NATS as C2

Wed, May 13, 2026 2-minute read

https://www.sysdig.com/blog/nats-as-c2-inside-a-new-technique-attackers-are-using-to-harvest-cloud-credentials-and-ai-api-keys

I’m using NATS as an outbound connector/transport between my control server and pfSense firewalls, and it looks like they’re leveraging the same technique. In my use case it’s flawless!

I’ve been telling security friends that they are sleeping on NATS. Maybe after reading this they’ll actually read up on it instead of defaulting to what they know: RabbitMQ and Kafka.

“Tasks are queued centrally, workers pull and explicitly ack, and a dropped worker returns its in-flight tasks to the queue for redelivery. This matches the architectural argument earlier in this writeup: NATS-as-C2 gives operators durability and at-least-once delivery without bespoke client code.”

NATS servers provide three properties that scanner-pool operators historically had to engineer themselves:

  • Wire-level authorization: Per-subject ACLs are enforced by the broker, not by client-side checks that a captured node can disable.
  • One-to-many fan-out: A single publish to result.scan reaches every aggregator without the worker enumerating peers, which improves OPSEC and simplifies horizontal scaling.
  • First-class auth and durability: Username/password, TLS, and nkey auth are native, and JetStream provides durable queues so a worker can drop offline without losing its work.

“The KeyHunter operator that the Sysdig TRT discovered is using NATS for the same reasons engineering teams adopt it: subject-scoped authorization, native fan-out, and durable queues. None of those properties alone are unique to legitimate workloads, and applying them to a credential-hunting worker pool produces a botnet that is more reliable and scalable than the typical HTTP-panel architecture.”
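As an added example (not from this post or the Sysdig write-up), here is a nats-server configuration that applies the broker-enforced, per-subject authorization quoted above to the control-server-to-firewall use case. User names, subjects and file paths are hypothetical; each edge node is scoped to its own command and status subjects, so a node that gets compromised cannot publish commands to its peers or read their traffic.

```conf
# nats-server.conf (hypothetical): least-privilege subjects enforced by the broker.

listen: 0.0.0.0:4222

# Mutual TLS: a client without a cert signed by our CA is rejected before
# any subject permission is evaluated.
tls {
  cert_file: "/etc/nats/certs/server.pem"
  key_file:  "/etc/nats/certs/server-key.pem"
  ca_file:   "/etc/nats/certs/ca.pem"
  verify:    true
}

# JetStream gives the durable, explicitly-acked task queue the quote describes.
jetstream {
  store_dir: "/var/lib/nats/jetstream"
}

authorization {
  # Weak setting to avoid: a user with no permissions block can publish and
  # subscribe to every subject, so a captured node could impersonate the controller.
  users: [
    {
      user: controller
      password: "$2a$11$REPLACE_WITH_BCRYPT_HASH"   # bcrypt hash, not plaintext
      permissions: {
        publish:   ["cmd.>", "$JS.API.>"]           # issue commands, manage streams
        subscribe: ["status.>", "_INBOX.>"]         # receive all node reports
      }
    }
    {
      # Edge node: may only pull its own commands and report its own status.
      user: fw-edge-01
      password: "$2a$11$REPLACE_WITH_BCRYPT_HASH"
      permissions: {
        subscribe: ["cmd.fw-edge-01.>", "_INBOX.>"]
        publish: {
          # Pull-consumer requests and acks for this node's JetStream consumer
          # (stream CMDS, consumer fw-edge-01) plus its own status subject.
          allow: ["status.fw-edge-01.>", "$JS.ACK.>",
                  "$JS.API.CONSUMER.MSG.NEXT.CMDS.fw-edge-01"]
          deny:  ["cmd.>"]   # can never publish commands to peers
        }
      }
    }
  ]
}
```

Because the deny list is evaluated by the server, a worker binary patched to publish on `cmd.>` is simply refused, which is the "enforced by the broker, not by client-side checks" property from the list above.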

Take away the nefarious C2 nature of this application and you’re left with a legitimate tool that is incredibly powerful and sadly overlooked by many.

I implore people to give NATS a try.

Tags:

#nats #c2