154 points mellosouls | 8 comments
isatsam ◴[] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what this product is. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
skulk ◴[] No.45184282[source]
It looks like Huntress is an "install this on your computer and we'll watch over your systems and keep you safe, for sure."

I also find it kind of funny that the "blunder" mentioned in the title, according to the article, is ... installing Huntress's agent. Do they look at every customer's Google searches to see if they're suspicious too?

replies(5): >>45184436 #>>45185141 #>>45185166 #>>45185701 #>>45194025 #
pizzalife ◴[] No.45185141[source]
Indeed, this article makes them look bad. Seems completely tone deaf to release this as a puff piece about the product.
replies(1): >>45185322 #
1. cbisnett ◴[] No.45185322[source]
Actually we just thought it was interesting that an attacker installed our EDR agent on the machine they use to attack their victims. That’s really bad operational security and we were able to learn a lot from that access.
replies(1): >>45186178 #
2. ctoth ◴[] No.45186178[source]
What is weird to me is that you have access to this information at all? It would make sense for the people who use your software ... the IT departments or whatever to have access but why on earth do your engineers need access? What gates access to your customers' machines? What triggers a write-up like this? Hostnames, "machine names" are ... not unique by nature.
replies(1): >>45186646 #
3. cybergreg ◴[] No.45186646[source]
Huntress is a cybersecurity company. They’re specifically hired for this purpose, to protect the company and its assets.

As far as unique identifiers go, advertisers use a unique fingerprint of your browser to target you individually. Cookies, JavaScript, screen size, etc, are all used.

replies(2): >>45187357 #>>45189950 #
4. ctoth ◴[] No.45187357{3}[source]
The article states that the "attacker" downloaded the software via a Google ad, not deployed by their corporate IT.

I'm also slightly curious as to whether you might be associated with an EDR vendor? I notice that you only have three comments ever, and they all seem to be defending how EDR software and Huntress work without engaging with this specific instance.

replies(3): >>45188059 #>>45191259 #>>45193557 #
5. moffkalast ◴[] No.45188059{4}[source]
Yeah they're in full damage control after realizing how out of touch they are when not talking to corporate suits for once.
6. ◴[] No.45189950{3}[source]
7. cybergreg ◴[] No.45191259{4}[source]
Again, threat actors are well aware of what they're downloading. FWIW, I'm an offsec specialist. I spend a lot of time bypassing EDR. I'm just shocked at how little this crowd is aware of OpSec and threat intel. I'll crawl back into my Reddit hole.
8. FreakLegion ◴[] No.45193557{4}[source]
If you just want a different source, I can vouch for what cybergreg is saying.

Cybersecurity companies aren't passive data collectors like, say, Dropbox. They actively hunt for attacks in the data. To be clear, this goes way beyond MDR or EDR. The email security companies are hunting in your email, the network security companies are hunting in your network logs, and so on. When they find things, they pick up the phone, and sometimes save you from wiring a million dollars to a bad guy or whatever.

The customer likes this very much, even if individual employees don't.