NATS as C2
https://www.sysdig.com/blog/nats-as-c2-inside-a-new-technique-attackers-are-using-to-harvest-cloud-credentials-and-ai-api-keys

I’m using NATS as an outbound connector/transport between my control server and pfSense firewalls - looks like they’re also leveraging this same technique. In my use case it’s flawless!

I’ve been telling security friends that they are sleeping on NATS. Maybe after reading this they’ll actually read up on it instead of defaulting to what they know: Rabbit and Kafka.

“Tasks are queued centrally, workers pull and explicitly ack, and a dropped worker returns its in-flight tasks to the queue for redelivery. This matches the architectural argument earlier in this writeup: NATS-as-C2 gives operators durability and at-least-once delivery without bespoke client code.”

NATS servers provide three properties that scanner-pool operators historically had to engineer themselves:

Wire-level authorization: Per-subject ACLs are enforced by the broker, not by client-side…