17 comments

[ 3.5 ms ] story [ 36.3 ms ] thread
Disturbing that they would be proud enough of spying on their users to post this. Threat intelligence is nearly as bad as the threats themselves. From crowdstrike destroying computer systems to this type of spying on their own users, who wants to trust these people? What happened to holding microsoft accountable for the security of their products?
I don't work in cybersecurity and, after looking at the site's homepage, couldn't exactly figure out from all the buzzwords what exactly is this product. The most concerning takeaway from this article for me is that the maintainers of Huntress (whatever it is) can keep a log of, as well as personally access, the users' browser history, history of launched executables, device's hostname, and presumably a lot of other information. How is this product not a total security nightmare?
Having worked in the computer security world for many years and been completely on board with the "it's good to open source attack tools so that everyone knows what can be done", it's still sometimes hard not to feel like a useful idiot when I see attackers operating with big stacks of almost all open source tooling that are now mature and full featured enough to make almost any skid into a decently effective procurer and vendor of stolen information with a bit of effort.
(comment deleted)
Reading through the article, the "hacker" was pretty naive and junior, installing an EDR on his hacking box. Or it was just a way to distract you guys ;)
I caught that feeling through the whole article. Like, was this user really that distracted or inept to forget he installed a Huntress trial, or was this all for some larger, more insidious reason, or distraction?
I don't understand how "we actively spy on our customers and blog about it" is a viable marketing strategy..?
Cool insight into a (novice?) threat actor's operations and tooling. I personally knew nothing of "residential proxies" like LunaProxy so I learned something new
I personally would be careful about that sort of thing. I would imagine that few people would want to run a proxy on their home computer that can be accessed by others - and if they did, they'd probably have a specific reason for it, and thus would be looking for specific ways to make that proxy available to the people who they feel would want to use it.

So, I can only assume that a lot of residential machines that have proxies on them offered by companies like these have actually had those proxies installed by malware. The company themselves may not even be aware of this.

(I'm not saying that LunaProxy in particular is like this. I actually have never heard of LunaProxy before now, so the above may not even apply to it. Regardless, it's still worth applying caution.)

A lot of us are missing what actually happened here.

Some random person downloaded Huntress to try it out. Not a company. Not through IT. Just clicked "start trial" like you might with any software. Were they trying to figure out how to get around it? We have no idea!

Huntress employees then decided - based on a hostname that matched something in their private database - to watch everything this person did for three months. Their browser history, their work patterns, what tools they used, when they took breaks.

Then they published it.

The "but EDR needs these permissions!" comments are completely missing the point. Yeah, we know EDR is basically spyware. The issue is that Huntress engineers personally have access to trial user data and apparently just... browse it when they feel like it? Based on hostname matches???

Think about what they're saying: they run every trial signup against their threat intel database. If you match their criteria - which could be as weak as a hostname collision - their engineers start watching you. No warrant. No customer requesting it. No notification. Just "this looks interesting, let's see what they're up to."

Their ToS probably says something vague about "security monitoring" but I doubt it says "we reserve the right to extensively surveil individual trial users for months and publish the results if we think you're suspicious." And even if it did, that doesn't make it right or legal.

They got lucky this time - caught an actual attacker. But what about next time? What about the security researcher whose hostname happens to match? The pentester evaluating their product? Hell, what about corporate users whose hostname accidentally matches something in their database?

The fact that they thought publishing this was a good idea tells you a lot. This isn't some one-off investigation. This is apparently? how they operate.

> caught an actual attacker. But what about next time?

What about the time before this where it wasn't an attacker, so they didn't write an article about it, and so we never found out about it?

Why would they NOT do this? They are a fucking cyber security company. It should be no surprise to anyone that a company that specializes in endpoint security software would be analyzing this shit non-stop, even for trial versions that users run. That's how their software works!
While amusing it probably isn't particularly informative.

A person like that obviously has extremely poor operational security and is therefore of low competence.

Competent actors likely utilize virtualization or in cases where the software is adversarial and may reveal virtualization, physical machines (eg. cheap Mini PC's) with isolated and managed networks (eg. connections routed through a commercial VPN or a residential proxy) not under the control of the machine.

Also styxmmarket doesn't appear to be in any way a dark web marketplace/forum. It doesn't even have an onion address? It has a .com domain, something that should be easy for the authorities to seize. Probably is a honeypot of some kind.

A bunch of commenters are confused how this "blunder" even happened. I was too, except I recognized the company name. They have a history of making up or completely misunderstanding their own software. They make EDR products which trigger "events" except they don't really have the knowledge to triage them, so they come up with wild explanations for them that involve threat actors and anomalies which are not real. For example, earlier they posted this to their Twitter account: https://twitter.com/HuntressLabs/status/1865111713948852572

Anyone who knows anything about macOS knows that it is not possible to disable System Integrity Protection without rebooting into recovery (an environment that it is not possible to actually get events from). So their "detection" is just some random guy typing "csrutil disable" in their terminal and it doing absolutely nothing. I would not be surprised if there is some similar dumb explanation here that they missed, which would make for a substantially less interesting story.

Unrelated story; how politician gave us a look into their financial adventures.

I am curious where the red line is.

Any criminal activity or just behavior that the analysts find interesting?

> Like most good stories, this one starts in the middle and works its way back and forth

Don't tell me your story is "good," let me read it and I'll be the judge of that.