←back to thread

An attacker’s blunder gave us a look into their operations

(www.huntress.com)
154 points mellosouls | 4 comments | 09 Sep 25 15:42 UTC | HN request time: 0.624s | source
Show context
isatsam ◴[09 Sep 25 16:17 UTC] No.45184197[source]
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
replies(12): >>45184282 #>>45184376 #>>45184533 #>>45184902 #>>45185067 #>>45185111 #>>45185367 #>>45185677 #>>45185868 #>>45185950 #>>45186020 #>>45190165 #
skulk ◴[09 Sep 25 16:22 UTC] No.45184282[source]
It looks like Huntress is a "install this on your computer and we'll watch over your systems and keep you safe, for sure."

I also find it kind of funny that the "blunder" mentioned in the title, according to the article is ... installing Huntress's agent. Do they look at every customer's google searches to see if they're suspicious too?

replies(5): >>45184436 #>>45185141 #>>45185166 #>>45185701 #>>45194025 #
1. tgv ◴[09 Sep 25 17:54 UTC] No.45185701[source]
It's stated in the article: "The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent."

However, it's obvious that protection-ware like this is essentially spyware with alerts. My company uses a similar service, and it includes a remote desktop tool, which I immediately blocked from auto-startup. But the whatever scanner sends things to some central service. All in the name of security.

replies(2): >>45186618 #>>45187201 #
2. boston_clone ◴[09 Sep 25 18:42 UTC] No.45186618[source]
Directly impinging the enterprise-approved security tooling is really not a good idea, no matter your own personal opinions on their functionality.

Unless maybe you just want to develop a more personal relationship with your internal cybersecurity team, who knows.

replies(1): >>45194693 #
3. coppsilgold ◴[09 Sep 25 19:12 UTC] No.45187201[source]
I would assume any machine not owned by me is fully compromised and there is no recovery possible. And treat it accordingly, such as using it just for the purpose the owner of the machine dictates assuming I value that relationship.

The startup script you blocked could have just been a decoy. And set off a red flag.

A lot of these EDR's operate in kernel space.

4. jacquesm ◴[10 Sep 25 08:07 UTC] No.45194693[source]
Or with the HR team and the corporate security guys assisting your departure from the building holding a small cardboard box.