
Advisory Alert: C&M Software Supply Chain Attack Affects Brazilian Banks


What We Know

On Wednesday, Brazil’s central bank reported a cyberattack against a company called C&M Software. C&M Software connects financial institutions to Brazil’s core payment systems.

C&M Software (C&M) commercial director Kamal Zogheib said the company was a direct victim of the cyberattack. The attackers used legitimate client credentials to access C&M's systems and services, so the initial access looked like normal authenticated use rather than an exploit.

Zogheib said critical systems remain intact and operational, adding that all security protocol measures had been implemented. The company is cooperating with the central bank and the Sao Paulo state police in the ongoing investigation.

C&M is a third-party provider within Brazil’s financial infrastructure. It is a technology services provider responsible for connecting banks to Pix and Brazilian Payments System (SPB). Crucially, C&M caters to financial institutions lacking connectivity infrastructure. This makes C&M vital for smaller financial entities to access the core national payment systems. This strategic role made C&M a gateway for the attackers to impact multiple financial institutions.

This incident illustrates how compromising a single third-party provider can affect every institution that depends on it, turning one vendor's weakness into systemic financial risk.

On Friday, July 4th, police arrested a C&M employee who confessed to being recruited to provide the credentials necessary for the attack. This confirms the incident was a targeted insider-assisted heist, driven by social engineering.

While this high-profile attack involved an employee who was paid for access, it powerfully illustrates a universal risk: valuable credentials are the ultimate prize. Attackers don’t always need to find a willing conspirator. Infostealer malware, like the Lumma and Redline variants detailed in this advisory, automates this exact process at a massive scale.

Instead of paying one person, attackers deploy malware that harvests the same login data from thousands of employees at negligible cost. The end result is the same: criminals gain unauthorized access to critical systems. The C&M breach is a stark reminder that whether credentials are sold by an insider or stolen by malware, they remain the weakest point in an organization's defense.

Key Observations

  • Unauthorized credential access, whether bought from an insider or harvested by infostealers, is a rapidly growing threat.
  • Lumu highlighted in our 2025 Predictions that:
  • Lumu’s latest Compromise Report reveals a persistent wave of infostealer-driven compromises targeting employees and users in Brazil throughout 2025.

The most common infostealer variants continue to be Redline and Lumma, despite efforts by Microsoft and Europol to dismantle their operations.

Threat intelligence data from Maltiverse by Lumu shows active IoCs for both families, with activity growing in recent weeks. This trend is visible in the following graph:

You can stay up to date with the latest IoCs on Maltiverse by Lumu. Use the following query: Redline and Lumma

Brazilian Infostealer Statistics

Infostealer Groups in Brazil

Infostealers by Industry in Brazil

Software Supply Chain Attacks: Third-Party Risk

The C&M Software incident is a supply chain attack on a trusted third-party provider: rather than breaching each bank directly, the attackers compromised a vendor whose systems are authorized to connect to the banks' core payment infrastructure. In the better-known software variant, attackers infiltrate a vendor's network and tamper with software that is then shipped to its customers. In both cases, the attackers exploit the least secure part of the supply chain and inherit the trust that its customers have already granted it.

Several past incidents show this danger:

  • SolarWinds (2020)
    Attackers inserted a backdoor, named SUNBURST, into the Orion software platform and distributed it through routine signed updates. The compromised software reached thousands of customers, including government agencies and Fortune 500 companies, giving the attackers remote access from which they could steal data. This highlights the crucial need for continuous monitoring, even of approved software.
  • Kaseya (2021)
    The REvil ransomware group exploited vulnerabilities in Kaseya's VSA remote administration tool. This allowed the attackers to push ransomware to an estimated 800 to 1,500 downstream businesses served by Managed Service Providers (MSPs) that used Kaseya for their daily work.
  • Target (2013)
    An older but pivotal example: attackers gained access to Target's network using credentials stolen from a third-party HVAC (heating and air conditioning) contractor. This led to the theft of payment card data for tens of millions of customers.

What You Should Do Now

This isn’t just about C&M and insider threats. It’s about your entire trust surface. It is essential to review who you trust to access your critical systems, and how you validate that trust.

If you are a Lumu customer, you have access to assistance. Go to Lumu Global MITRE ATT&CK in the customer portal. There you can compare the techniques observed in your own environment against the global MITRE ATT&CK Matrix and spot deviations from your expected threat landscape. This helps you gauge your own exposure to this threat and prioritize defensive actions. For more details on the Global MITRE ATT&CK Matrix, visit this article.

Here are some strategic recommendations:

  1. Review Third‑Party Connectivity
    Maintain an up‑to‑date list of outside providers with access to critical infrastructure. Grant only the privileges that providers need. Limit access to pre‑approved IP ranges.
  2. Rotate and Monitor Credentials
    Implement short‑lived API tokens and mandatory key rotation policies. Continuously monitor for anomalous API calls from unusual locations or autonomous system numbers.
  3. Implement Multi-Factor Authentication (MFA)
    Require MFA, preferably phishing-resistant, for internal systems, APIs, and every external connection into your network, so that a leaked or sold password alone is not enough to authenticate.
  4. Adopt Continuous Compromise Assessment
    Don’t just rely on perimeter defenses. Use network‑based detection to find misuse of credentials or unexpected data flows.
  5. Segment Reserve and Settlement Accounts
    Where possible, route high-value instructions through segregated, temporary reserve accounts that require a separate approval step before settlement. Combine this with just-in-time access controls so that a compromised credential cannot issue settlement instructions on its own and fraudulent instructions can be isolated and held.
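Recommendations 1 and 2 above (allowlisted source networks, short-lived tokens, and detection of calls from unfamiliar locations or ASNs) can be expressed as a small audit over API gateway logs. The following is an added example written for this advisory, not C&M's or Lumu's code; the client names, CIDR ranges, ASNs, field names and log lines are all constructed for illustration, and a real deployment would read the same fields from its gateway logs and token claims.

```python
"""
Audit third-party client API calls against per-client access policy.

Added example, not code from C&M or Lumu. Each integrating client has an
allowlist of source networks, a set of ASNs it has historically used, and a
maximum token lifetime. Calls that violate any of these are flagged.
All clients, networks, ASNs and log entries below are constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical per-client policy (assumption for this example).
CLIENT_POLICY = {
    "bank-a": {
        "cidrs": ["203.0.113.0/24"],
        "known_asns": {64500},
        "max_token_age": timedelta(hours=1),
    },
    "bank-b": {
        "cidrs": ["198.51.100.0/25", "198.51.100.128/25"],
        "known_asns": {64501},
        "max_token_age": timedelta(hours=1),
    },
}

# Constructed API access log. In practice, src_ip/asn come from the gateway and
# token_issued_at from the token's own claims (for a JWT, the "iat" field).
SAMPLE_LOG = [
    {"ts": "2025-07-02T03:10:00Z", "client": "bank-a", "src_ip": "203.0.113.7",
     "asn": 64500, "token_issued_at": "2025-07-02T02:40:00Z", "op": "balance"},
    {"ts": "2025-07-02T03:12:00Z", "client": "bank-a", "src_ip": "192.0.2.55",
     "asn": 64999, "token_issued_at": "2025-07-02T02:40:00Z", "op": "transfer"},
    {"ts": "2025-07-02T03:15:00Z", "client": "bank-b", "src_ip": "198.51.100.200",
     "asn": 64501, "token_issued_at": "2025-07-01T20:00:00Z", "op": "transfer"},
    {"ts": "2025-07-02T03:16:00Z", "client": "bank-c", "src_ip": "198.51.100.9",
     "asn": 64501, "token_issued_at": "2025-07-02T03:00:00Z", "op": "balance"},
]


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_allowlist(ip, cidrs):
    """True if ip falls inside any of the allowlisted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def check_call(entry, policy=CLIENT_POLICY):
    """Return a list of findings for one API call; an empty list means clean."""
    findings = []
    rule = policy.get(entry["client"])
    if rule is None:
        # Fail closed: a client with no policy on file is never silently accepted.
        return ["unknown client: no policy on file"]
    if not _in_allowlist(entry["src_ip"], rule["cidrs"]):
        findings.append(f"source {entry['src_ip']} outside allowlisted ranges")
    if entry["asn"] not in rule["known_asns"]:
        findings.append(f"ASN {entry['asn']} not previously seen for this client")
    age = _parse_ts(entry["ts"]) - _parse_ts(entry["token_issued_at"])
    if age > rule["max_token_age"]:
        findings.append(f"token is {age} old, exceeds {rule['max_token_age']}")
    return findings


def audit(log, policy=CLIENT_POLICY):
    """Run check_call over a log; return {index: findings} for flagged calls only."""
    flagged = {}
    for i, entry in enumerate(log):
        findings = check_call(entry, policy)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, findings in audit(SAMPLE_LOG).items():
        e = SAMPLE_LOG[i]
        print(f"[{e['ts']}] {e['client']} {e['op']} from {e['src_ip']}:")
        for f in findings:
            print("   -", f)
```

On the constructed log, the first call is clean, the second is flagged twice (source outside the allowlist and an ASN never seen for that client), the third is flagged for a token older than the one-hour limit, and the fourth is rejected because the client has no policy on file. Failing closed on unknown clients matters in a gateway like C&M's, where every connected institution should have an explicit, reviewed entry.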

How Lumu Helps

Lumu enables organizations to operate cybersecurity with full visibility of confirmed compromise. By continuously measuring compromise, Lumu helps security teams prioritize response and confirm the effectiveness of their controls.

To further enhance your defenses, Lumu offers:

  • Maltiverse: Get curated threat intelligence to stay ahead of emerging threats like infostealers and other advanced malware.
  • Lumu Discover: Gain continuous visibility into your external attack surface. This includes the ability to monitor for exposed credentials within your third-party vendor ecosystem.

Together, these capabilities provide a multi-layered view of both internal and external threats, helping you neutralize them before they grow.
