Andrew Brandt
Podcast Appearances
So I get called in and have to, you know, decode how the whole attack works and do another flowchart similar to what we did with Asnarok to do the Baja attack.
Well, you know, one of the things that we can do, so you've got this telemetry tool that you can do basically wide-scale threat hunting within the firewalls themselves.
And so you can do things like, okay, well, we recovered a piece of malware off of the very first machine that belonged to a customer,
let's see where else this malware exists on the universe of firewalls that are out there.
And that was how they found T-Stark.
So T-Stark's firewall was the first one where they found a copy of not just the same malware, but like the binary identical, like the actual same file on this guy's firewall.
And he had been there for two months.
So he'd been experimenting with this piece of malware.
While the Asnarok attack was happening, he was basically planning the next one.
Like in the middle of us dealing with the aftermath, they were already developing the exploit and building out the payload for that attack.
And then the other thing that was really interesting was that we found a bunch of other stuff on this T-Stark guy's firewall.
His firewall had a bunch of malware on it that was designed to run on the Mac and on iOS, on iPads and iPhones.
And there is no conceivable reason why there would be like a Mac executable inside of a Sophos firewall.
And we didn't really understand what that was being used for, why that was there, until much later.
Starting around August, September, Sophos had started to communicate with other companies in the field, some of whom did...