
Chaos Ransomware variant lures victims while masked as Minecraft alt list

Chaos ransomware variant targeting Japanese Minecraft players encrypt files only less than 2MB and destroys the rest despite paying the ransom...

30-Oct-2021
3 min read


Related Articles


SafePay ransomware cripples Ingram Micro's global operations, disrupting IT supp...

The technology distribution giant Ingram Micro confirmed on July 6, 2025, that it had fallen victim to a sophisticated ransomware attack by the rapidly emerging SafePay cybercriminal group, marking one of the most significant supply chain disruptions in the IT industry this year. The attack, which began on July 3, has crippled the company's global operations, leaving thousands of managed service providers (MSPs), resellers, and enterprise customers unable to access critical services, place orders, or manage software licenses.

## Attack Timeline: From Breach to Crisis

The Ingram Micro incident unfolded over five critical days, escalating from an initial security breach to a full-scale operational crisis that exposed the vulnerability of global IT supply chains.

### July 3: Initial Detection

The attack was first detected at approximately 8:00 AM Eastern Time on July 3, 2025, when Ingram Micro's security monitoring systems identified anomalous network activity[1][4]. By this time, SafePay ransomware had already begun encrypting critical internal systems and deploying ransom notes across employee devices[1][5].

### July 4: System Shutdown

As the extent of the breach became clear, Ingram Micro proactively took key systems offline, including its flagship AI-powered Xvantage distribution platform and the Impulse license provisioning system[1][6][7]. The company's websites went dark, displaying only maintenance messages, while customer portals became completely inaccessible[6][8].

### July 5-6: Communication Crisis

The company's initial silence sparked widespread frustration among partners and customers. MSPs reported being unable to serve their clients, while resellers found themselves locked out of ordering systems during critical end-of-quarter sales periods. One SP500 company CEO told CRN: _"This is our worst nightmare come true. If we can't place orders or get quotes, it stops our business"_.

### July 6: Official Confirmation

After three days of speculation, Ingram Micro officially confirmed the ransomware attack in a brief statement: _"Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline"_.

## SafePay Ransomware: Rapid Rise of a New Threat

The attack on Ingram Micro represents the latest high-profile victim of SafePay, a ransomware group that has experienced meteoric growth since its emergence in September 2024.

### From Obscurity to Market Leader

SafePay's trajectory has been remarkable in the ransomware landscape. Starting with just 5 victims in September 2024, the group rapidly scaled its operations, reaching a peak of 70 attacks in May 2025 and claiming the #1 position among active ransomware groups. This growth occurred despite—or perhaps because of—the disruption of major ransomware operations like LockBit and ALPHV in 2024.

### Unique Operational Model

Unlike most modern ransomware groups that operate under a Ransomware-as-a-Service (RaaS) model, SafePay maintains direct control over its operations. The group explicitly states on its dark web leak site: _"SAFEPAY RANSOMWARE HAS NEVER PROVIDED AND DOES NOT PROVIDE THE RAAS"_. This approach offers better operational security but limits scalability compared to affiliate-based models.

### Double-Extortion Tactics

SafePay employs sophisticated double-extortion techniques, stealing sensitive data before encrypting systems and threatening public disclosure if ransom demands are not met. The group's ransom note to Ingram Micro stated: _"We are the ones who can correctly decrypt your data and restore your infrastructure,"_ demanding payment within seven days.

## Technical Attack Vector: GlobalProtect VPN Vulnerability

Security researchers believe the Ingram Micro breach originated through the company's GlobalProtect VPN platform, highlighting persistent vulnerabilities in enterprise VPN solutions.

### Exploitation of Network Misconfigurations

In their ransom note, SafePay claimed that Ingram Micro's _"IT specialists made a number of mistakes in setting up the security of your corporate network,"_ allowing the attackers to maintain persistent access for an extended period. The group characterized the breach as _"a paid training session for your system administrators"_.

### Systemic VPN Vulnerabilities

The attack underscores broader concerns about VPN security in enterprise environments. Multiple critical vulnerabilities in Palo Alto Networks' GlobalProtect have been disclosed in 2025, including [CVE-2025-0120](https://nvd.nist.gov/vuln/detail/CVE-2025-0120), CVE-2025-0117, and CVE-2025-0133. These flaws have enabled privilege escalation, credential theft, and remote code execution in various configurations.

## Supply Chain Paralysis

The Ingram Micro attack has created unprecedented disruption across the global IT supply chain, affecting multiple stakeholder groups with varying degrees of severity.

### MSPs Bear the Brunt

Managed Service Providers have experienced the most severe impact, with many unable to serve their clients effectively. The disruption has prevented MSPs from managing Microsoft 365 licenses, provisioning software, and accessing critical backup systems. Stanley Louissaint, founder of New Jersey-based MSP Fluid Designs, described the situation: _"The biggest issue in this situation isn't even the attack itself. It's the lack of openness and communication"_.

### Reseller Operations Halted

Technology resellers worldwide have been unable to place orders for hardware and software, disrupting sales cycles and customer deliveries. The timing coincided with end-of-quarter sales periods, amplifying the financial impact for many partner organizations.

### Global Operations Affected

Ingram Micro's global reach—spanning 200 countries with 24,000 employees and $48 billion in annual revenue—means the disruption has had worldwide implications. Regional operations in the Middle East, Europe, and Asia-Pacific have all reported significant impacts.

### Financial Implications

Based on Ingram Micro's Q1 2025 revenue of $12.3 billion, the company generates approximately $137 million in daily revenue. Conservative estimates suggest the ongoing outage could result in daily losses of $5-15 million, potentially reaching $50-200 million for an extended disruption.

## Industry Response and Customer Migration

The prolonged outage has prompted customers to seek alternative suppliers, highlighting the concentration risk in the IT distribution market.

### Competitors Gain Ground

Major competitors like TD Synnex have reportedly seen increased inquiry volumes as Ingram Micro customers seek alternative sourcing options. Some organizations have proactively reached out to alternative distributors to maintain business continuity during the outage.

### Communication Failures Compound Impact

Industry observers have criticized Ingram Micro's initial communication strategy. The company remained silent for nearly three days, providing only generic _"technical difficulties"_ messages while customers and partners struggled with service disruptions. This communication vacuum amplified customer frustration and uncertainty.

### Broader Supply Chain Vulnerabilities

The incident has highlighted the systemic risks associated with supply chain concentration. A recent ISACA survey found that 73% of IT professionals consider ransomware the top supply chain risk, with 52% of organizations having experienced supply chain compromises.

07-Jul-2025
6 min read

Citrix NetScaler security patch causes login issues due to new CSP settings. Lea...

Citrix has issued a critical security patch for NetScaler appliances to address two severe vulnerabilities, including the high-profile "CitrixBleed 2" flaw. However, the latest update has led to unexpected login failures for many organizations, with administrators reporting blank authentication pages and broken third-party integrations. This article explains the root cause, the impact, and the actionable fixes.

### What Changed in the Latest Citrix NetScaler Update?

The July 2025 Citrix NetScaler patch addresses two major vulnerabilities: CVE-2025-5777 (CitrixBleed 2), which allows session hijacking, and CVE-2025-6543, an actively exploited denial-of-service bug. With these fixes, Citrix also silently enabled a strict Content-Security-Policy (CSP) header by default on Gateway and AAA virtual servers. This security enhancement is designed to block malicious scripts and prevent cross-site scripting (XSS) attacks.

### Why Are Login Pages Failing After the Patch?

Many organizations use custom authentication flows, third-party identity providers (IdPs) such as DUO, Azure AD, Okta, or SAML, and legacy JavaScript on their NetScaler login pages. The newly enforced CSP header, specifically `default-src 'self'`, blocks any inline scripts or external resources not explicitly allowed. As a result, the browser blocks the scripts needed to render login prompts or handle authentication, leading to blank or partially loaded login pages and failed authentication attempts.

### How to Fix NetScaler Login Issues After the Patch

Citrix recommends a two-step workaround to restore access while maintaining security:

1. **Temporarily disable the default CSP header** using the following commands:

   ```
   set aaa parameter -defaultCSPHeader DISABLED
   save ns config
   flush cache contentgroup loginstaticobjects
   ```

   This can also be done via the GUI under NetScaler Gateway > Global Settings > Change Authentication AAA Settings.

2. **Flush cached objects** to ensure the latest login resources are served.

Administrators should retest the login portal after applying these changes. If problems persist, Citrix advises contacting support with the affected configuration.

### Security Trade-Offs

While disabling the CSP header restores login functionality, it also reopens the client-side attack surface that the CSP was designed to protect. Organizations must weigh the immediate need for user access against the risk of XSS and other browser-based vulnerabilities. Citrix recommends disabling CSP only as a temporary measure and working toward a compliant, granular CSP policy that allows necessary scripts and resources without broadly reducing security.

### Long-Term Remediation Strategy

- **Patch promptly** to eliminate the critical vulnerabilities exploited in the wild.
- **Audit all custom authentication flows and scripts** used on NetScaler login pages.
- **Develop a tailored CSP policy** that whitelists only required domains and scripts.
- **Test and document** all changes to ensure future updates do not disrupt access.
- **Terminate all active sessions** after applying the CitrixBleed 2 patch to prevent session token replay attacks.

### Security vs. Usability

This incident highlights the ongoing challenge of balancing robust security controls with business continuity. The Citrix NetScaler update demonstrates how even well-intentioned security enhancements can disrupt critical workflows if not communicated and tested thoroughly. Administrators are urged to stay informed about vendor advisories and to proactively review custom integrations for compatibility with evolving security standards.

The Citrix NetScaler patch for CitrixBleed 2 and related vulnerabilities is essential for protecting enterprise infrastructure from active threats. However, the introduction of a default CSP header has caused widespread login failures for organizations relying on custom or third-party authentication. By following Citrix's recommended workaround and developing a long-term CSP strategy, administrators can restore access while maintaining a strong security posture. Staying current with security updates and best practices ensures both protection and operational resilience in today's threat landscape.
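As an added illustration of the CSP behaviour described above (example code, not from the article or from Citrix), the following Python script evaluates which resources of a customised login page a browser would refuse under the patch's default header, under the disabled-header workaround, and under a tailored policy of the kind the long-term strategy calls for. Every hostname, resource path and nonce in it is a constructed placeholder.

```python
"""Added example (not from the article or from Citrix): a minimal CSP evaluator
showing why the patch's default header breaks a customised Gateway login page
and what a tailored policy looks like. Hostnames and resources are constructed."""
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src: str, resource: dict, page_origin: str) -> bool:
    """Does one source expression permit this resource?"""
    if resource.get("inline"):  # inline script needs 'unsafe-inline' or a matching nonce
        return src in ("'unsafe-inline'", f"'nonce-{resource.get('nonce')}'")
    parts = urlsplit(resource["url"])
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    s = src.lower()
    if s == "'self'":
        return origin == page_origin.lower()
    if s.startswith("'"):  # 'none', nonces and 'unsafe-inline' never match a URL
        return False
    return s == "*" or s == origin or (s == "https:" and origin.startswith("https:"))

def is_allowed(header: str, resource: dict, page_origin: str) -> bool:
    """script-src/connect-src fall back to default-src; no directive at all means unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(resource["directive"], policy.get("default-src"))
    return sources is None or any(source_matches(s, resource, page_origin) for s in sources)

GATEWAY_ORIGIN = "https://gateway.example.com"  # constructed
LOGIN_RESOURCES = [  # constructed: what a customised login page might load
    {"name": "NetScaler login JS", "directive": "script-src", "url": "https://gateway.example.com/logon/js/login.js"},
    {"name": "IdP widget script", "directive": "script-src", "url": "https://idp.example.com/widget.js"},
    {"name": "inline submit handler", "directive": "script-src", "inline": True, "nonce": "r4nd0m"},
    {"name": "IdP auth call", "directive": "connect-src", "url": "https://idp.example.com/api/v1/authn"},
]
DEFAULT_CSP = "default-src 'self'"  # the header the patch enables, per the article
DISABLED_CSP = ""                   # the Citrix workaround: no CSP header at all
TAILORED_CSP = ("default-src 'self'; script-src 'self' https://idp.example.com 'nonce-r4nd0m'; "
                "connect-src 'self' https://idp.example.com")  # constructed long-term policy

def blocked_by(header: str) -> list:
    """Names of login-page resources the browser would refuse under this header."""
    return [r["name"] for r in LOGIN_RESOURCES if not is_allowed(header, r, GATEWAY_ORIGIN)]
```

Calling `blocked_by(DEFAULT_CSP)` lists the IdP script, the inline handler and the IdP API call, which is exactly the blank-page symptom; `blocked_by(TAILORED_CSP)` returns nothing blocked without giving up the header entirely.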

03-Jul-2025
4 min read

Cisco fixes a severe Unified CM flaw exposing systems to root access. Learn abou...

Cisco has released a critical security update for its Unified Communications Manager (Unified CM, formerly CallManager), addressing a severe vulnerability that left enterprise telephony systems exposed to remote root access. The flaw, tracked as CVE-2025-20309, was caused by a hardcoded root SSH account present in several recent Engineering Special (ES) releases, allowing unauthenticated attackers to gain full control over affected systems. This vulnerability underscores the ongoing challenge of secure software development and the risks posed by overlooked backdoors in widely deployed enterprise infrastructure.

### What Is the Cisco Unified CM Backdoor Vulnerability?

The vulnerability was discovered in Unified CM and Unified CM SME ES releases 15.0.1.13010-1 through 15.0.1.13017-1. Due to a static root credential left over from development and testing, attackers could remotely log in via SSH as root, bypassing all authentication and security controls. Once inside, an attacker could execute arbitrary commands, access sensitive data, disrupt communications, or pivot deeper into enterprise networks. Cisco confirmed that all deployments running the affected ES releases are at risk, regardless of configuration. There are currently no workarounds; patching is mandatory to mitigate exposure.

### Who Is at Risk?

Organizations using Cisco Unified CM or Unified CM SME in the specified versions are directly at risk. Unified CM is a core component of enterprise communication, managing VoIP, video, messaging, and conferencing for thousands of organizations worldwide. The presence of a root backdoor in such a critical system elevates the risk profile, as a compromise could lead to widespread operational disruption and data breaches.

### How Was the Issue Discovered and Addressed?

Cisco's internal security team identified the hardcoded account during a routine review. The company responded by releasing a patch in July 2025 (15SU3) and a targeted fix (CSCwp27755) that removes the backdoor account. Cisco has also published indicators of compromise to help administrators detect any unauthorized root access attempts, including guidance to review SSH logs for suspicious activity. No active exploitation or public proof-of-concept code has been reported as of publication, but Cisco's transparency and rapid response reflect the criticality of the threat.

### Detection and Remediation Steps

Immediate actions for administrators:

- **Patch immediately:** Upgrade to Unified CM or Unified CM SME 15SU3 or apply the CSCwp27755 patch.

### Recurring Backdoor Risks

This is not the first time Cisco has addressed hardcoded credentials in its products. Similar backdoors have been discovered in IOS XE, WAAS, DNA Center, and other Cisco software over recent years, highlighting a persistent industry challenge: ensuring that development artifacts and test accounts are fully removed before release. The recurrence of such issues emphasizes the need for rigorous code audits, secure development practices, and continuous security testing.

### Best Practices for Enterprise Security

- **Apply security patches promptly:** Delays in patching expose organizations to preventable risks.
- **Conduct regular audits:** Routinely review systems for unauthorized accounts, unexpected open ports, and suspicious activity.
- **Implement least privilege:** Restrict administrative access and monitor privileged account usage.

The discovery and swift remediation of the Unified CM backdoor root account serve as a critical reminder of the importance of secure software development and proactive vulnerability management in enterprise environments. Organizations running Cisco Unified CM must act immediately to patch affected systems, audit for compromise, and reinforce security best practices to protect their communications infrastructure from evolving threats.
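As an added example (not code from the article or from Cisco), the following script performs the kind of SSH log review the article says Cisco recommends, flagging every accepted root session in sshd-style auth log lines and counting them per source address. The sample lines are constructed, and because the article does not give Unified CM's log format or path, the script assumes standard OpenSSH syslog output.

```python
"""Added example (not from the article or from Cisco): scan OpenSSH-style auth log
lines for accepted root SSH logins, the check the article's advice to review SSH
logs for unauthorized root access calls for. Sample lines are constructed; the
sshd syslog format is an assumption, not Unified CM's documented format."""
import re
from collections import Counter

# sshd's "Accepted <method> for <user> from <ip> port <n>" line (assumed format)
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+")

def root_logins(lines):
    """Return (timestamp, auth method, source ip) for every accepted root session."""
    hits = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m and m["user"] == "root":
            hits.append((m["ts"], m["method"], m["ip"]))
    return hits

def root_logins_by_source(lines):
    """Count accepted root sessions per source address; any non-zero count warrants investigation."""
    return Counter(ip for _, _, ip in root_logins(lines))

SAMPLE_LOG = """\
Jul  2 08:14:03 cucm-pub sshd[2231]: Accepted password for admin from 10.0.5.20 port 51422 ssh2
Jul  2 08:15:11 cucm-pub sshd[2240]: Failed password for root from 10.0.9.77 port 40011 ssh2
Jul  2 08:15:14 cucm-pub sshd[2240]: Accepted password for root from 10.0.9.77 port 40011 ssh2
Jul  2 09:02:45 cucm-pub sshd[2390]: Accepted publickey for root from 10.0.9.77 port 40102 ssh2
Jul  2 09:30:00 cucm-pub sshd[2455]: Accepted password for admin from 10.0.5.20 port 51600 ssh2
""".splitlines()  # constructed sample lines, not real Unified CM logs

if __name__ == "__main__":
    for ts, method, ip in root_logins(SAMPLE_LOG):
        print(f"ROOT LOGIN {ts} via {method} from {ip}")
    print(dict(root_logins_by_source(SAMPLE_LOG)))
```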

02-Jul-2025
3 min read