
July 7, 2025 10 mins

In this episode of Cybersecurity Today, host David Shipley discusses the recent SafePay ransomware attack on technology distributor Ingram Micro, exploring its impact and ongoing recovery efforts. The episode also examines a new campaign targeting misconfigured Linux servers to build proxy networks for cybercriminal activities. Additionally, the episode highlights the significant rise in ClickFix social engineering attacks and the criminal investigation into a former ransomware negotiator accused of profiting from extortion payments.

00:00 Introduction and Headlines
00:30 Ingram Micro Ransomware Attack
03:57 Linux Servers Under Attack
07:05 Rise of ClickFix Social Engineering Attacks
08:45 Ransomware Negotiator Under Investigation
10:13 Conclusion and Contact Information


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Ingram Micro has been hit with the SafePay ransomware. Criminals are ramping up efforts to compromise Linux SSH servers to build proxy networks. ClickFix social engineering attacks are up 500%, and a former ransomware negotiator is under criminal investigation for working with gangs to profit off of extortion payments.

(00:23):
This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started. Ingram Micro, one of the largest technology distributors on the planet, said Saturday it was hit with a ransomware attack late last week. The publicly traded California firm was still dealing with the impact from the incident as of Sunday afternoon, with its website still down and

(00:46):
redirecting to more information on the cybersecurity incident. In a release on Business Wire, the company said it recently discovered ransomware on some of its internal systems. The firm said it took steps to secure the relevant environment and proactively took some systems offline, as well as implementing, quote, other mitigating measures.

(01:08):
Ingram Micro says it has launched an investigation with the assistance of leading cybersecurity experts and has notified law enforcement. It said it was working hard to restore affected systems and to resume processing and shipping orders. Bleeping Computer posted the SafePay ransomware note allegedly tied to the incident. In it,

(01:30):
SafePay claims it exploited, quote, a number of mistakes, end quote, Ingram made in, quote, setting up the security of your corporate network. So we were able to spend quite a long time in it and compromise you. End quote. The SafePay note claims the intruders accessed sensitive and confidential information, including documents pertaining to financial statements,

(01:52):
intellectual property, accounting records, lawsuits and complaints, personal and customer files, bank details, transactions, and more. Interestingly, the group seemed to go out of its way to note the attack was purely financially motivated and not political. None of these claims have been independently verified.

(02:13):
Ingram Micro had more than $47.98 billion in revenue in 2024, making it one of the most valuable US technology companies. The ransomware attack comes on the heels of the firm returning to the Fortune 500 in June. Founded 46 years ago, Ingram Micro is a backbone distributor to value-added resellers, managed

(02:35):
service providers, and more. Managed service providers who spoke to The Register reported being unable to manage customers' Microsoft 365 licenses, Dropbox licenses, hardware purchases, and more. Hitting Ingram Micro is the technology sector equivalent of the Colonial Pipeline attack. A prolonged outage could have massive impacts across nearly 90% of

(02:58):
the global technology marketplace. Ingram Micro also resells Microsoft's Office and Azure cloud offerings, with some posters on Reddit's MSP thread on the weekend warning folks to revoke Ingram Micro accounts. As of Sunday, there was no evidence that Ingram Micro's incident had spread to others. However, the company's sheer reach would make any such event larger

(03:22):
than anything we've ever seen. According to a recent media article, Ingram manages more than 50 million seats in cloud services. We may all wanna be grateful that this increasingly appears to be a vanilla cybercrime extortion attempt and not a nation-state run, because had it been, things could have been far worse.

(03:45):
If this outage takes the typical several weeks to several months to fully resolve, the risks of major disruptions throughout a broad swath of the technology supply chain will grow. A new campaign is targeting misconfigured Linux servers, with attackers deploying legitimate proxy software to covertly build network infrastructure for criminal use.

(04:07):
This matches a trend we've been following since the start of the year, with criminal groups building new infrastructure leveraging proxies around the world. According to the AhnLab Security Emergency Response Center, or ASEC, threat actors are scanning for Linux systems with weak or default SSH credentials. Once access is gained, the attackers install proxy tools, specifically

(04:30):
TinyProxy and sing-box, to create scalable, anonymized networks. These tools are typically used for legitimate purposes, such as content routing or bypassing geo-restrictions, but in this case, they're being repurposed for malicious activity. Unlike traditional malware campaigns that aim to exfiltrate data or encrypt files, this operation is focused on maintaining a stealth presence.

(04:54):
No additional malware is deployed. Instead, the attackers use lightweight bash scripts that detect the server's operating system and use standard Linux package managers, APT, Yum, and/or DNF, to install TinyProxy. Once installed, the script modifies the configuration file located at /etc/tinyproxy/tinyproxy.conf.

(05:18):
It removes any restrictive access controls and replaces them with a universal rule: Allow 0.0.0.0/0. This opens the proxy to all incoming connections, effectively allowing anyone on the internet to route traffic through the compromised server via port 8888. A second variant of the campaign uses sing-box, a multipurpose proxy that supports

(05:41):
advanced protocols like VMess-Argo, VLESS-Reality, Hysteria2, and TUIC v5. These protocols are often used in circumvention tools, but here they appear to be facilitating anonymization for broader criminal infrastructure. Installation is carried out using scripts hosted on GitHub, pointing to a structured

(06:01):
and potentially large-scale operation. Comments found in the script are written in Polish, which may indicate the regional origin of the attacks or at least provide a linguistic clue. However, attribution remains unclear. Security researchers suggest the infrastructure is being monetized through proxy-as-a-service offerings, or leveraged to obscure the source of further

(06:22):
malicious activity. For organizations running Linux-based infrastructure, especially systems exposed to the internet via SSH, security teams are advised to enforce strong authentication, ideally using SSH keys and not just passwords, audit for unauthorized proxy services, and monitor outbound

(06:43):
traffic for signs of proxy misuse. This campaign highlights a shift in tactics from delivering destructive payloads to quietly establishing a persistent network resource that can be used in ongoing or future cyber operations. It's particularly relevant given the decline in the ability of criminals to use traditional bulletproof hosting services.

(07:05):
Cybersecurity firm ESET says ClickFix attacks are up 500% in the first half of 2025, coming second only to traditional phishing as the most common attack method. The findings come in the latest ESET threat report, which summarizes threat data captured by its security tools. ClickFix attacks display a fake error that manipulates a victim

(07:26):
into copying, pasting, and executing malicious commands on their devices. The attack vector affects all major operating systems, including Windows, Linux, and macOS. It often mimics common human validation systems like Cloudflare or CAPTCHA services that are commonly deployed to distinguish human and bot traffic.

(07:47):
The ClickFix technique is used to deploy info stealers, ransomware, remote access Trojans, crypto miners, post-exploitation tools, and even custom malware from nation-state-aligned threat actors, ESET says in the same report. ESET also gave some good news in it. It said that global ransomware continues to descend into chaos, with fights between major gangs impacting several players,

(08:11):
including the leading ransomware-as-a-service RansomHub. While ransomware attacks and the number of gangs are up compared to 2024, payments are down. It's unclear why, but the report suggests that the combination of successful global law enforcement actions last year against a number of gangs and an increase in exit scams, that's where gangs bail on their affiliates without paying

(08:35):
them, contributed to the growing chaos. Speaking of the ransomware industry and chaos, here's another interesting wrinkle. An ex-ransomware negotiator is under criminal investigation by the US Department of Justice for allegedly working with the ransomware gangs to profit from extortion payments.

(08:56):
The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017.

(09:20):
Bloomberg first reported last week that the DOJ is investigating whether the suspect was working with ransomware gangs to negotiate payments, then allegedly receiving a cut of the ransom that was charged to the customer. The DOJ refused to comment when Bloomberg contacted them last week. From my perspective, ransom negotiation as an industry was

(09:43):
always ethically challenging. Some ransomware operators, such as GandCrab and REvil, even created special discount codes and chat interfaces specifically designed for these types of firms to receive a discount on the ransom demand. Some vendors in the ransomware negotiation space have been critical of others who don't use a fixed-fee structure, with those that don't

(10:06):
use that fixed-fee structure often lending themselves to potential abuse. As always, stay skeptical and stay patched, and yesterday was a good day to start doing fourth-party breach tabletops. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video.

(10:29):
I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.