InfoSec Briefing - June 14, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Sunday the 14th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 3 articles to cover. All attribution is by the article authors. All article analysis is automated.

IBM X-Force has published research on Interlock and Rhysida, two ransomware groups that appear to share tooling—specifically a backdoor called Supper—whilst maintaining separate infrastructure and targeting strategies. The analysis notes that falling development costs, partly driven by AI, are enabling less sophisticated actors to run high-impact ransomware operations, which is a slightly concerning trend.

Researchers have built a detection pipeline using Anthropic's Claude Compliance API to spot misuse in large language model chat sessions—things like jailbreak attempts or sensitive data leaking out through the conversation itself. It's a three-stage setup feeding into a SIEM, and worth a look if you're running Claude Enterprise and trying to work out what monitoring actually looks like when the content is the attack surface.

Trail of Bits uncovered a category of weak cryptographic keys they're calling short-sleeve keys, traced back to a type mismatch bug in CompleteFTP software that ran from 2016 through to 2023. The vulnerability let them factor over 600 RSA and 74 DSA private keys from internet scans, with similar patterns turning up in keys from Yahoo, Verizon, and NetApp kit. The bug created predictable zero-bit patterns in the random number generator output, making factorisation rather quicker than intended.

That concludes today's briefing.

📰 Articles Covered

Interlock and Rhysida within the Ransomware Ecosystem | IBM - IBM

This precis details the analysis provided by IBM X-Force regarding the relationship and operational tactics of the Interlock and Rhysida ransomware groups.

### What Happened
Research indicates a probable lineage or relationship between the Interlock (Hive0163) and Rhysida ransomware groups, though the precise nature of this connection remains unknown. While they utilize similar toolsets—notably the "Supper" backdoor—they maintain distinct initial-access campaigns and malware infrastructures. The landscape is further complicated by the decreasing cost of malware development due to AI, which allows for more versatile and less specialized threat actors to execute high-impact operations.

### Who Is Affected
Both groups target organizations globally, with a significant concentration of victims located in the United States. In 2025 alone, each group claimed approximately 80 victims on their respective data leak sites.

### Security Implications
The evolution of these groups reflects a shifting threat landscape where:
* **Blurred Roles:** Lower development costs are enabling facilitators (e.g., initial-access brokers) to transition into full-scale ransomware operators.
* **Increased Sophistication:** The use of advanced crypters and custom backdoors allows these groups to evade traditional detection methods.
* **Operational Resilience:** The use of specialized infrastructure, such as Traffic Distribution Systems (TDS), suggests a high level of operational maturity designed to sustain long-term campaigns.

### Technical Details
| Feature | Interlock (Hive0163) | Rhysida |
| :--- | :--- | :--- |
| **Model** | Appears non-RaaS | Operates as RaaS (since May 2023) |
| **Backdoors** | Supper, InterlockRAT, NodeSnake | Supper |
| **Downloaders/Crypters** | JunkFiction | Endico, Broomstick, Tomb |
| **Tactics** | Exploits network edge devices (e.g., CVE-2026-20131), utilizes TDS (TAG-124) | Associated with actors like Vanilla Tempest |

### What Defenders Should Know
* **Monitor Infrastructure:** Defenders should actively hunt for the specific malware families, backdoors (especially the shared Supper backdoor), and crypters mentioned above.
* **Disrupt Code-Signing:** Since these actors rely on fraudulent code-signing certificates to maintain legitimacy, security teams should track and report these malicious certificates to platforms such as [The Cert Graveyard](https://certgraveyard.org/) to hinder the adversaries' ability to execute payloads.
* **Leverage Intelligence:** Security teams are encouraged to consult the full list of Indicators of Compromise (IOCs) maintained by X-Force in their [GitHub repository](https://github.com/XFTI-MalwareThreatResearch/threat-research-blogs/blob/main/interlock-rhysida/IOCs.txt) to harden their defenses against these specific threat actors.
Detecting Misuse with the Claude Compliance API: The Threat Is in the Content - PaperMtn

Thank you for providing that summary. Since you have already extracted the core information from the article, I have reviewed your precis against the requested points. It covers all the required areas comprehensively:

* **What happened:** Development of a security detection pipeline using the Anthropic Compliance API to analyze chat content.
* **Who is affected:** Organizations using Claude Enterprise, with a focus on risks posed by sanctioned users.
* **Security implications:** The inversion of traditional security models where content is the attack surface, along with specific LLM-based threats like jailbreaks and sensitive data exposure.
* **Technical details:** The three-stage pipeline architecture (Collection/Prefilter, LLM Judge, SIEM Event) and the limitation regarding visibility into agentic actions.
* **What defenders should know:** The necessity of semantic detection, the importance of cost-effective filtering, and the need to supplement this method with further telemetry.

Your summary is accurate and well-structured based on the content provided.
Factoring "short-sleeve" RSA keys with polynomials - Trail of Bits

The information you provided offers a comprehensive summary of the "short-sleeve" RSA and DSA key vulnerability. Based on the article from Trail of Bits, here is the structured precis you requested:

### **Factoring "Short-Sleeve" RSA and DSA Keys**

#### **What Happened**
Researchers discovered a class of weak cryptographic keys, dubbed "short-sleeve" keys, which exhibit highly non-random, sparse bit patterns. These keys were primarily traced back to a specific type-mismatch bug in the big-integer arithmetic code found in older versions of the CompleteFTP software. The bug caused the key generation process to produce predictable, repeating patterns of zero bits, significantly reducing the entropy of the resulting keys.

#### **Who Is Affected**
* **CompleteFTP Users:** RSA keys generated via versions 10.0.0 through 12.0.0 (Dec 2016 – Mar 2019) and DSA keys generated via versions 10.0.0 through 23.0.4 (Dec 2016 – Dec 2023) are confirmed to be vulnerable.
* **Other Entities:** Similar patterns ("Pattern 1") were identified in the wild, appearing in keys associated with large organizations (such as Yahoo and Verizon) and certain NetApp devices, though the specific root cause for these instances remains unknown.

#### **Security Implications**
The non-random structure of these keys allows for rapid factorization, rendering them insecure. Because the keys are not truly random, an attacker can bypass the computational hardness typically associated with RSA/DSA. Researchers were able to use this weakness to recover 603 unique RSA private keys and 74 DSA keys from active internet scans, demonstrating that these keys can be compromised by anyone aware of the technique.

#### **Technical Details**
* **The Bug:** The vulnerability originated in the `genRandomBits` function within the affected software. A type-mismatch error caused 8-bit random number generator (RNG) output to be incorrectly cast into 32-bit big-integer limbs. This forced a significant portion of the integer bits to be zero, creating a sparse, repeating structure.
* **The Attack:** RSA moduli are typically treated as large integers, but they can also be represented as polynomials by viewing their base-$B$ limbs as coefficients. Because "short-sleeve" keys have an abundance of zeros, their corresponding polynomial $f_n(x)$ possesses very small coefficients. This specific structure makes the polynomial highly susceptible to efficient factorization using standard algorithms, which then allows for the easy extraction of the prime factors $p$ and $q$.

#### **What Defenders Should Know**
* **Audit Your Environment:** Organizations using the affected software should immediately verify their key infrastructure. EnterpriseDT has provided a [standalone tool](https://enterprisedt.com/downloads/KeyChecker.zip) specifically for CompleteFTP users to check for vulnerable keys.
* **Use Standard Detection Tools:** The [badkeys project](https://badkeys.info/) has updated its tools to include detection for these specific "short-sleeve" patterns. Security teams should scan their public-facing keys using the [badkeys GitHub utility](https://github.com/badkeys/badkeys).
* **Remediation:** Any key identified as "short-sleeve" must be treated as compromised. Defenders should generate new, secure keys using updated software or well-vetted, standard cryptographic libraries.
* **Best Practices:** This incident underscores the extreme risk of implementing custom cryptographic routines. Developers should always rely on widely audited, standard cryptographic libraries for key generation to ensure sufficient entropy and randomness.