#Cyberespionage related investigations and developer of cool applications. Fighting #stalkerware in my spare time. (Prev. @Kaspersky GReAT & @ANSSI_fr)
Jul 18, 2022 • 4 tweets • 1 min read
🛰️ For those (still) interested in the KA-SAT event which occurred on Feb. 27. It seems (*) that the attackers simply launched their payload from the modems' SSH accesses, which were open to anyone on the SDWAN. (1/3)
Historically, SSH seems to have played a key role on very old firmware, prior to the implementation of TR-069. By diffing a pre- and post-attack extracted firmware, we can clearly see that one of the changed files was the authorized_keys of the root user. (2/3)
Jan 12, 2022 • 7 tweets • 2 min read
⚠️Following the dnspy[.]net case, here is a list of domains owned by the same threat actor. The campaign spreading backdoored installers is STILL ONGOING, and targeting several open source projects: ↘️ (h/t @sekoia_io) [1/6]
Some of the websites are still not created while others have legit executables. Anyway, blacklist these domains:
streamlabsobs[.]net - OBS Studio
obs-studio[.]net - OBS Studio
dnspy[.]dev - dnSpy
dnspy[.]net - dnSpy
mingw64[.]net - mingw64
dev-c[.]net - Dev-C [2/6]
Jul 22, 2021 • 5 tweets • 2 min read
Regarding the fact that the president #Macron has been targeted by #Pegasus, it is possible that it's a wrong allegation, no? 🤔 Pegasus has the capability to steal the address books. [1/3]
Once exfiltrated, it is possible that the backend compares the contacts with the address books already stolen during a specific campaign. The more a phone number appears, the more it is defined by the system itself as a potential next target, to help the Pegasus operator, no? [2/3]
Oct 11, 2019 • 6 tweets • 6 min read
As people are disclosing how to hunt for free C2s, here is our prez with @JusticeRage from #SAS2019 related to tips and tricks. Note that we have been following dozens of implants like that for years. These are just a few examples.
Apr 18, 2019 • 5 tweets • 1 min read
My own synthesis of the Mueller Report, thread! ↘️
██████████████████████ ████████████████████ ████████████████████████████████████████████████████████████████████████████████ 🧐█████████