🛰️ For those (still) interested by the KA-SAT event which occured on the Feb. 27. It seems (*) that the attackers simply launched their payload from the modems' SSH accesses which were open to anyone on the SDWAN. (1/3) Historically, SSH seems to have played a key role on very old firmware, prior the implementation of TR-069. By diffing a pre and post attack extracted firmware, we can clearly see that one of the changed file was the autorized_keys of the root user. (2/3)

⚠️Following the dnspy[.]net case, here is a list of domains owned by the same threat actor. The campaign spreading backdoored installers is STILL ONGOING, and targeting several open source projects: ↘️ (h/t @sekoia_io) [1/6] Some of the websites are still not created while other have legit executables. Anyway, blacklist these domains:
streamlabsobs[.]net - OBS Studio
obs-studio[.]net - OBS Studio
dnspy[.]dev - dnSpy
dnspy[.]net - dnSpy
mingw64[.]net - mingw64
dev-c[.]net - Dev-C [2/6]

Regarding the fact that the president #Macron has been targeted by #Pegasus, It is possible that it’s a wrong allegation, no? 🤔 Pegasus has the capability to steal the address books. [1/3] Once exfiltrated, it is possible that the backend compare the contacts with the already stolen address books during a specific campaign. More a phone number appears, more it is defined by the system itself as a potential next target, to help the Pegasus operator, no? [2/3]

As people are disclosing how to hunt for free C2s, here are our prez with @JusticeRage Justice from #SAS2019 related to from tips and tricks. Note that we follow dozens of implants like that since years. It is just few examples.

My own synthesis of the Mueller Report, thread! ↘️ ██████████████████████ ████████████████████ ████████████████████████████████████████████████████████████████████████████████ 🧐█████████