide with fake investments in
crypto, tech stocks, and gold via manipulated websites and call centers posing as professional
advisors.
Victims saw fake profits and could make small withdrawals initially before losing larger
sums to blocked withdrawals and fake processing fees.
The call centers had panic buttons to erase data during raids.
This operation follows recent major fraud takedowns in Spain, including a $540 million crypto scam dismantled
last week.
The SatanLock ransomware group announced it's shutting down and plans to leak all stolen
victim data today.
The group, active since April 2025, posted the news on its Telegram channel and dark
website which now displays a shutdown
notice.
SatanLock had listed 67 victims, though over 65% were already on other ransomware leak
sites suggesting shared infrastructure.
Linked to groups like Babuk-Bjorka and GD LockerSec, SatanLock's sudden closure remains
unexplained.
Brazilian police arrested João Roque, an IT employee at software company C&M, for his
role in a cyber attack that stole over $100 million from the country's banking system.
Hackers breached C&M, which connects banks to Brazil's instant payment platform, Pix,
used by over 76% of the population.
Roque admitted selling his credentials to hackers who recruited him earlier this year.
The attack targeted financial institutions, not individual clients, and losses from just
one bank reached $100 million.
Police believe at least four others were involved.
The fraud occurred overnight via fake Pix transactions.
Brazil's central bank suspended parts of C&M's operations.
C&M stated the breach was due to social engineering, not system flaws.
Qantas has confirmed contact from a potential cybercriminal following its recent customer
data breach.
The airline is verifying the individual's authenticity and has involved the Australian
Federal Police but declined to share further details.
The breach, contained on June 30, compromised personal data, including names, emails, phone
numbers, dates of birth, and frequent flyer numbers of potentially up to six million customers.
No credit card, financial, or passport data was affected.
Attackers targeted a third-party customer service platform via a call center.
Qantas has not detected further threat activity
and says its systems remain secure.
Customers were notified by email
and warned to watch for phishing attempts.
As Qantas says, they'll never request passwords
or sensitive login details.
Arbor Associates, which processes data
for healthcare providers,
reported a breach compromising
patient data.
Detected on April 17, the breach occurred between April 15 and 17.
Exposed information includes names, contact details, birth dates, biological sex, service
dates, CPT and diagnosis codes, medical record numbers, and insurance provider names.
The number of affected individuals and attack details remain undisclosed.
Arbor has set up a helpline and urges patients to review statements for errors
and monitor credit reports for suspicious activity.
The XWorm Remote Access Trojan has evolved with advanced stagers and loaders to evade
detection.
Widely used for key logging, remote desktop access, data theft, and command execution,
XWorm now targets sectors like software supply chains and gaming.
Recent campaigns paired XWorm with AsyncRAT for initial access, later
deploying ransomware crafted from the leaked LockBit Black builder. XWorm's
infection chain is highly dynamic, using multiple file types and scripting
languages delivered via phishing emails mimicking invoices and shipping notices.
It employs Base64 encoding, AES encryption, and tampers with Windows security
features like AMSI and ETW to avoid detection. XWorm also spreads via removable media, uses
persistence mechanisms, and disables Microsoft Defender, making it a persistent threat for
security teams worldwide.
Ahead of Amazon Prime Day this week, cybercriminals are ramping up phishing attacks targeting
shoppers.
Researchers at Check Point say over 1,000 Amazon-like domains were registered
in June alone, with 87% flagged as malicious.
Many use Amazon Prime in their names to trick users into entering login credentials on fake sites.
Common tactics include spoofed websites mimicking Amazon's checkout
and phishing emails claiming refund errors to lure clicks.
With these scams rising before Prime Day,
extra caution can prevent identity theft, unauthorized purchases,
and stolen gift card balances.
Apple has filed a lawsuit against former employee Di Liu for allegedly stealing confidential
data related to its Vision Pro headset and sharing it with Snap, his current employer. Liu, who worked at Apple for seven years as a senior product
design engineer, reportedly transferred proprietary Vision
Pro design, hardware testing, and unreleased capability files
to his personal cloud storage before resigning.
Apple claims Liu misled them about his departure,
citing family reasons for leaving instead
of joining Snap to avoid off-boarding protocols that would cut his access.
Forensic analysis revealed he deleted evidence from his MacBook to hide the transfers.
Apple is seeking the immediate return of its trade secrets, financial damages, and access
to Liu's devices and cloud accounts.
Snap denied any involvement in Liu's actions.
Coming up after the break, my conversation with Rob Allen from ThreatLocker.
We're discussing why default deny could be an antidote to security
fatigue and AI image editing blurs the evidence.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots,
and all those manual
processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving
revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform automates those key areas,
compliance, internal and third party risk,
and even customer trust,
so you're not buried under spreadsheets
and endless manual tasks.
Vanta really streamlines the way you gather
and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance
teams using Vanta are 129% more productive. It's a pretty impressive number.
So what does it mean for you? It means you get back more time and energy to focus on
what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's vanta.com slash cyber.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every
machine identity, certificates, secrets and workloads across all environments, all clouds
and all AI agents.
Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises
secure their machine future.
Visit cyberark.com slash machines to see how.
Rob Allen is Chief Product Officer at ThreatLocker, and on today's sponsored industry voices
segment, we discuss why default deny could be the antidote to security fatigue.
Rob, let's start with the big picture here. Can you describe to us what we mean when we say
security fatigue and how it became such a widespread issue
in cybersecurity these days?
Well, security fatigue is one way of describing it.
I think alert fatigue is probably more appropriate.
And I think the old analogy of the boy who cried wolf is very much relevant
in this scenario, which is if you have something that's popping off alerts,
left, right, and center saying there's something happening here and there's
something happening there and there's something happening over there and you
check them all out and there's nothing happening, you're going to believe it less
and less over time.
And unfortunately, when something is actually happening, you're probably going to be either
too busy chasing other things, or as I said, just fatigued and thinking it's not actually
going to be what I think it is.
I mean, we have a, or I had a really interesting example of
this when I was dealing with a prospect who was using, let me be diplomatic and
say one of the major EDR tools that are out there. And I asked him how it was,
you know, how was his experience been with it? Is it good? Is it bad? You know,
was it easy to manage, et cetera? And he said, look, it's really good,
but the false positives break my heart.
I spend all day, every day chasing false positives.
But the interesting thing was we have a PowerShell script
that we use for demonstrations,
which is basically just data exfiltration via PowerShell.
So it goes through the user's documents folder
and uploads everything it finds to our blob. And when I showed that to him, I said, look, do you mind if I try that on my machine?
I said, no, absolutely not. So we tried it in his machine, exfiltrated the data, no problem,
and not a peep out of the tool that he was using. So from alerts for everything that was nothing,
to not alerting on something actually bad happening. I thought that was very instructive.
Yeah, I can't help thinking that that has to take a toll on people and affect their
decision making.
Oh, undoubtedly, undoubtedly. As I said, it's basically soul destroying to keep on chasing things that
aren't happening or things that aren't serious or things that you, you don't need
to worry about.
The problem is when there is something you do need to worry about, it is eminently
possible it will fall through the cracks.
Well, I know you and your colleagues promote this notion of default deny.
Can you unpack that for us?
What does it mean in practical terms?
In practical terms, I mean, it's incredibly simple.
If you think about pretty much all cybersecurity, the approach is fundamentally to allow everything
except what we know to be bad.
And by we, I mean the
cyber security tool that's in place.
So allow everything to run unless it's known malware, allow everything to happen unless
it's known to be malicious.
The problem with that fundamentally is that nobody knows everything that's bad.
Nobody knows every piece of malware, nobody knows every technique, every tactic, every everything that's being used.
So what we do and what we espouse is to effectively turn that,
allow everything except what's known to be bad in its head and say,
deny everything unless it's explicitly allowed.
So it's pretty much a full 180 from that traditional approach.
And it's a really, really effective way of approaching cybersecurity.
And it's got so many other knock-on benefits, you know, in terms of, like, we're working
on a little project at the moment, our special projects team.
And it's a variation on that data exfiltration that I mentioned earlier.
So we became aware that one of the EDR vendors now detects data exfiltration via PowerShell
as malicious.
So we did a little tweak to our previous script.
So instead of just using PowerShell to upload a load of files, what we're doing now is we
download 7zip, use 7zip to encrypt the files,
delete the files, and then upload them to our location.
Now, that's fundamentally ransomware.
That's ransomware attack in one PowerShell script
for all intents and purposes.
Now, the problem with it is in most environments,
PowerShell is pretty much allowed
to do whatever the hell it wants.
So it can download 7zip.
It can run it.
It can copy data.
The really interesting thing about this instance is because it's only uploading one file, that
EDR tool that used to work in terms of detecting data exfiltration now does not.
Because it obviously has some sort of a limit built into it where it says if it's less than
X number of files, it's not data exfiltration.
If it's more than X number of files, then it is.
But it comes back to the idea of making decisions. So that tool is making a decision as to whether or not that
behavior is malicious. And obviously in the case of multiple files being exfiltrated, it's deciding
that this is malicious. If it's only one file that's being exfiltrated, it's deciding it's not. And it shows the weakness of decisions, whether it be a human being that's making decisions
or whether it be AI that's making decisions or whether it be whatever the case might be.
Decisions are dangerous because it only takes one wrong decision for it to be effectively
game over.
Help me understand how default deny changes the way
that security teams handle unknown or unexpected
activity.
So the likelihood is, in most cases,
there won't be as much unknown or unexpected activity.
Because again, fundamentally, everything
that shouldn't be allowed or everything that isn't required
is going to be blocked.
Now, there's a couple of sides to it. There is the what can run and what can't run side. So that's very
simple. I mean blocking everything that isn't explicitly allowed from running is going to
solve the problem of unknown malware, zero days, things that have never been seen before. I mean
fundamentally we don't need to decide if you're blocking everything by default you don't need to
decide that something could be bad or is bad. You just block everything and work backwards from there.
What about for the users?
I could imagine in a worst case scenario, I'm picturing users frustrated that they can't
do anything, everything's being blocked.
So how do you balance that out?
So there's a really important caveat to deny by default, or really an important addition to deny by default, which is permit by exception.
So deny by default is what's going to keep you safe. Permit by exception is what's going to allow you to continue to do business.
And in reality, the vast majority of users do the same things in the same way with the same software every single
day.
You know, most use Office, most use a couple of browsers, they might use a line of business
application or two, maybe a Teams or a Zoom or whatever the case may be.
And the reality is, we're not going to get in their way if they're doing those things
because fundamentally what we're doing and what we espouse is to put guardrails around that and say look if you operate within
these guardrails which 99% of users are going to do on any given day, we're not going to
get in your way. We're going to allow you to do the things you need to do with the software
you need to run but if you step outside or try to step outside those boundaries and try
and run a remote access tool or, you know, Coupert, the coupon clipper from China, absolutely, we're going to step in and block that. But again,
it's not stopping users from doing the jobs. You have to allow users to do their jobs.
The point is, but no more. And that's what, as I said, deny by default, permit by exception allows.
So how do default deny policies help reduce the alert fatigue?
So, again, the fact of the matter is if something can't run, it can't do anything bad.
It's not only alert fatigue that I've reduced.
This is a really important consideration.
So shadow IT is a huge problem.
It's one that I'm acutely aware of because I spent the best part of 20 years of my life
working for an IT company.
And I am very familiar with the frustrations of,
I would give somebody a computer today
and it will be all singing, all dancing,
do everything they need, super fast, powerful.
They think this is fantastic.
All my problems are solved.
And then I'd get a call in six months from the same person
going, hey, my computer's running slowly,
can you look at it?
And I'd log in and I'd find that they'd somehow
installed 15 Chrome extensions and five different toolbars
and somehow managed to install three different antiviruses.
And then we're wondering why their computer
was running slowly.
So if you take users' ability to install
all of those stupid Chrome extensions and toolbars
and antiviruses and random other software away,
it's going to make the administrator's life so much easier.
But I suppose to directly answer your question,
we have, first of all, we've got a detection tool ourselves,
which is ThreatLocker Detect,
but we would very often see customers of ours
running ThreatLocker alongside
something like an EDR for example and
the overwhelming response from people who did that was that very quickly, when
they have ThreatLocker running and secured, their EDR suddenly has very
little to do, because nothing is being allowed to run that shouldn't be allowed
to run, nothing's being allowed to happen that shouldn't be allowed to happen. So
very quickly the EDR is kind of sitting there going, it's very quiet around here today.
And that, to be perfectly honest, is one of the reasons why we created our own EDR, as
I said, ThreatLocker Detect, because most customers were saying, well, why am I paying
X number of dollars a month for this tool?
When realistically it's got nothing to do because ThreatLocker is blocking all of these
attacks at source.
You know, your description makes me think that not all user friction is bad.
You know, if you can make your user think twice before installing that sketchy browser
plugin, that's not a bad thing.
Absolutely not.
And it's one of the things we've actually tried to do.
There's a couple of things.
We've introduced an entire department
who are basically product research.
So their job, fundamentally,
and I know it's a very thankless one,
is to research every piece of software that's out there.
So whether it be, as I said,
Coupert being made in China or 7-Zip being Russian,
and their function is to find out as much as possible about these various pieces of software.
One of the things that happen when something gets blocked with ThreatLocker is they have
the option to request approval because, again, from time to time, people will need to run
software they've never run before.
But when we pop up the approval request, we tell them a little bit about the software.
So we say, look, this is a remote access tool.
It's made in the following countries.
So we're giving the user information
to help them decide whether or not
they actually want to run it, if that makes sense.
So when I try and run 7-Zip,
if it pops up and says 7-Zip is compression software,
it's made in Russia, it can be used to encrypt data,
do you want to request this?
The reality is I'm probably going to go, no, maybe I shouldn't actually request that.
So yeah, you will often find that users, I mean, first of all, they'll know that they can't run random crap pretty quickly.
And they will probably not try to as often, but even when they do, as I said, if you can
educate them and if you can inform them as to the dangers of a particular piece of software,
maybe they'll self-restrict or choose themselves not to actually try and run the thing.
Yeah.
Now, even when you have a robust default deny policy in place, detection still plays a part,
right?
Absolutely.
We see detection as an important layer of a well-balanced security stack.
The point is, though, it shouldn't be the only layer.
And that is, unfortunately, where a lot of organizations find themselves, is that they
have and they may have multiple detection tools in place.
They might have a threat hunter, they might have an antivirus, they might have an EDR.
But the problem with those layers is they're very similar.
They're effectively looking for the same known threats, the same known bad things and very
often falling over each other when they do actually find one. But as I mentioned earlier, a well-balanced security stack should combine proactive protection,
which is the controls we spoke about earlier, and also reactive detection.
And the idea being that, and your ideal scenario is that you're not told about a cyber attack
when it is in progress and you're trying to respond to it.
Ideally, you want to know about a potential cyber attack that is trying to get underway
and is failing to do so because of the controls I mentioned earlier.
Well, for organizations who are interested in this, what's a good place for them to begin?
Our website would be a great place to start.
So threatlocker.com.
I mean, look, we see, I suppose, education as a very large part of what we do.
I mean, as an example, we're currently about halfway through a webinar series we're doing,
which is 100 days to secure your environment.
So we're doing weekly webinars.
They are, I think, I'm pretty sure they're on YouTube,
but you certainly find them on our website.
But it's not ThreatLocker specific.
It's not only things that you can do using ThreatLocker.
It's good best practice.
Here's how you can make your environment unfriendly
and difficult for an attacker to operate in.
So yeah, as I said,
education is a very large part of what we do.
So explaining to people that there is a different way to what you have been doing up to now.
I mean, it's a sad reality that very often when organizations do turn to solutions like ours,
it's because they have had an event or a breach or have been hit in some way, shape or form.
It's something that's frustrating from my perspective,
because I'd be much happier if every customer came to us before they got hit,
rather than after they got hit.
But as I said, it does sometimes take an event or something serious for people to realize that there are other ways to approach the
problem that they've been trying to solve with these detection tools for so many years.
But as I said, the website's a great place to start. YouTube, I mean, we're on all the socials, but the YouTube stuff, the webinars we do,
they're always educational and sometimes entertaining as well.
So that's a really good place to start.
That's Rob Allen, Chief Product Officer at ThreatLocker.
Our sponsor ThreatLocker, the powerful zero-trust enterprise solution
that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application
control simple and fast. Ringfencing is an application containment strategy, ensuring
apps can only access the files, registry keys, network resources, and other applications
they truly need to function. Shut out cyber criminals with world-class endpoint protection
from ThreatLocker.
Introducing TurboTax Business, a brand new way to file your own T2 return,
all while getting help from an expert who actually knows small businesses.
Got a tattoo studio? Toy store? Tiny but mighty taco stand?
We've got someone who gets small business taxes inside and out.
Experts are standing by to help and review while you file, so you know your
returns done right. Intuit TurboTax business, new from TurboTax Canada.
Some regional exclusions apply. Learn more at TurboTax.ca business tax.
And finally, in Maine, the Westbrook Police Department tried to jazz up its drug bust
photo by adding its badge using ChatGPT.
Unfortunately, the officers didn't realize AI image editing works like an over-enthusiastic
intern.
It changed the entire photo.
Facebook followers quickly noticed the garbled text and
eerie gloss prompting the department to delete the image and issue an apology.
Their statement blamed a Photoshop app, but local station WGME revealed it was
actually ChatGPT's image generator, which treated the uploaded photo as a prompt
to create a brand new masterpiece. The AI even removed some drugs from the evidence photo.
Locals wondered how no one spotted the glaring differences.
So lesson learned.
Next time, just set a badge on the table.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There is a link in the show notes, please do check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Iben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, and we'll see you back here tomorrow.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up. SpyCloud's holistic identity threat protection
helps security teams uncover
and automatically remediate hidden exposures
across your users from breaches, malware, and phishing
to neutralize identity-based threats
like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.