SparTech Software CyberPulse – Your quick strike cyber update for July 24, 2025 7:07 PM

Ingram Micro Suffers Ransomware Attack Orchestrated by SafePay Group

In early July 2025, global IT distributor Ingram Micro experienced a significant ransomware attack that forced major portions of its infrastructure offline and led to a week of operational disruptions. The attack has highlighted emerging threat group dynamics and the impact on critical supply chain operations across the IT industry.

Incident Overview and Impact

Ingram Micro confirmed that its business operations were affected by a ransomware event, resulting in extended downtime for online ordering and other pivotal business services. The outage began in early July and lasted nearly a week, impacting customers worldwide. Business operations, including online ordering systems, were fully restored by July 10.

Threat Actor Profile: SafePay

The ransomware attack was attributed to the SafePay hacker group, notable for deviating from the common ransomware-as-a-service (RaaS) model. SafePay’s approach involves tightly controlled operations rather than distributing attack kits broadly to affiliates, making detection and defense more difficult. Cybersecurity analysts suggest this makes SafePay’s attacks more targeted, sophisticated, and resilient to traditional disruption methods.

Response and Recovery Actions

Ingram Micro quickly mobilized incident response protocols, involving both internal and external cybersecurity experts. The company restored business-critical functions in phases and undertook a detailed forensic review to assess the impact and bolster future defenses. While the organization has not confirmed the payment of ransom, ongoing investigations will determine the full extent of data access or exfiltration during the incident.

Wider Implications

The event illustrates the growing risks posed by ransomware groups that shun the RaaS ecosystem, emphasizing a trend toward more sophisticated, self-operated threat entities. Large IT service providers and distributors with interconnected supply chains remain high-value targets for these evolving actors, increasing the potential for cascading industry-wide disruptions.

Microsoft SharePoint “ToolShell” Zero-Day Exploit Campaign Expands Globally

An active and growing wave of cyberattacks is targeting on-premises Microsoft SharePoint servers through exploitation of an undisclosed zero-day vulnerability, tracked by researchers as the “ToolShell” campaign. Since early July 2025, hundreds of organizations, including government agencies, telecom firms, and the software sector across North America and Europe, have fallen victim to these attacks.

Technical Analysis of the Zero-Day

The critical SharePoint vulnerability was first exploited on July 7, with attack intensity rising through the middle of July. By July 23, security experts had confirmed more than 400 successful compromises. The exploit enables unauthenticated remote code execution, granting attackers the ability to deploy custom malware (including the ToolShell backdoor) and escalate access to critical internal systems.

Adversary Attribution and Tactics

Attribution efforts point to multiple China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. Attack sources have been traced through several IP addresses, some of which have known historical activity in previous high-profile exploits. The attackers are exploiting the vulnerability to gain persistent, covert footholds within victim environments for extended intelligence collection and possible lateral movement.

Signals of Ongoing Campaigns and Government Impact

The campaign initially struck a major Western government, with activity rapidly expanding to the private sector. U.S. federal agencies, including the Department of Energy, have acknowledged minimal impacts, but concerns persist that unpatched SharePoint installations in critical sectors remain at immediate risk.

Urgent Mitigations and Response Guidance

Security experts advise immediate patching and thorough network segmentation for organizations operating on-premises SharePoint infrastructure. Microsoft and other security vendors have issued urgent advisories, emphasizing that attackers are incorporating new variants of the toolset and are likely to continue exploiting unremediated systems in coming weeks.

Critical Cisco ISE Vulnerabilities Permit Pre-Authentication Command Execution

Network administrators are racing to deploy emergency patches after two maximum-severity vulnerabilities were disclosed in Cisco’s Identity Services Engine (ISE) and ISE-Passive Identity Connector (PIC), allowing attackers to achieve unauthenticated remote code execution and full system compromise on exposed systems.

Technical Details of the Flaws

The vulnerabilities, identified as CVE-2025-20337 (among others), stem from improper input validation and insecurely exposed APIs in the authentication logic of ISE and PIC. Exploitation enables a remote attacker to upload arbitrary files, execute commands of their choosing—including those granting root access—and subsequently control the entire access policy infrastructure.

Potential Impact and Threat Landscape

Cisco ISE is a core component of large-scale enterprise access control, identity management, and network enforcement architecture. Successful exploitation could permit an attacker to override internal security policies, propagate malware, or disrupt authentication services for thousands of users within affected organizations. No workarounds are available, increasing the urgency of patch application.

Mitigation Steps and Recommendations

Cisco has issued a high-priority patch and is advising immediate deployment. Organizations are urged to inventory all ISE deployments, verify public network exposure, and apply the latest security updates at the earliest possible opportunity to prevent exploitation in the wild.

Co-op Data Breach Update: Four Arrested in Devastating Retail Cyberattack Case

The Co-op UK retailer has released new details on the April 2025 cyberattack that compromised sensitive member data and led to operational disruptions, as four suspects have now been arrested in connection with the persistent attack.

Incident Review and Data Exposure

The breach, impacting all 6.5 million Co-op members, exposed extensive personal information including names, addresses, and contact details. Despite the significant data compromise, the company confirmed that payment information and financial account details were not impacted. However, the breach did cause notable supply chain and payment system interruptions across its businesses.

Law Enforcement Response

Four individuals aged 17–20 were apprehended on July 10 under blackmail, money laundering, and Computer Misuse Act charges. The suspects are believed to have attempted extortion by leveraging the stolen data during or after the attack. The UK’s cybercrime and organized crime units led the investigation, responding swiftly to the critical retail infrastructure event.

Ongoing Security Enhancements

The Co-op has since worked to rebuild its cybersecurity posture, investing in advanced defense capabilities and launching initiatives aimed at recruiting and developing young cybersecurity talent to help safeguard similar retail systems in the future.
