
154 points mellosouls | 7 comments

isatsam No.45184197
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly this product is. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
skulk No.45184282
It looks like Huntress is an "install this on your computer and we'll watch over your systems and keep you safe, for sure."

I also find it kind of funny that the "blunder" mentioned in the title, according to the article, is ... installing Huntress's agent. Do they look at every customer's Google searches to see if they're suspicious too?

replies(5): >>45184436 #>>45185141 #>>45185166 #>>45185701 #>>45194025 #
neffy No.45184436
It's also a lot of assumptions. This probably is an attacker, or a wannabe at least. But you could be a student or researcher working on a cyber security course, and for some projects your search flow would look a lot like this.
replies(1): >>45185202 #
viccis No.45185202
They mention in the write-up that they correlated certain indicators with what they had seen in other attacks to be reasonably sure they knew this was an active attacker.

The problem to me is that this is the kind of thing you'd expect to see being done by a state intelligence organization with explicitly defined authorities to carry out surveillance of foreign attackers codified in law somewhere. For a private company to carry out a massive surveillance campaign against a target based on their own determination of the target's identity and to then publish all of that is much more legally questionable to me. It's already often ethically and legally murky enough when the state does it; for a private company to do it seems like they're operating well beyond their legal authority. I'd imagine (or hope I guess) that they have a lawyer who they consulted before this campaign as well as before this publication.

Either way, not a great advertisement for your EDR service to show everyone that you're shoulder surfing your customers' employees and potentially posting all that to the internet if you decide they're doing something wrong.

replies(1): >>45185325 #
fckgw No.45185325
> The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent.

The machine was already known to the company as belonging to a threat actor from previous activity.

replies(2): >>45187645 #>>45187680 #
bornfreddy No.45187645
That's not very convincing. They still abused the trust placed in them, by an active attacker, granted, but still... This seems like a legally risky move and it doesn't inspire trust in Huntress.
replies(1): >>45188579 #
viccis No.45187680
That is what I said, yes.
fckgw No.45188579
Whose trust? Their job is to hunt down and research threat actors. The information gained from this is used to better protect their enterprise customers.

This gains more trust with their customers and breaking trust with ... threat actors?

replies(1): >>45188879 #
viccis No.45188879
> Whose trust? Their job is to hunt down and research threat actors

No, their job is to provide EDR protection for their customers.

replies(1): >>45191211 #
cybergreg No.45191211
Threat intelligence is a thing. In fact, there are entire companies that sell just that. In fact, there are entire government organizations that do just that.