154 points mellosouls | 26 comments
isatsam No.45184197
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
1. skulk No.45184282
It looks like Huntress is a "install this on your computer and we'll watch over your systems and keep you safe, for sure."

I also find it kind of funny that the "blunder" mentioned in the title, according to the article, is ... installing Huntress's agent. Do they look at every customer's Google searches to see if they're suspicious too?

replies(5): >>45184436 #>>45185141 #>>45185166 #>>45185701 #>>45194025 #
2. neffy No.45184436
It's also a lot of assumptions. This probably is an attacker - or wannabe at least. But you could be a student or researcher working on a cyber security course, and for some projects your search flow would look a lot like this.
replies(1): >>45185202 #
3. pizzalife No.45185141
Indeed, this article makes them look bad. Seems completely tone deaf to release this as a puff piece about the product.
replies(1): >>45185322 #
4. mrbluecoat No.45185166
I found that creepy too. Apparently `blunder == installing their software`
replies(2): >>45185294 #>>45187951 #
5. viccis No.45185202
They mention in the write up that they correlated certain indicators with what they had seen in other attacks to be reasonably sure they knew this was an active attacker.

The problem to me is that this is the kind of thing you'd expect to see being done by a state intelligence organization with explicitly defined authorities to carry out surveillance of foreign attackers codified in law somewhere. For a private company to carry out a massive surveillance campaign against a target based on their own determination of the target's identity and to then publish all of that is much more legally questionable to me. It's already often ethically and legally murky enough when the state does it; for a private company to do it seems like they're operating well beyond their legal authority. I'd imagine (or hope I guess) that they have a lawyer who they consulted before this campaign as well as before this publication.

Either way, not a great advertisement for your EDR service to show everyone that you're shoulder surfing your customers' employees and potentially posting all that to the internet if you decide they're doing something wrong.

replies(1): >>45185325 #
6. fckgw No.45185294
A threat actor installing software specifically designed to log and monitor attacks from threat actors would be considered a blunder, no?
7. cbisnett No.45185322
Actually we just thought it was interesting that an attacker installed our EDR agent on the machine they use to attack their victims. That’s really bad operational security and we were able to learn a lot from that access.
replies(1): >>45186178 #
8. fckgw No.45185325{3}
> The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent.

The machine was already known to the company as belonging to a threat actor from previous activity

replies(2): >>45187645 #>>45187680 #
9. tgv No.45185701
It's stated in the article: "The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent."

However, it's obvious that protection-ware like this is essentially spyware with alerts. My company uses a similar service, and it includes a remote desktop tool, which I immediately blocked from auto-startup. But the whatever scanner sends things to some central service. All in the name of security.

replies(2): >>45186618 #>>45187201 #
10. ctoth No.45186178{3}
What is weird to me is that you have access to this information at all? It would make sense for the people who use your software ... the IT departments or whatever to have access but why on earth do your engineers need access? What gates access to your customers' machines? What triggers a write-up like this? Hostnames, "machine names" are ... not unique by nature.
replies(1): >>45186646 #
11. boston_clone No.45186618
Directly impinging the enterprise-approved security tooling is really not a good idea, no matter your own personal opinions on their functionality.

Unless maybe you just want to develop a more personal relationship with your internal cybersecurity team, who knows.

replies(1): >>45194693 #
12. cybergreg No.45186646{4}
Huntress is a cybersecurity company. They’re specifically hired for this purpose, to protect the company and its assets.

As far as unique identifiers go, advertisers use a unique fingerprint of your browser to target you individually. Cookies, JavaScript, screen size, etc, are all used.

replies(2): >>45187357 #>>45189950 #
13. coppsilgold No.45187201
I would assume any machine not owned by me is fully compromised and there is no recovery possible. And treat it accordingly, such as using it just for the purpose the owner of the machine dictates assuming I value that relationship.

The startup script you blocked could have just been a decoy, and set off a red flag.

A lot of these EDRs operate in kernel space.

14. ctoth No.45187357{5}
The article states that the "attacker" downloaded the software via a Google ad, not deployed by their corporate IT.

I'm also slightly curious as to whether you might be associated with an EDR vendor. I notice that you only have three comments ever, and they all seem to be defending how EDR software and Huntress work without engaging with this specific instance.

replies(3): >>45188059 #>>45191259 #>>45193557 #
15. bornfreddy No.45187645{4}
That's not very convincing. They still abused trust placed in them - by an active attacker, granted, but still... This seems like a legally risky move and it doesn't inspire trust in Huntress.
replies(1): >>45188579 #
16. viccis No.45187680{4}
That is what I said, yes.
17. moffkalast No.45187951
Well they aren't wrong. Crowdstrike showed how much of a blunder it can become.
18. moffkalast No.45188059{6}
Yeah they're in full damage control after realizing how out of touch they are when not talking to corporate suits for once.
19. fckgw No.45188579{5}
Whose trust? Their job is to hunt down and research threat actors. The information gained from this is used to better protect their enterprise customers.

This gains more trust with their customers and breaking trust with ... threat actors?

replies(1): >>45188879 #
20. viccis No.45188879{6}
> Whose trust? Their job is to hunt down and research threat actors

No, their job is to provide EDR protection for their customers.

replies(1): >>45191211 #
21. No.45189950{5}
22. cybergreg No.45191211{7}
Threat intelligence is a thing. In fact, there are entire companies that sell just that. In fact, there are entire government organizations that do just that.
23. cybergreg No.45191259{6}
Again, threat actors are well aware of what they're downloading. FWIW I'm an offsec specialist. I spend a lot of time bypassing EDR. I'm just shocked at how little this crowd is aware of OpSec and threat intel. I'll crawl back into my Reddit hole.
24. FreakLegion No.45193557{6}
If you just want a different source, I can vouch for what cybergreg is saying.

Cybersecurity companies aren't passive data collectors like, say, Dropbox. They actively hunt for attacks in the data. To be clear, this goes way beyond MDR or EDR. The email security companies are hunting in your email, the network security companies are hunting in your network logs, so on. When they find things, they pick up the phone, and sometimes save you from wiring a million dollars to a bad guy or whatever.

The customer likes this very much, even if individual employees don't.

25. beefnugs No.45194025
Well, let's be real, you don't decide one day "today is the day we read one user's entire history" and BLAMMO it's a hacker! Let's keep reading!
26. jacquesm No.45194693{3}
Or with the HR team and the corporate security guys assisting your departure from the building holding a small cardboard box.