Most active commenters
  • isatsam(3)
  • spogbiper(3)

←back to thread

An attacker’s blunder gave us a look into their operations

(www.huntress.com)
154 points mellosouls | 16 comments | 09 Sep 25 15:42 UTC | HN request time: 1.651s | source | bottom
Show context
isatsam ◴[09 Sep 25 16:17 UTC] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
1. cbisnett ◴[09 Sep 25 17:30 UTC] No.45185367[source]
Thanks for the feedback on not understanding what we sell from the homepage. We sell an Endpoint Detection and Response (EDR) product that we manage with our 24/7 SOC. To perform the investigations on potentially malicious activity, we can fetch files from the endpoint and review them. We log all of this activity and make it available to our customers. We are an extension of their security team, which means they trust us with this access. We’ve been doing this for more than 10 years and have built up a pretty good reputation, but I can see how that would freak some folks out. We also sell to businesses, so this is something that would be installed on a work computer.
replies(3): >>45185521 #>>45185882 #>>45187740 #
2. isatsam ◴[09 Sep 25 17:41 UTC] No.45185521[source]
How was an individual user (in this article's case, a phishing sites developer) able to install your software and seemingly not notice the level of access they gave you to their computer?
replies(2): >>45185683 #>>45186865 #
3. cbisnett ◴[09 Sep 25 17:53 UTC] No.45185683[source]
Windows doesn’t have application permissions like Mac, iOS, and Android. An app doesn’t specify what it need to be able to do, it inherits the permissions of the user that launched it. Not a great permissions model, but it’s legacy all the way back to the earliest versions of Windows.
replies(1): >>45185869 #
4. isatsam ◴[09 Sep 25 18:04 UTC] No.45185869{3}[source]
This is a surprising response - I was expecting something like "they clicked past an alert notifying that they were giving us this level of access". Just because Windows only has a generic password prompt whenever an app wants to do something dangerous, doesn't mean you can't inform the user via your app's own UI. Others like AnyDesk do exactly that.
replies(2): >>45186274 #>>45186345 #
5. poemxo ◴[09 Sep 25 18:05 UTC] No.45185882[source]
Is it clear to users that their system is monitored and that they have consented to screengrabbing? Unless those screenshots were merely simulated from the Chrome history.
replies(1): >>45186155 #
6. spogbiper ◴[09 Sep 25 18:19 UTC] No.45186155[source]
This would generally be covered in your corporate acceptable use policy or employee handbook, where ever your employer describes what is allowable on corporate devices and what is monitored when you use them. Some companies also display a notification when you log in along the lines of "This is an XYZ Corp system, all activity is logged and monitored for malicious behavior"

in general, if you're using a company owned device (the target for this product and many others like it) you should always assume everything is logged

replies(2): >>45186647 #>>45186666 #
7. cybergreg ◴[09 Sep 25 18:25 UTC] No.45186274{4}[source]
You’re really missing the point here. Huntress is an MDR, a cybersecurity company. They protect the endpoint by monitoring it for malicious activity and responding in kind. It’s what they do, not unlike Crowdstrike, Microsoft, etc. Generally a threat actor will install a security agent like this to find a bypass in order to attack more victims. They know exactly what they’re doing.
replies(1): >>45192830 #
8. spogbiper ◴[09 Sep 25 18:28 UTC] No.45186345{4}[source]
this product is typically silently mass deployed to all systems within an organization, completely unknown to the individual users. afaik there is no user interface or way to interact with the software from the computer, its all managed in a central web console
9. hyperman1 ◴[09 Sep 25 18:43 UTC] No.45186647{3}[source]
Is this true outside the USA?

In the EU, employees have an expectation of privacy even on their corporate laptop. It is common for e.g. union workers to use corporate email to communicate, and the employer is not allowed to breach privacy here. Even chatter between worker is reasonably private by default.

I suspect, if the attacker is inside the EU, this article is technically a blatant breach of the GDPR. Not that the attacker will sue you for it, but customers might find this discomforting.

replies(2): >>45187234 #>>45187789 #
10. cybergreg ◴[09 Sep 25 18:44 UTC] No.45186666{3}[source]
In the US, on a corporate owned device there is no expectation of privacy.
11. pcthrowaway ◴[09 Sep 25 18:53 UTC] No.45186865[source]
Poor english skills if I had to guess; the article mentions they had to translate things, and they didn't read the ToS.
12. spogbiper ◴[09 Sep 25 19:14 UTC] No.45187234{4}[source]
It's an interesting question. Services like Huntress (there are many similar) only work by looking at what is happening on the computer. To some degree they are automated but there is a human review element to all of them where ultimately some person A will be looking at what some other person B did on the system. Not publishing it in a blog like this, but definitely violating the privacy of the valid user and/or a bad guy to some degree
13. viccis ◴[09 Sep 25 19:47 UTC] No.45187740[source]
>We are an extension of their security team, which means they trust us with this access

So if <bad actor> in this writeup read your pitch and decided to install your agent to secure their attack machine, it sounds like they "trusted you with this access". You used that access to surveil them, decide that you didn't approve of their illegal activity, and publish it to the internet.

Why should any company "trust you with this access"? If one of your customers is doing what looks to one of your analysts to be cooking their books, do you surveil all of that activity and then make a blog post about them? "Hey everyone here, it's Huntress showing how <company> made the blunder of giving us access to their systems, so we did a little surprise finance audit of them!"

14. viccis ◴[09 Sep 25 19:51 UTC] No.45187789{4}[source]
I can't imagine pen testers would be able to work in the EU without being able to access individual workstations without the users' knowledge.

The key difference here is that pen testing, as well as IT testing, is very explicitly scoped out in a legal contract, and part of that is that users have to told to consent to monitoring for relevant business purposes.

What happened in this blogpost is still outside of that scope, obviously. I doubt that Huntress could make the claim that their customer here was clearly told that they would be possibly monitoring their activity in the same way that a "Content to Monitoring" popup for every login on corporate machines does it.

15. VladVladikoff ◴[10 Sep 25 03:25 UTC] No.45192830{5}[source]
>They know exactly what they’re doing.

Strongly disagree. If they installed this to do some analysis they would have done that in a VM if they “knew exactly what they were doing”.

Either you snared a script kiddy, or your software download and install process that followed that google ads click was highly questionable.

replies(1): >>45194637 #
16. galaxy_gas ◴[10 Sep 25 07:59 UTC] No.45194637{6}[source]
I think it´s obvious from the browser history in the blog posting that script kiddy is for sure