VulnHub

Real-time Cybersecurity News

Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

The Hacker News
Actively Exploited

Overview

A French-speaking hacker targeted a small automotive company in France, where he successfully installed a keylogger to steal sensitive banking and email credentials. The attack took an interesting turn when the hacker installed OpenSSH and Tailscale on the compromised machine, creating a backdoor to maintain access even after his primary command-and-control server went offline. This method allowed him to bypass traditional C2 channels, making it harder for defenders to cut off his access. The incident serves as a reminder of the evolving tactics used by cybercriminals and the importance for businesses to secure their networks against such persistent threats. Companies should be vigilant about monitoring for unauthorized software installations and maintaining robust security measures.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Automotive business systems, OpenSSH, Tailscale
  • Action Required: Regularly monitor systems for unauthorized software installations and implement network segmentation to restrict access.
  • Timeline: Ongoing since October 2023

Original Article Summary

A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next

Impact

Automotive business systems, OpenSSH, Tailscale

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since October 2023

Remediation

Regularly monitor systems for unauthorized software installations and implement network segmentation to restrict access. Utilize endpoint protection solutions to detect and prevent keyloggers and backdoors.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Read Original Article

Related Coverage

North Korean Hiring Fraud Runs on AI and US Laptop Farms

Infosecurity Magazine

Nisos, a cybersecurity firm, has exposed a North Korean fraud operation that employs artificial intelligence for conducting fake job interviews. This operation was found to be using a network of laptops based in the United States to facilitate its activities. The fraud cell aimed to recruit IT workers under false pretenses, potentially to gather sensitive information or fund illicit activities. This situation raises concerns about the growing sophistication of cybercriminals, as they now use advanced technologies like AI to enhance their deception. The infiltration of US-based resources by foreign actors highlights vulnerabilities in cybersecurity defenses and the need for vigilance against such schemes.

Jun 17, 2026

Serverless Phishing Kit on GitHub Targets Mexican Banks

Infosecurity Magazine

A new phishing kit called GitBait has been discovered that specifically targets users of Mexican banks. This kit takes advantage of GitHub Pages and the SheetBest API to create fake login pages designed to capture sensitive banking credentials. Researchers have noted that this attack is particularly concerning because it leverages trusted platforms to appear legitimate, potentially tricking victims into providing their information. Users of Mexican banking services should be especially vigilant and ensure they are accessing official websites before entering any personal details. This incident serves as a reminder of the evolving tactics employed by cybercriminals to exploit unsuspecting individuals.

Jun 17, 2026

India's Telegram ban hit the UAE too. Here's how to get around it

BleepingComputer

India has imposed a ban on the messaging app Telegram until June 22 due to its use in leaking exam papers. This decision has not only affected users in India but also disrupted services in the UAE, where users reported issues connecting to the app. Telegram's CEO, Pavel Durov, claims that the telecom company Reliance engaged in BGP hijacking, which exacerbated the connectivity problems. Users seeking to bypass the ban can utilize MTProto proxies as a workaround. This incident raises concerns about the impact of government restrictions on digital communication and the broader implications for users in regions far removed from the original decision.

Jun 17, 2026

AI Threats and Alert Fatigue Challenge Cybersecurity Teams

Infosecurity Magazine

A recent survey conducted by Filigran at Infosecurity Europe 2026 indicates that AI-driven attacks are now the primary concern for cybersecurity teams. The report highlights that the rise of these sophisticated attacks is compounded by issues like false positives and alert fatigue, which are overwhelming security staff. As a result, many teams find themselves bogged down by manual processes that drain their resources and effectiveness. This situation poses significant risks, as it could lead to slower responses to actual threats, ultimately compromising the security of organizations. With AI technology becoming more accessible, the need for improved detection and response strategies is more urgent than ever to protect against these evolving threats.

Jun 17, 2026

Rockwell Automation Patches Vulnerabilities in ICS Controllers and Software

SecurityWeek

Rockwell Automation has addressed several security vulnerabilities in its products, specifically affecting the Logix, CompactLogix, Flex controllers, RSLinx, and FactoryTalk software. These vulnerabilities could potentially allow unauthorized access or manipulation of industrial control systems, which could have serious implications for manufacturing and automation processes. Users of these products are urged to apply the patches provided by Rockwell to secure their systems. The timely response from Rockwell is crucial in preventing potential exploitation of these weaknesses, especially given the critical role these systems play in various industries. Companies using these affected products should prioritize updating their systems to ensure safety and integrity.

Jun 17, 2026

CISA orders feds to patch max severity Joomla plugin flaw by Friday

BleepingComputer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies address a serious vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin. This flaw, classified as maximum severity, is currently being exploited by attackers, which raises significant concerns about potential data breaches or unauthorized access. Federal agencies must implement patches by the end of the week to safeguard their systems. This situation underscores the importance of timely updates and vigilance in maintaining cybersecurity, especially for widely used plugins like JCE. Agencies that fail to patch this vulnerability could face serious repercussions, including compromised data integrity and system security.

Jun 17, 2026