Weekly Cyber Briefing 14.07.2025

Cyber Intelligence Briefing: 11 July 2025

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.


IT giant Ingram Micro confirms service outage was due to ransomware attack

Ingram Micro, one of the world’s largest IT distributors, has confirmed that a ransomware attack was behind a multi-day service outage which affected the company’s global operations over the 4 July public holiday in the US. The ransomware group SafePay claimed to have encrypted systems and accessed “sensitive and confidential information”. Ingram Micro began restoring operations this week.

[Researcher: Tlhalefo Dikolomela, S-RM]

Assured’s CISO reacts:

SafePay gained entry through compromised credentials for Ingram’s GlobalProtect VPN, likely via password spraying: broad attempts to guess corporate credentials against VPN/RDP endpoints. After gaining VPN access, SafePay has been known to obtain domain access after 26 days, with the first 25 days largely dormant, possibly due to the availability of internal resources. They are known to use a workstation called WIN-3IUUOFVTQAR, with heavy use of tools such as Mimikatz to harvest credentials and exploitation of remote admin tools, before using SharpShares to identify accessible file shares and WinRAR to compress the collected data. Finally, they deploy a modified LockBit 2022 ransomware strain to encrypt data and delete Volume Shadow Copies (VSC), all to inhibit recovery.

Since their appearance in November 2004, their activity has increased, reaching a peak in May and June 2025. They appear to focus on Germany and the US, using double extortion (encryption plus data theft) in most cases. Here are some steps you can take that are specific to SafePay TTPs:

1. (M1030) Multi-Factor Authentication (MFA):

  • Prevents: VPN/RDP access using stolen credentials.
  • Enforce MFA for all external access:
    • Intune policy that restricts VPN and RDP clients to Azure AD-joined, compliant devices. In Conditional Access:
      • Grant → Require MFA + Device Compliance
    • Implement IP-based pre-auth geofencing: in the App Protection policy, define the allowed VPN/RDP IP ranges and block access from outside trusted networks.

2. (M1027) Account Use Restrictions:

  • Mitigates: attacker use of local admin accounts and tunneling.
  • Restrict RDP logons:
    • Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Deny log on through Remote Desktop Services: add non-admins and third-party service accounts.
  • Disable local account network logon:
    • Deny access to this computer from the network: include all standard user and service accounts.

3. (M1042) Execution Prevention via AppLocker:

  • Blocks: use of WinRAR, FileZilla, and untrusted scripts.
  • Create DLL, EXE, and Script rules:
    • Only allow binaries that are digitally signed or run from approved paths. Explicitly deny %PROGRAMFILES%\WinRAR\rar.exe, %PROGRAMFILES%\FileZilla\filezilla.exe, and .ps1 files except from a secure admin share.
    • Start in audit mode, then switch to enforce mode once validated (see the example rule collection at the end of this list).

4. (M1056) Restrict Admin Tools & Adjust Privileges:

  • Counters: UAC bypass and privilege escalation.
  • Remove UAC COM object execution:
    • Set the registry under HKLM\SOFTWARE\Microsoft\COM3\ ... to disable elevation through the specific CLSIDs SafePay uses.
  • Remove SeDebugPrivilege: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Deny access to this computer from the network for the required roles, and remove the debug privilege from service accounts.

5. (M1037) Endpoint Detection & Response (EDR):

  • Detects: defensive tampering, lateral-movement scripts, credential dumping.
  • Enable Attack Surface Reduction (ASR) rules:
    • Rule for PowerShell: block or audit share-scanning scripts such as ShareFinder.ps1.
    • ASR rule for suspicious process creation: BlockProcessCreationPrevention (for WinRAR, FileZilla).
    • Custom EDR alerts: monitor registry/GUI changes to Defender settings, and detect process hollowing (RunPE) or Mimikatz; alert on command lines referencing ZwTerminateProcess.

6. (M1035) Data Protection:

  • Blocks: exfiltration and encryption at source.
  • Configure data loss prevention and tamper protection:
    • Set a DLP policy for the .safepay file type and for WinRAR/FileZilla outbound actions: block if archive operations to FTP/SFTP are detected.
    • Implement file tamper protection with Windows Information Protection (WIP), so protected directories cannot be re-encrypted and shadow copies cannot be removed without admin approval.
  • Example AppLocker rule collection for the WinRAR deny rule in step 3 (rule Id left as a placeholder; the FilePathRule needs Name, UserOrGroupSid and a FilePathCondition to be valid AppLocker XML):
      <RuleCollection Type="Exe" EnforcementMode="Enabled">
        <FilePathRule Id="..." Name="Deny WinRAR" Description="Block WinRAR binaries" UserOrGroupSid="S-1-1-0" Action="Deny">
          <Conditions>
            <FilePathCondition Path="%PROGRAMFILES%\WinRAR\*.exe" />
          </Conditions>
        </FilePathRule>
        ...
      </RuleCollection>
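The custom EDR alerts in step 5 amount to matching process-creation telemetry against the SafePay behaviours described above (shadow-copy deletion, Mimikatz, SharpShares/ShareFinder.ps1, WinRAR staging, and the reported workstation name). The following is an added illustration of that matching logic over constructed sample events; it is not code from the briefing or from Assured, and the user names, paths and the second hostname are invented.

```python
import re

# Workstation name reported for SafePay in the briefing above
KNOWN_WORKSTATION = "WIN-3IUUOFVTQAR"

# Each rule: (label, regex run over the lower-cased command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("credential_dumping", re.compile(r"mimikatz|sekurlsa::|lsadump::")),
    ("share_discovery", re.compile(r"sharpshares|sharefinder\.ps1")),
    ("archive_staging", re.compile(r'\\(rar|winrar)\.exe"?\s+a\s')),  # rar.exe a <archive> <paths>
]

def classify(cmdline: str) -> list:
    """Return the labels of every rule that matches one command line."""
    low = cmdline.lower()
    return [label for label, rx in RULES if rx.search(low)]

def scan(events) -> list:
    """events: dicts with 'host', 'user', 'cmdline'. Returns one alert per suspicious event."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if ev["host"].upper() == KNOWN_WORKSTATION:  # IoC match on the source workstation
            hits.append("known_attacker_workstation")
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits})
    return alerts

# Constructed sample process-creation events (users, paths and WS-042 are invented)
SAMPLE_EVENTS = [
    {"host": "WIN-3IUUOFVTQAR", "user": "svc_backup",
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "WIN-3IUUOFVTQAR", "user": "svc_backup",
     "cmdline": r'"C:\Program Files\WinRAR\rar.exe" a -r C:\Users\Public\out.rar \\fs01\finance'},
    {"host": "WS-042", "user": "alice",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
    {"host": "WS-042", "user": "alice",
     "cmdline": r"powershell.exe -File C:\temp\ShareFinder.ps1"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```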

Paddy Power and Betfair confirm customer data breach

The betting giant Flutter, the parent company of the betting brands Paddy Power and Betfair, has suffered a large data breach. The incident involved unauthorised access to a database containing records of up to 800,000 customers in the UK and Ireland. While no passwords or payment data were compromised, Flutter reportedly notified all impacted users.

[Researcher: Milda Petraityte, S-RM]

Assured’s CISO reacts:

It has been reported that there was unauthorised access to internal databases on Flutter’s Exchange platform. Investigation shows this disclosed up to 800k customers’ data, including usernames, email addresses, contact information, the first line of home addresses, town or city of residence, IP addresses, device identifiers, and recent activity on the betting platforms. In terms of scale, 800k is a large percentage of their 4.2m average monthly users. Flutter have contacted the affected individuals, reinforcing that passwords, ID documents and payment details were not accessed by the attackers.

This follows a historic incident: in 2014 Paddy Power admitted, years after the event, to an unauthorised exfiltration of 649k customer records from pre-2010 accounts, containing names, usernames, addresses, email addresses, phone numbers, dates of birth, and security question and answer pairs. Paddy Power published a statement saying the vulnerabilities had been patched.

If the breach was related to open cloud storage, such as a publicly exposed S3 bucket in AWS, this risk can be well mitigated with code reviews and tests within the DevOps pipeline, together with strong discovery and alerting via a cloud security posture management (CSPM) solution able to correlate personal details with open rules.

1. Identity and Access Management (IAM):

  • Enforce MFA for all IAM users and federated identities.
  • Replace IAM users with roles and temporary credentials.
  • Use IAM Access Analyzer to identify over-permissive policies.
    • ConfigRule:
        name: iam-policy-no-wildcards
        source:
          owner: AWS
          sourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
        scope:
          complianceResourceTypes:
            - AWS::IAM::Policy
  • Audit and minimize service-linked roles and cross-account access.
  • Apply permission boundaries to restrict delegated role creation.
  • Use session tags for access condition enforcement.

2. Data Storage and Access Control:

  • Enable S3 Block Public Access at the account and bucket level.
    • ConfigRule:
        name: s3-bucket-public-read-prohibited
        source:
          owner: AWS
          sourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
        scope:
          complianceResourceTypes:
            - AWS::S3::Bucket
  • Apply S3 bucket policies to deny access from outside trusted IPs or VPCs.
  • Enable Object Lock for write-once S3 logs.
  • Enable encryption at rest using AWS KMS CMKs.
  • Use VPC endpoints for private access to S3/DynamoDB.
  • RDS not publicly accessible:
    • ConfigRule:
        name: rds-instance-public-access-check
        source:
          owner: AWS
          sourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
        scope:
          complianceResourceTypes:
            - AWS::RDS::DBInstance
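The two Config rules above (IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS in the IAM list and S3_BUCKET_PUBLIC_READ_PROHIBITED in this one) both reduce to inspecting policy documents for a dangerous Allow statement, and the same check can run before deployment in the pipeline described in the next section. The block below is an added, simplified offline version of those two checks; it is not AWS's rule logic and not from the briefing, and the bucket name and sample documents are constructed.

```python
import json

def _as_list(v):
    """IAM accepts a scalar or a list for Action/Resource/Principal; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _is_public_principal(p):
    # Principal "*" or {"AWS": "*"} grants to anyone, including anonymous callers
    if p == "*":
        return True
    return isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))

def policy_findings(policy: dict) -> list:
    """Return finding labels for one IAM policy or S3 bucket policy document."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        # Admin access: Allow on every action against every resource
        if "*" in actions and "*" in resources:
            findings.append(f"statement[{i}]: admin access (Action * on Resource *)")
        # Public read: an anonymous principal may read objects. A Condition block is
        # treated as a restriction here, a simplification of the AWS managed rule.
        reads = any(a in ("*", "s3:*", "s3:getobject") for a in actions)
        if _is_public_principal(st.get("Principal")) and reads and "Condition" not in st:
            findings.append(f"statement[{i}]: public read (Principal * may read objects)")
    return findings

# Constructed sample documents; the bucket name is a placeholder
ADMIN_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'
)
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-customer-exports/reports/*"}],
}

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("public", PUBLIC_BUCKET_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(doc) or ["no findings"])
```

Wiring this into a pre-commit hook or CI step lets a public-read or wildcard-admin statement fail the build before the Config rule ever sees a deployed resource.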

3. DevOps Pipeline Security:

  • Integrate IaC scanning tools such as Checkov/tfsec into CI/CD.
  • Require peer reviews for infrastructure changes (Terraform/CloudFormation).
  • Use Git pre-commit hooks to scan for secrets (e.g., TruffleHog, GitLeaks).
  • Enforce code signing or artifact attestation for releases.

4. Monitoring and Detection:

  • Enable AWS CloudTrail in all regions and aggregate centrally.
  • Enable CloudTrail Insights to detect anomalies.
  • Configure GuardDuty for anomaly and threat detection.
    • ConfigRule:
        name: guardduty-enabled-central
        source:
          owner: AWS
          sourceIdentifier: GUARDDUTY_ENABLED_CENTRAL
  • Collect VPC Flow Logs for sensitive resources (databases, NAT gateways).
  • Deploy AWS Config with compliance rules and remediation.
