Pwn All The Things on Twitter: "Btw, if you want to piggyback onto COSYBEAR, its startup module downloaded w/ fixed AES/IV dl-ed over HTTP (port80) https://t.co/HejStU8MWi"

Country	Code	For customers of
United States	40404	(any)
Canada	21212	(any)
United Kingdom	86444	Vodafone, Orange, 3, O2
Brazil	40404	Nextel, TIM
Haiti	40404	Digicel, Voila
Ireland	51210	Vodafone, O2
India	53000	Bharti Airtel, Videocon, Reliance
Indonesia	89887	AXIS, 3, Telkomsel, Indosat, XL Axiata
Italy	4880804	Wind
3424486444	Vodafone
» See SMS short codes for other countries

Pwn All The Things ‏@pwnallthethings 14 Jun 2016
.@CrowdStrike says the "COSY BEAR" group in #DNCHack is RU for this reason. But tbh, looks more like a piggyback oppic.twitter.com/SVFubyejAF

1 reply 4 retweets 4 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
COSYBEAR is an interesting implant. Python and Powershell; comms via .NET using AES with a fixed sym-key #DncHackpic.twitter.com/CpCXNEQTux

2 replies 16 retweets 12 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
That puts COSYBEAR here on the @daveaitel implant-sophistication scale :) #DncHackpic.twitter.com/DXNIhVplhx

4 replies 11 retweets 8 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
Fixed IV/key in COSYBEAR means can traffic-decrypt from pcap. Clearly not written by folks who know crypto #DNCHackpic.twitter.com/BrPLBNjli9

1 reply 2 retweets 7 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
3... 2... 1... MimiKatz #DncHackpic.twitter.com/9wX5f7ALnZ

1 reply 8 retweets 12 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
lolwtf? COSYBEAR operators apparently are lame script kiddies. Clearing event logs is like the worst opsec #DncHackpic.twitter.com/KW2AA1iW7a

2 replies 3 retweets 6 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
Serious Q: What AV does DNC run? How did it possibly miss an implant clearing win-event logs w/ WMI persistance?pic.twitter.com/bls5QPOn8R

2 replies 6 retweets 7 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
pic.twitter.com/nzpansXaQF

1 reply 2 retweets 6 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
For some reason @CrowdStrike listing IOCs as SHA256, when industry standard is SHA1. Makes it harder to search for.pic.twitter.com/p2BQY92hXz

3 replies 2 retweets 3 likes
Pwn All The Things ‏@pwnallthethings 14 Jun 2016
.@CrowdStrike Also for some reason clearly have, but aren't sharing the binaries. Seems optimized to stop people checking their results.

1 reply 1 retweet 2 likes

Pwn All The Things

@pwnallthethings

Loading seems to be taking a while.

false

Saved searches

Pwn All The Things

@pwnallthethings

Go to a person's profile

Saved searches

Retweet this to your followers?

Saved searches

Are you sure you want to delete this Tweet?

Promote this Tweet

Block

Add a location to your Tweets

Your lists

Create a new list

Copy link to Tweet

Embed this Tweet

Embed this Video

Preview

Log in to Twitter

Sign up for Twitter

Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

Two-way (sending and receiving) short codes:

Confirmation

Buy Now

Buy Now

Hmm... Something went wrong. Please try again.

Welcome home!

Tweets not working for you?

Say a lot with a little

Spread the word

Join the conversation

Learn the latest

Get more of what you love

Find what's happening

Never miss a Moment

Loading seems to be taking a while.

Promoted Tweet

false