CISO Talk by James Azar
CyberHub Podcast
Ingram Micro Outage Caused by SafePay Ransomware Attack, Two New Pro-Russian Hacktivist Groups Target Ukraine, Police in Brazil Arrest Suspect Over $100M Banking Hack


Brazil Arrests $100M Banking System Hacker, Mysterious Night Eagle Threat Actor Targets China's High-Tech Sectors, and Interpol Reports Cybercrime Compounds Moving from Asia to West Africa

Good Morning Security Gang!

Happy Monday, and I hope everyone had an amazing Fourth of July holiday! If you're still on holiday today, you've bridged the Friday into the Monday - I applaud you and thank you so much for doing that because we all need a little bit more time away.

Today I'm covering a major ransomware hit on IT giant Ingram Micro that destroyed their Fourth of July weekend, new pro-Russian hacktivist groups targeting Ukraine through insider recruitment, and Brazilian authorities arresting a suspect in a $100 million banking system hack. From Virginia county employee data breaches to mysterious threat actors targeting China, I'm delivering the essential cybersecurity intelligence you need to start this post-holiday week.

Ingram Micro Suffers Ransomware Attack During Holiday Weekend

Ingram Micro confirmed a ransomware attack by the SafePay group that has kept internal systems down since the Thursday before July 4th. The world's largest B2B technology distributor had its website and ordering systems offline, impacting resellers and MSPs worldwide.

"My heart, my prayers, my thoughts are with the team over at Ingram Micro because it happened on the holiday weekend... Right before every major holiday, threat actors typically deploy because they're catching people on the way out - you've got people on vacation, people logging off." - James Azar On the Ingram Micro ransomware attack timing

Threat actors deliberately target holiday weekends because people are on vacation, security teams are understaffed, and organizations are more likely to pay ransoms to resolve incidents quickly without disrupting business operations.

Two New Pro-Russian Hacktivist Groups Target Ukraine

Intel471 identified two new pro-Russian groups - IT Army of Russia and TUNED - using Telegram to coordinate attacks and recruit Ukrainian insiders. The IT Army of Russia has over 800 subscribers and targets Ukrainian critical infrastructure and small businesses to pressure the government. These decentralized groups likely rebrand frequently, with members joining and leaving different operations under new names to avoid detection and attribution.

Virginia County Employees Hit by Black Suit Ransomware

Gloucester County, Virginia notified 3,527 current and former employees that their personal information was stolen in an April 22nd breach by Black Suit ransomware. The stolen data included Social Security numbers, names, driver's license numbers, health insurance numbers, and medical information. Black Suit has a history of targeting municipalities, and we covered this incident briefly when it first occurred.

Brazil Arrests Suspect in $100M Banking System Hack

Brazilian police arrested João Roque, a C&M Software employee, for helping steal over $100 million from the PIX payment system used by 76% of Brazil's population. The insider threat targeted C&M, which connects financial institutions to Brazil's central bank for PIX transactions. This shows how vulnerable third-party payment platforms like Zelle, Venmo, and Cash App can be to insider attacks, especially when employees have access to critical financial infrastructure.

Mysterious "Night Eagle" Threat Actor Targets China

Researchers identified a previously unknown threat actor called "Night Eagle" targeting China's high-tech sectors including semiconductors, quantum technology, AI, and military organizations.

"We often talk about China being the predator in the cyber world - well this specific attack seems to be taking advantage of China... So China is also getting taken a little bit - gives a little bit of confidence, doesn't it?" - James Azar On the Night Eagle threat actor targeting China

The North America-based group operates during Beijing overnight hours (9 PM-6 AM) and uses zero-day exploits to compromise Exchange servers. For once, China is getting a taste of its own medicine - gives a little bit of confidence, doesn't it?

Pakistani Group Targets Indian Government with Modified D-RAT

The Pakistani-linked Insecant group targeted Indian government organizations with a modified D-RAT (Remote Access Trojan), spoofing the Indian Ministry of Defense through cloned press releases. The evolving malware architecture demonstrates how threat actors refine their tools to evade detection and maintain persistence. The naming conventions are getting complicated - everyone gives threats different names with no unified system.

Grafana Addresses Critical Chromium Vulnerabilities

Grafana released critical security updates for four Chromium vulnerabilities (CVEs 2025-59596, 65461, 91619, 91612) affecting the V8 JavaScript and WebAssembly engines. Organizations must immediately update Grafana Image Renderer to version 3.12.9 or later and Synthetic Monitoring Agent to version 0.38.3 or later to address these critical flaws.

Interpol Reports Cybercrime Compounds Moving to West Africa

Interpol reports cybercrime compounds are expanding from Southeast Asia to West Africa, with victims from 60+ countries being trafficked to online scam centers. While three-quarters still end up in Cambodia, Laos, and Myanmar, the geographic expansion to Nigeria and West Africa makes this criminal infrastructure more resilient and harder for law enforcement to combat.

James Azar's CISO Take

My analysis today focuses heavily on the deliberate timing of cyber attacks and how threat actors exploit human psychology and organizational vulnerabilities during holidays and transitions. The Ingram Micro ransomware attack perfectly illustrates what I've been warning about for years - threat actors specifically target holiday weekends because they know security teams are understaffed, executives are offline, and the pressure to pay ransoms is significantly higher when everyone just wants to get back to their vacation.

I spoke to a threat actor some time ago who confirmed this strategy, and it's mathematically sound from their perspective. What breaks my heart is thinking about the Ingram Micro security team, IT infrastructure team, executive team, and communications team who had their Fourth of July weekend absolutely destroyed by this event. They're victims of a crime, and we need to remember that while it's easy to judge these situations, in cybersecurity they only have to be right once while we have to be right 100% of the time - which is mathematically impossible.

What gives me some satisfaction today is seeing that China is finally getting a taste of their own medicine with the Night Eagle threat actor targeting their high-tech sectors during Beijing overnight hours. For years we've watched China systematically steal intellectual property and conduct espionage against Western nations, so seeing them on the receiving end of sophisticated attacks gives me a little bit of confidence.

The Brazil PIX system attack demonstrates once again how insider threats remain one of our greatest vulnerabilities, especially as financial systems become increasingly interconnected through third-party payment platforms. The proliferation of pro-Russian hacktivist groups targeting Ukraine shows how cyber warfare continues to evolve with decentralized threat actors that can quickly rebrand and adapt their operations.

The movement of cybercrime compounds from Asia to West Africa according to Interpol indicates that this global criminal infrastructure is becoming more resilient and geographically distributed, making it even harder for law enforcement to combat effectively.

Action Items for Security Teams

  • Holiday security protocols: Implement enhanced monitoring and incident response procedures before all major holidays

  • Ingram Micro dependency review: Assess organizational dependencies on Ingram Micro services and implement contingency plans

  • Insider threat monitoring: Enhance monitoring for employees with access to financial systems and payment platforms

  • Grafana critical updates: Immediately update all Grafana Image Renderer and Synthetic Monitoring Agent installations

  • Network microsegmentation: Review and strengthen network segmentation to limit ransomware lateral movement

  • Exchange server hardening: Audit Microsoft Exchange servers for potential zero-day vulnerabilities and unauthorized access

  • Third-party payment system security: Evaluate security controls for all third-party payment processing platforms

  • Municipal security assessment: For government organizations, review Black Suit ransomware TTPs and implement appropriate defenses

  • Ukraine-related organization monitoring: Implement enhanced security for any organizations with Ukraine connections or operations

  • Zero trust insider controls: Strengthen zero trust principles specifically focused on insider threat detection

  • Incident response staffing: Ensure adequate incident response coverage during holiday periods and staff transitions

  • Threat intelligence integration: Monitor for SafePay ransomware group indicators and TTPs

  • Financial system resilience: Test backup and recovery procedures for critical payment and financial systems

  • West Africa cybercrime awareness: Brief security teams on emerging cybercrime compound operations in West Africa

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/

https://therecord.media/twonet-it-army-of-russia-new-hacktivist-groups-target-ukraine

https://therecord.media/virginia-county-says-ransomware-attack-exposed-ssns

https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html

https://thehackernews.com/2025/07/tag-140-deploys-drat-v2-rat-targeting.html

https://therecord.media/interpol-west-africa-cybercrime-compounds

https://www.securityweek.com/police-in-brazil-arrest-a-suspect-over-100m-banking-hack/

https://www.bleepingcomputer.com/news/security/grafana-releases-critical-security-update-for-image-renderer-plugin/

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
