Apple

iOS 15

Zero-Day

Apple yet again failed to patch iOS Zero-Day Vulnerability reported earlier this year, dumped

Multiple iOS Zero-Day Vulnerabilities were reported many times by security researchers under Apple's bug bounty program, arguably failed to get fixed and...

24-Sep-2021
3 min read

Related Articles

Social Engineering

M&S confirms a massive ransomware attack began with a social engineering breach,...

Marks & Spencer (M&S), one of the UK’s largest retailers, has confirmed that a sophisticated social engineering attack was the initial vector for a major ransomware incident in April 2025. The breach, attributed to the DragonForce ransomware group, resulted in the encryption of critical systems and the theft of approximately 150GB of sensitive data. The attack underscores the growing threat of impersonation tactics and the risks associated with third-party service providers[1].

## How the Attack Unfolded

### Sophisticated Impersonation

- The breach began on April 17, 2025, when attackers impersonated an M&S employee to trick a third-party help desk into resetting a password.
- The attackers used detailed personal information to convincingly pose as a legitimate staff member, a method described by M&S chairman Archie Norman as “sophisticated impersonation.”
- The third party involved was Tata Consultancy Services, which provides IT help desk support for M&S. Tata is believed to have been manipulated into resetting the password, granting attackers access to the M&S network[1].

### Entry to Ransomware Deployment

- Once inside, the attackers deployed DragonForce ransomware, a group believed to operate out of Asia but distinct from the similarly named hacktivist group “DragonForce Malaysia.”
- The attack was linked to threat actors associated with Scattered Spider, who have a history of leveraging social engineering for initial access[1].

## Impact and Response

### Double-Extortion Tactics

- The ransomware encrypted numerous VMware ESXi servers, disrupting M&S operations.
- Approximately 150GB of data was stolen, with the attackers threatening to publish the data if a ransom was not paid—a classic double-extortion approach.
- M&S proactively shut down all systems to contain the attack, but the encryption and data theft had already occurred[1].

### Ransom Negotiations

- M&S leadership decided not to engage directly with the attackers, instead relying on professional ransomware negotiators.
- When questioned about ransom payments, M&S declined to provide details, citing public interest and ongoing cooperation with the National Crime Agency (NCA) and authorities.
- As of the latest update, the stolen data has not appeared on DragonForce’s leak site, suggesting either a ransom was paid or negotiations are ongoing[1].

## Key Lessons and Security Implications

### Third-Party and Social Engineering Risks

- The attack highlights the vulnerability of large organizations to social engineering, especially when third-party vendors are involved in critical support roles.
- Even with advanced technical defenses, human factors and supply chain partners remain a significant risk vector.

### Ransomware Trends

- DragonForce’s use of double-extortion tactics is now standard among major ransomware groups.
- The incident demonstrates the importance of rapid response, professional negotiation, and transparent communication with authorities.

## Conclusion

The M&S ransomware attack is a stark reminder that even the most established organizations are vulnerable to social engineering and third-party risks. As attackers refine their impersonation techniques and target supply chain partners, businesses must strengthen both technical and human defenses, ensure robust vendor management, and prepare for the complexities of modern ransomware response[1].

[1] https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/

10-Jul-2025
3 min read

Android

Anatsa Android banking trojan infiltrates Google Play, hits 90k US/Canada users ...

The **Anatsa (a.k.a. TeaBot)** Android banking trojan has launched its first large-scale campaign in the United States and Canada, hiding inside a popular “Document Viewer – File Reader” app on Google Play. The dropper accumulated roughly **90,000 installs in six weeks** before Google removed it, providing attackers with a foothold to steal credentials, keylog sessions, and automate fraudulent transactions against a broadened list of North American financial apps. ThreatFabric analysts say the campaign mirrors five earlier European waves, yet shows a sharper focus on U.S. institutions and improved evasion tactics, such as deceptive maintenance overlays that mask fraud in real time.

## Anatsa at a Glance

| Attribute | Details |
|-----------|---------|
| First seen | 2020 |
| Aliases | TeaBot, Toddler |
| Primary vector | Google Play droppers (PDF, QR, cleaner, file viewers) |
| Targets | 650+ banking/finance apps worldwide |
| Capabilities | Credential overlays, Accessibility abuse, Keylogging, On-device fraud (DTO) |

Anatsa’s operators periodically pause distribution, refine the code, and then return with region-specific waves that quickly accumulate tens of thousands of installs before being taken down.

## Proven Five-Step Campaign Process

ThreatFabric’s long-term telemetry shows each wave follows a consistent, **five-step pattern**:

1. **Developer profile creation** on Google Play.
2. **Legitimate utility app release** (e.g., PDF reader) to build trust and reviews.
3. **User-base growth** to reach Google Charts’ Top-Free lists, boosting visibility.
4. **Malicious update** that silently side-loads Anatsa via an external payload.
5. **Dynamic targeting**—the trojan fetches an updated list of banking package names from its C2, enabling on-the-fly expansion.

This cyclic approach lets the gang bypass store vetting, exploit user ratings as social proof, and keep infections geographically tailored.

## How the North-American Dropper Worked

The 2025 campaign’s dropper package **com.stellarastra.maintainer.astracontrol_managerreadercleaner** looked and behaved as a genuine file viewer until June 24. An update then added code that:

* Requested **AccessibilityService** permission to automate taps.
* Downloaded a second-stage DEX from the C2, loading the full Anatsa payload in memory.
* Displayed a **“Scheduled Maintenance”** overlay whenever victims opened any targeted banking app—blocking calls to customer support while credentials were siphoned.

### Timeline of the U.S.–Canada Wave

| Date | Milestone |
|------|-----------|
| 07 May 2025 | App first published on Google Play |
| 29 Jun 2025 | Climbed to #4 in “Top Free – Tools” chart (US) |
| 24-30 Jun 2025 | Malicious update pushed; active distribution window |
| 01 Jul 2025 | Google removes app after ThreatFabric report |

## Rapid Growth of Anatsa Download Waves

The North-American dropper continues a multi-year pattern of explosive install counts that outpace store defenses.

## Impacted Banking Apps and Fraud Techniques

Once installed, Anatsa can:

* **Harvest credentials** via WebView-based overlays that mimic sign-in pages.
* **Intercept SMS 2FA codes** through granted accessibility hooks.
* **Perform full Device-Takeover Fraud (DTO)**—initiating transfers directly from the victim’s handset to bypass behavioral analytics[6].

ThreatFabric observed **an expanded target list of U.S. institutions**, including tier-1 retail banks, credit unions, and investment apps, alongside Canadian banking brands.

## Why Tools-Category Apps Dominate

Analysis by Zscaler shows **“Tools”** utilities account for 40% of droppers because they plausibly request powerful permissions (storage, accessibility) without raising suspicion.

## Google Play’s Unresolved Malware Gap

Google’s policy requires any app asking for AccessibilityService to justify the need, yet Anatsa operators still bypass vetting by shipping a **clean version 1.0** and weaponizing the first update—a tactic that evades automated static analysis and most manual reviews[3]. Until store workflows verify **runtime behavior** and cross-check update diffs, high-download droppers will continue to pose a recurring threat vector.

## Indicators of Compromise & Mitigation

**IOC Highlights (July 2025 wave)**

- Malicious PDF update domain: `menusand.com`
- C2 API endpoint: `185.215.113.31:85/api`
- Package name: `com.stellarastra.*reader*cleaner`

**Recommended Actions for Enterprises**

1. **Block known IOCs** at MDM and network layers.
2. **Harden mobile apps** with root/jailbreak detection, certificate pinning, and overlay protection.
3. **Leverage Play Integrity API** to spot modified or repackaged environments.
4. **Deploy behavioral fraud analytics** capable of detecting DTO patterns (e.g., anomalous device biometrics, impossible timing).
5. **Educate customers**: limit installs to trusted vendors, revoke unnecessary permissions, enable Play Protect scans.

## Strategic Take-aways for Banks & Developers

| Risk Driver | Strategic Response |
|-------------|-------------------|
| Dropper stealth via staged updates | Continuous mobile-app telemetry, store-update diff scanning |
| Accessibility abuse for DTO | In-app detection of suspicious accessibility events; enforce step-up verification |
| Overlay credential theft | Implement secure keyboard frameworks and deep-link sign-in to thwart overlays |
| Geo-targeted target lists | Monitor for sudden spikes in fraud from specific mobile OS versions or locales |
| Store takedown lag | Maintain threat-intel feeds and warn users faster than official store actions |

The latest **Anatsa incursion into North America** underscores the persistent gap between official-store defenses and agile malware operators.
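As an added example (not ThreatFabric's, Google's or this site's own tooling), the two defender-side checks above, update-diff scanning and IOC blocking, applied to constructed MDM inventory data: the record format, the app-history layout and the benign `com.example.notes` app are assumptions made for the demo, while the IOC values and the dropper package name are the ones quoted in the article.

```python
import fnmatch
# IOCs quoted in the article for the July 2025 wave.
IOC_PACKAGE_GLOB = "com.stellarastra.*reader*cleaner"
IOC_DOMAINS = {"menusand.com"}
IOC_C2 = "185.215.113.31:85/api"

# Permissions whose first appearance in an update is a dropper red flag.
SENSITIVE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

def new_sensitive_permissions(previous, current):
    """Sensitive permissions declared by `current` that `previous` lacked."""
    return sorted(SENSITIVE_PERMISSIONS & (set(current) - set(previous)))

def update_diff_findings(history):
    """history: {package: [(version, [permissions]), ...]} in release order.
    Flags the 'clean v1.0, weaponised update' pattern and returns
    {package: [(old_version, new_version, [added sensitive perms])]}."""
    findings = {}
    for pkg, releases in history.items():
        for (v_old, p_old), (v_new, p_new) in zip(releases, releases[1:]):
            added = new_sensitive_permissions(p_old, p_new)
            if added:
                findings.setdefault(pkg, []).append((v_old, v_new, added))
    return findings

def match_iocs(records):
    """records: (device_id, kind, value) with kind in {'package','dns','http'}."""
    hits = []
    for device, kind, value in records:
        if kind == "package" and fnmatch.fnmatchcase(value, IOC_PACKAGE_GLOB):
            hits.append((device, kind, value, "Anatsa dropper package pattern"))
        elif kind == "dns" and value.lower().rstrip(".") in IOC_DOMAINS:
            hits.append((device, kind, value, "payload download domain"))
        elif kind == "http" and IOC_C2 in value:
            hits.append((device, kind, value, "Anatsa C2 endpoint"))
    return hits

# Constructed sample data (not real telemetry); com.example.notes is a hypothetical benign app.
BASE = ["android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE"]
SAMPLE_HISTORY = {
    "com.stellarastra.maintainer.astracontrol_managerreadercleaner": [
        ("1.0", BASE), ("1.1", BASE),
        ("1.2", BASE + ["android.permission.BIND_ACCESSIBILITY_SERVICE"])],
    "com.example.notes": [("2.0", BASE), ("2.1", BASE)],
}
SAMPLE_RECORDS = [
    ("dev-01", "package", "com.stellarastra.maintainer.astracontrol_managerreadercleaner"),
    ("dev-01", "dns", "MENUSAND.COM."),
    ("dev-02", "http", "http://185.215.113.31:85/api/check"),
    ("dev-03", "package", "com.example.notes"),
]
```

Only the dropper's 1.1 to 1.2 update is flagged, and only the three records touching the published IOCs produce hits; the benign app yields nothing in either check.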

09-Jul-2025
4 min read

Ingram

Safepay

SafePay ransomware cripples Ingram Micro's global operations, disrupting IT supp...

The technology distribution giant Ingram Micro confirmed on July 6, 2025, that it had fallen victim to a sophisticated ransomware attack by the rapidly emerging SafePay cybercriminal group, marking one of the most significant supply chain disruptions in the IT industry this year. The attack, which began on July 3, has crippled the company's global operations, leaving thousands of managed service providers (MSPs), resellers, and enterprise customers unable to access critical services, place orders, or manage software licenses.

## Attack Timeline: From Breach to Crisis

The Ingram Micro incident unfolded over five critical days, escalating from an initial security breach to a full-scale operational crisis that exposed the vulnerability of global IT supply chains.

### July 3: Initial Detection

The attack was first detected at approximately 8:00 AM Eastern Time on July 3, 2025, when Ingram Micro's security monitoring systems identified anomalous network activity[1][4]. By this time, SafePay ransomware had already begun encrypting critical internal systems and deploying ransom notes across employee devices[1][5].

### July 4: System Shutdown

As the extent of the breach became clear, Ingram Micro proactively took key systems offline, including its flagship AI-powered Xvantage distribution platform and the Impulse license provisioning system[1][6][7]. The company's websites went dark, displaying only maintenance messages, while customer portals became completely inaccessible[6][8].

### July 5-6: Communication Crisis

The company's initial silence sparked widespread frustration among partners and customers. MSPs reported being unable to serve their clients, while resellers found themselves locked out of ordering systems during critical end-of-quarter sales periods. One SP500 company CEO told CRN: _"This is our worst nightmare come true. If we can't place orders or get quotes, it stops our business"_.

### July 6: Official Confirmation

After three days of speculation, Ingram Micro officially confirmed the ransomware attack in a brief statement: _"Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline"_.

## SafePay Ransomware: Rapid Rise of a New Threat

Ingram Micro is the latest high-profile victim of SafePay, a ransomware group that has experienced meteoric growth since its emergence in September 2024.

### From Obscurity to Market Leader

SafePay's trajectory has been remarkable in the ransomware landscape. Starting with just 5 victims in September 2024, the group rapidly scaled its operations, reaching a peak of 70 attacks in May 2025 and claiming the #1 position among active ransomware groups. This growth occurred despite—or perhaps because of—the disruption of major ransomware operations like LockBit and ALPHV in 2024.

### Unique Operational Model

Unlike most modern ransomware groups that operate under a Ransomware-as-a-Service (RaaS) model, SafePay maintains direct control over its operations. The group explicitly states on its dark web leak site: _"SAFEPAY RANSOMWARE HAS NEVER PROVIDED AND DOES NOT PROVIDE THE RAAS"_. This approach offers better operational security but limits scalability compared to affiliate-based models.

### Double-Extortion Tactics

SafePay employs sophisticated double-extortion techniques, stealing sensitive data before encrypting systems and threatening public disclosure if ransom demands are not met. The group's ransom note to Ingram Micro stated: _"We are the ones who can correctly decrypt your data and restore your infrastructure,"_ demanding payment within seven days.

## Technical Attack Vector: GlobalProtect VPN Vulnerability

Security researchers believe the Ingram Micro breach originated through the company's GlobalProtect VPN platform, highlighting persistent vulnerabilities in enterprise VPN solutions.

### Exploitation of Network Misconfigurations

In their ransom note, SafePay claimed that Ingram Micro's _"IT specialists made a number of mistakes in setting up the security of your corporate network,"_ allowing the attackers to maintain persistent access for an extended period. The group characterized the breach as _"a paid training session for your system administrators"_.

### Systemic VPN Vulnerabilities

The attack underscores broader concerns about VPN security in enterprise environments. Multiple critical vulnerabilities in Palo Alto Networks' GlobalProtect have been disclosed in 2025, including [CVE-2025-0120](https://nvd.nist.gov/vuln/detail/CVE-2025-0120), CVE-2025-0117, and CVE-2025-0133. These flaws have enabled privilege escalation, credential theft, and remote code execution in various configurations.

## Supply Chain Paralysis

The Ingram Micro attack has created unprecedented disruption across the global IT supply chain, affecting multiple stakeholder groups with varying degrees of severity.

### MSPs Bear the Brunt

Managed Service Providers have experienced the most severe impact, with many unable to serve their clients effectively. The disruption has prevented MSPs from managing Microsoft 365 licenses, provisioning software, and accessing critical backup systems. Stanley Louissaint, founder of New Jersey-based MSP Fluid Designs, described the situation: _"The biggest issue in this situation isn't even the attack itself. It's the lack of openness and communication"_.

### Reseller Operations Halted

Technology resellers worldwide have been unable to place orders for hardware and software, disrupting sales cycles and customer deliveries. The timing coincided with end-of-quarter sales periods, amplifying the financial impact for many partner organizations.

### Global Operations Affected

Ingram Micro's global reach—spanning 200 countries with 24,000 employees and $48 billion in annual revenue—means the disruption has had worldwide implications. Regional operations in the Middle East, Europe, and Asia-Pacific have all reported significant impacts.

### Financial Implications

Based on Ingram Micro's Q1 2025 revenue of $12.3 billion, the company generates approximately $137 million in daily revenue. Conservative estimates suggest the ongoing outage could result in daily losses of $5-15 million, potentially reaching $50-200 million for an extended disruption.

## Industry Response and Customer Migration

The prolonged outage has prompted customers to seek alternative suppliers, highlighting the concentration risk in the IT distribution market.

### Competitors Gain Ground

Major competitors like TD Synnex have reportedly seen increased inquiry volumes as Ingram Micro customers seek alternative sourcing options. Some organizations have proactively reached out to alternative distributors to maintain business continuity during the outage.

### Communication Failures Compound Impact

Industry observers have criticized Ingram Micro's initial communication strategy. The company remained silent for nearly three days, providing only generic _"technical difficulties"_ messages while customers and partners struggled with service disruptions. This communication vacuum amplified customer frustration and uncertainty.

### Broader Supply Chain Vulnerabilities

The incident has highlighted the systemic risks associated with supply chain concentration. A recent ISACA survey found that 73% of IT professionals consider ransomware the top supply chain risk, with 52% of organizations having experienced supply chain compromises.

07-Jul-2025
6 min read