Shaarli daily digest

All of one day's links on one page.

May 30, 2025

Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign

Executive Summary:

  • A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods.
  • GreyNoise observed the campaign in March 2025; Censys scan data reveals its global footprint and how it has evolved over the past five months.
  • 4,504 ASUS devices show indicators of compromise as of May 28, 2025, identified by having SSH running on port TCP/53282 — a relatively strong indicator of AyySSHush compromise, since this high, nonstandard port is specifically used by the botnet.
  • The compromises are globally spread with an APAC concentration: the top affected countries include the U.S., Sweden, Taiwan, Singapore, and Hong Kong.
  • Residential ISPs across Asia, Europe, and the U.S. appear to be the main targeted networks, aligning with the typically observed residential proxy botnet strategy that mimics legitimate users to evade detection.
  • Historical trends in compromises observed online reveal a highly dynamic scale of botnet operations that rapidly scaled up and down by 50% in a matter of weeks.
  • Attackers leverage ASUS's own built-in configuration tools to inject SSH keys that survive firmware resets -- patching alone isn't enough.
  • Check out our live dashboard tracking exposed ASUS devices with indicators of compromise.

Introduction

On March 18, 2025, researchers at GreyNoise uncovered a sophisticated botnet campaign targeting ASUS routers. Dubbed AyySSHush, the operation exploits legitimate features of ASUS’s AiProtection system to implant persistent SSH backdoors that survive firmware resets. This is an alarming example of threat actors exploiting vendor-sanctioned capabilities to establish a persistent, hard-to-detect presence in consumer-grade hardware.

Censys has been tracking this botnet’s global footprint in partnership with findings from both GreyNoise and Sekoia researchers.

To aid in ongoing tracking and research, we’ve launched a live dashboard that tracks exposed ASUS routers showing indicators of AyySSHush compromise. The data updates daily and provides real-time insight into global trends.
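As an added example (not code from Censys or GreyNoise), the following script applies the indicator described above, an SSH service listening on TCP/53282 on an ASUS device, to a small set of constructed scan records and tallies hits per country the way the summary above does. The record layout (`ip`, `country`, `vendor`, `services`) is an assumption and not any real scanner's schema; the IPs are documentation addresses, not real hosts.

```python
from collections import Counter

# Indicator from the reporting above: SSH listening on TCP/53282 on an ASUS device.
AYYSSHUSH_SSH_PORT = 53282

# Constructed sample records (not real hosts). The field layout is an assumption,
# loosely modelled on host/service scan output; it is not a real scanner schema.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "country": "US", "vendor": "ASUS",
     "services": [{"port": 22, "name": "SSH"}, {"port": 53282, "name": "SSH"}]},
    {"ip": "192.0.2.11", "country": "SE", "vendor": "ASUS",
     "services": [{"port": 53282, "name": "SSH"}]},
    {"ip": "192.0.2.12", "country": "TW", "vendor": "ASUS",
     "services": [{"port": 8443, "name": "HTTP"}]},
    # Non-ASUS host with SSH on 53282: the indicator is specific to ASUS devices.
    {"ip": "192.0.2.13", "country": "US", "vendor": "Acme",
     "services": [{"port": 53282, "name": "SSH"}]},
    # ASUS host with a non-SSH service on 53282: the port alone is not the indicator.
    {"ip": "192.0.2.14", "country": "SG", "vendor": "ASUS",
     "services": [{"port": 53282, "name": "HTTP"}]},
]


def has_indicator(record):
    """True if the record is an ASUS device exposing an SSH service on TCP/53282."""
    if record.get("vendor", "").upper() != "ASUS":
        return False
    return any(
        svc.get("port") == AYYSSHUSH_SSH_PORT and svc.get("name", "").upper() == "SSH"
        for svc in record.get("services", [])
    )


def flag_suspects(records):
    """IPs of records matching the indicator, in input order."""
    return [r["ip"] for r in records if has_indicator(r)]


def count_by_country(records):
    """Per-country count of matching records, as in the summary statistics above."""
    return Counter(r["country"] for r in records if has_indicator(r))


if __name__ == "__main__":
    print("suspect hosts:", flag_suspects(SAMPLE_RECORDS))
    print("by country:", dict(count_by_country(SAMPLE_RECORDS)))
```

Both the vendor and the service name are required, which mirrors the wording above: the report calls the port a relatively strong indicator on ASUS devices, not proof of compromise, so a hit should be confirmed on the device (for example by reviewing configured SSH keys after a factory reset) rather than treated as conclusive.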

Lyrix Ransomware

CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and compiled with PyInstaller — allowing it to run as a standalone executable with all dependencies — Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files. Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches.

Target technologies: Windows operating system
Written in: Python
Encrypted file extension: original file names appended with ‘.02dq34jROu’
Observed first: 2025-04-20

Problem Statement
Lyrix Ransomware targets Windows operating systems using advanced evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums.

Basic Details

Filename: Encryptor.exe
Size: 20.43 MB
Signed: Not signed
File type: Win32 EXE
Timestamp: Sun Apr 20 09:04:34 2025 (UTC)
SHA-256 hash: fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

Checkmarx Zero researcher Ariel Harush has discovered evidence of a malicious package campaign that is consistent with live adversarial activity and adversarial research and testing. This campaign targets Python and NPM users on Windows and Linux via typo-squatting and name-confusion attacks against colorama (a widely-used Python package for colorizing terminal output) on PyPI and the similar colorizr JavaScript package on NPM. These malicious packages were uploaded to PyPI.

  • Multiple packages uploaded to PyPI with significantly risky payloads were uploaded with names similar to legitimate packages in both PyPI and NPM.
  • The tactic of using the name from one ecosystem (NPM) to attack users of a different ecosystem (PyPI) is unusual.
  • Payloads allow persistent remote access to and remote control of desktops and servers, as well as harvesting and exfiltrating sensitive data.
  • Windows payloads attempt to bypass antivirus/endpoint protection controls to avoid detection.
  • Packages have been removed from public repositories, limiting immediate potential for damage.

These behaviors are consistent with targeted adversarial activity and coordinated campaigns. Based on this pattern, it is likely that these packages were created to attack a particular target or set of targets. No clear attribution data is currently available, so we do not know whether this campaign is connected to a well-known adversary.
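The cross-ecosystem name confusion described above (an npm name such as colorizr reused on PyPI, next to near-miss spellings of colorama) is something a registry or an internal package-intake gate can screen for mechanically. The script below is an added example, not Checkmarx's tooling: it normalises a candidate name the way PyPI does (case-folded, runs of `-`, `_` and `.` collapsed), then compares it against a watchlist of known names per ecosystem, reporting exact collisions with a name from a different ecosystem and near-misses within a small edit distance. The watchlist is constructed; only colorama (PyPI) and colorizr (npm) come from the report, the other entries are placeholders.

```python
import re

# Constructed watchlist of well-known names per ecosystem. Only colorama (PyPI) and
# colorizr (npm) are taken from the report above; the others are placeholder entries.
KNOWN_PACKAGES = {
    "pypi": {"colorama", "requests"},
    "npm": {"colorizr", "chalk"},
}


def normalize(name):
    """PEP 503-style normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess_name(candidate, target_ecosystem, known=KNOWN_PACKAGES, max_distance=2):
    """Findings for a name proposed in target_ecosystem.

    Returns a list of (kind, ecosystem, known_name) tuples:
      - "cross-ecosystem-collision": exact match with a known name from another ecosystem
      - "near-miss": within max_distance edits of a known name (any ecosystem)
    An exact match within the same ecosystem is not a finding: it is simply taken.
    """
    cand = normalize(candidate)
    findings = []
    for eco, names in known.items():
        for known_name in sorted(names):
            dist = edit_distance(cand, normalize(known_name))
            if dist == 0 and eco != target_ecosystem:
                findings.append(("cross-ecosystem-collision", eco, known_name))
            elif 0 < dist <= max_distance:
                findings.append(("near-miss", eco, known_name))
    return findings


if __name__ == "__main__":
    for name in ("colorizr", "colourama", "colorama"):
        print(name, "->", assess_name(name, "pypi"))
```

A plain edit-distance threshold is deliberately simple; production screening usually also considers keyboard-adjacent substitutions, homoglyphs and prefix/suffix padding, and treats a hit as a reason for manual review rather than automatic rejection.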

Cross-Platform Supply Chain Attacks Targeting Users of

UK to deliver pioneering battlefield system and bolster cyber warfare capabilities under Strategic Defence Review

Defence Secretary announces new Cyber and Electromagnetic Command and £1 billion investment in pioneering battlefield system.

Defence Secretary John Healey with personnel at MoD Corsham. MoD Crown Copyright.

  • More than £1 billion to be invested in pioneering ‘Digital Targeting Web’ to spearhead battlefield engagements, applying lessons learnt from Ukraine to the UK Armed Forces.
  • New Cyber and Electromagnetic Command will oversee cyber operations for Defence as careers pathway accelerated.
  • Innovation delivers on the Government’s Plan for Change by bolstering national security and creating skilled jobs.

Pinpointing and eliminating enemy targets will take place faster than ever before, as the Government invests more than £1 billion to equip the UK Armed Forces with a pioneering battlefield system.

A new Cyber and Electromagnetic Command will also be established to put the UK at the forefront of cyber operations as part of the Strategic Defence Review (SDR). The announcements were made by Defence Secretary, John Healey MP on a visit to MOD Corsham, the UK military’s cyber HQ.

The Ministry of Defence will develop a new Digital Targeting Web to better connect Armed Forces weapons systems and allow battlefield decisions for targeting enemy threats to be made and executed faster.

This pioneering digital capability will give the UK a decisive advantage through greater integration across domains, new AI and software, and better communication between our Armed Forces. As an example, a threat could be identified by a sensor on a ship or in space before being disabled by an F-35 aircraft, drone, or offensive cyber operation.

This follows the Prime Minister’s historic commitment to increase defence spending to 2.5% of GDP, recognising the critical importance of military readiness in an era of heightened global uncertainty.

Delivering this new Digital Targeting Web is central to UK efforts to learn lessons directly from the front line in Ukraine. When the Ukrainians achieved a step-change in lethality early in the war – by being able to find the enemy, target them and attack quickly and at scale – it allowed them to stop the encircling Russian advance.

The Ministry of Defence will establish a Cyber and Electromagnetic Command. It will sit under General Sir James Hockenhull’s Command and follows the MOD having to protect UK military networks against more than 90,000 ‘sub-threshold’ attacks in the last two years. The Command will lead defensive cyber operations and coordinate offensive cyber capabilities with the National Cyber Force.

The new Command will also harness all the Armed Forces’ expertise in electromagnetic warfare, helping them to seize and hold the initiative in a high-tempo race for military advantage, for example through degrading command and control, jamming signals to drones or missiles and intercepting an adversary’s communications.

Update on May 29 Outage

UPDATE 2 (7:41 PM UTC): Access to consoles has been restored for all customers following today’s platform outage and service interruption. We continue to validate that all services are fully operational.

UPDATE 1 (6:10 PM UTC): Services are actively being restored and consoles are coming online.

On May 29, 2025, SentinelOne experienced an outage that is impacting commercial customer consoles. The following message has been sent to all customers and partners. Communications are being updated in real time in our support portal and will be updated here as necessary.

We are aware of ongoing console outages affecting commercial customers globally and are currently restoring services. Customer endpoints are still protected at this time, but managed response services will not have visibility. Threat data reporting is delayed, not lost. Our initial RCA suggests this is not a security incident. We apologize for the inconvenience and appreciate your patience as we work to resolve the issue.

ConnectWise Confirms ScreenConnect Cyberattack, Says Systems Now Secure: Exclusive

ConnectWise did not disclose when the data breach occurred or the number of MSPs or end users impacted by the breach.

ConnectWise has confirmed it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure.

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement. “We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”

No further signs of malicious activity have been detected since the update was applied, a source familiar with the situation, who asked for anonymity, told CRN.