MSP cybersecurity news digest, July 14, 2025

SafePay inflicts major ransomware attack on Ingram Micro


Ingram Micro suffered a major ransomware attack attributed to the SafePay operation just before the July 4th holiday, resulting in a global outage that disrupted internal systems and halted online ordering.

The breach was discovered on July 3, when employees found ransom notes on their devices, though it remains unclear whether data was encrypted or stolen. The attackers are believed to have accessed Ingram Micro’s network via compromised credentials used on the company’s GlobalProtect VPN, prompting the shutdown of VPN access and a shift to remote work. Critical platforms like Xvantage and Impulse were impacted, while tools such as Microsoft 365 and Teams remained functional. On July 6, the company confirmed the ransomware incident, stating that it had taken systems offline and engaged cybersecurity experts to investigate. By July 8, Ingram Micro had restored partial services, including order processing via phone and email in numerous countries across North America, Europe and Asia. A company-wide reset of passwords and multifactor authentication was performed, and VPN access is being gradually restored.

While Ingram Micro has not officially named the threat actor, ransom notes discovered on employee devices point to SafePay, a ransomware group that has been active since late 2024 and claimed over 200 victims worldwide in 2025. The highest spike was in May, with 72 victims.


Patch Tuesday update patches 130 vulnerabilities, affecting Visual Studio, AMD and Edge


For the first time in 2025, Microsoft’s Patch Tuesday included no fixes for actively exploited zero-days, though one publicly known vulnerability was addressed. This update patched 130 Microsoft flaws and 10 third-party CVEs affecting Visual Studio, AMD and Edge, with 10 rated critical.

A key concern is CVE-2025-49719, an SQL Server flaw that could leak uninitialized memory and potentially expose sensitive data such as cryptographic keys or credentials. The most severe bug, CVE-2025-47981, is a remote code execution vulnerability in Windows SPNEGO NEGOEX, carrying a CVSS score of 9.8, and is considered capable of self-propagation across networks. Researchers warned that it requires no authentication, only network access, and could lead to WannaCry-like malware.

Other notable flaws affect Windows KDC Proxy, Hyper-V and Microsoft Office, alongside five BitLocker bypasses exploitable with physical access. These BitLocker flaws allow attackers to retrieve encrypted data by loading a modified recovery environment. Lastly, July 8, 2025, marks the end of support for SQL Server 2012, which will no longer receive security patches.


Lumma Stealer and SectopRAT malware spread by attackers using leaked Shellter tool license


Attackers are abusing the red teaming tool Shellter to spread stealer malware such as Lumma Stealer, Rhadamanthys and SectopRAT. The exploitation began after a licensed copy of Shellter Elite was leaked, prompting malicious actors to repurpose it for infostealer campaigns.

Despite Shellter’s strict vetting process, version 11.0 of Shellter Elite was reportedly weaponized shortly after its release in April 2025. The malware campaigns use polymorphic obfuscation and self-modifying shellcode to evade detection by embedding malicious code within legitimate programs. Some attackers used social engineering tactics, including YouTube videos offering fake game cheats and sponsorships, to lure victims.

Shellter's developers released an update to address the issue and criticized Elastic Security Labs for not warning them promptly about the misuse. Elastic reported observing this abuse starting in late April and defended its decision, citing a commitment to transparency and responsible research. This incident mirrors past cases where legitimate security tools like Cobalt Strike were similarly hijacked by cybercriminals.


Oyster malware loader spread through SEO poisoning campaign to target 8,500+ SMB users


Researchers have uncovered a malicious campaign that uses SEO poisoning to spread the Oyster malware loader through fake sites mimicking tools like PuTTY and WinSCP.

These trojanized downloads install the Oyster backdoor and use DLL-based persistence mechanisms to maintain access. The attackers exploit black-hat SEO to promote malicious links tied to AI-related keywords, delivering malware like Vidar, Lumma and Legion Loader. JavaScript on these fake sites gathers browser data and redirects users to phishing pages hosting malicious ZIP files. Other campaigns spoof the tech support pages of major brands, injecting fake phone numbers into real sites via search parameter tricks. Additionally, fake Facebook ads targeting crypto users and Pi Network fans distribute infostealing malware.

The Dark Partners group is linked to Poseidon Stealer on macOS and PayDay Loader on Windows, using tools like Google Calendar and npm packages for delivery. Finally, large-scale fraud networks buy ad space to promote fake online stores, disappearing after a few days to avoid detection.


BaitTrap fake news sites luring investors into investment scams across 50 countries


Researchers uncovered over 17,000 fake news websites, dubbed baiting news sites (BNS), used to lure users into investment scams across 50 countries. These sites mimic trusted media brands like CNN or BBC, spreading false stories about public figures endorsing passive income schemes to build credibility.

Victims are driven to these pages through sponsored ads on Google, Meta and blogs, then redirected to scam platforms like Trap10 or Solara Vynex. Once engaged, users receive follow-up calls from fake advisors who request ID documents and crypto deposits, delaying withdrawals under the guise of "verification." Researchers found many BNS hosted on cheap domains or hidden within hacked websites, often localized with familiar language, logos and influencers to improve success. These operations not only steal money but harvest personal data for identity theft and future phishing attempts.

In separate research, a 19-fold increase has been observed in phishing campaigns using Spain’s .es top-level domain, making it the third most abused TLD after .com and .ru. Since January, over 1,300 malicious subdomains have been hosted on 447 .es domains, with 99% of them focused on credential phishing, mostly impersonating Microsoft. These attacks often use well-crafted emails themed around workplace topics and rely on randomly generated subdomains to evade detection. Many malicious pages are hosted on Cloudflare behind Turnstile CAPTCHAs and .es domains, suggesting that cybercriminal groups are increasingly leveraging fast deployment tools at scale rather than acting as isolated operators.
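As an added example (not part of this digest or the research it summarizes), the snippet below is a small defender-side triage heuristic for the pattern described above: .es hosts whose leftmost subdomain label looks machine-generated. The sample URLs are constructed for illustration, not real indicators, and the entropy and character-ratio thresholds are assumptions chosen for this example.

```python
"""Triage heuristic for random-looking subdomains on .es hosts (added example)."""
import math
from urllib.parse import urlparse

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; words score low, random strings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(label: str) -> bool:
    """Flag labels that read like generated strings rather than dictionary words.
    Thresholds (length 8, entropy 3.0, digit/vowel ratios) are assumptions."""
    if len(label) < 8:
        return False
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= 3.0 and (digit_ratio >= 0.2 or vowel_ratio < 0.15)


def suspicious_es_host(url: str) -> bool:
    """True for a .es host whose leftmost label (left of the registrable domain) looks random."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 3 or labels[-1] != "es":  # only .es hosts with a subdomain label
        return False
    return looks_random(labels[0])


def triage(urls):
    """Return the hostnames worth analyst review, preserving input order."""
    return [urlparse(u).hostname.lower() for u in urls if suspicious_es_host(u)]


# Constructed sample URLs, not real indicators.
SAMPLE_URLS = [
    "https://xk3q9zt7pw.login-portal.es/verify",
    "https://secureportal.example-bank.es/",
    "http://a8f2k1d9xq.mail-notice.es/turnstile",
    "https://tienda.example-shop.es/ofertas",
    "https://qzxtvbrkwp.docs-share.es/",
    "https://xk3q9zt7pw.example.com/",  # random label, but not .es: out of scope here
    "https://www.example-bank.es/",
]

if __name__ == "__main__":
    for host in triage(SAMPLE_URLS):
        print("review:", host)
```

The heuristic is a first-pass filter only; a legitimate long label with normal vowel density (such as "secureportal") passes through unflagged, while digit-heavy or vowel-free labels are surfaced for review.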