Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
neffy 3 days ago

It´s also a lot of assumptions. This probably is an attacker - or wannabe at least. But you could be a student or researcher working on a cyber security course looking and for some projects your search flow would look a lot like this.

viccis 3 days ago | parent [-]

They mention in the write up that they correlated certain indicators with what they had seen in other attacks to be reasonably sure they knew this was an active attacker.

The problem to me is that this is the kind of thing you'd expect to see being done by a state intelligence organization with explicitly defined authorities to carry out surveillance of foreign attackers codified in law somewhere. For a private company to carry out a massive surveillance campaign against a target based on their own determination of the target's identity and to then publish all of that is much more legally questionable to me. It's already often ethically and legally murky enough when the state does it; for a private company to do it seems like they're operating well beyond their legal authority. I'd imagine (or hope I guess) that they have a lawyer who they consulted before this campaign as well as before this publication.

Either way, not a great advertisement for your EDR service to show everyone that you're shoulder surfing your customers' employees and potentially posting all that to the internet if you decide they're doing something wrong.

fckgw 3 days ago | parent [-]

> The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent.

The machine was already known to the company as belonging to a threat actor from previous activity

glitchc 2 days ago | parent | next [-]

Yes, but only according to the company's own logs, which were not externally validated. To rephrase, the company thinks this was an active attacker based on logs its own tool generates. It does not discount the possibility that the tool generated erroneous logs or identified the wrong machine(s).

bornfreddy 3 days ago | parent | prev | next [-]

That's not very convincing. They still abused trust placed in them - by an active attacker, granted, but still... This seems like a legally risky move and it doesn't inspire trust in Huntress.

fckgw 3 days ago | parent [-]

Who's trust? Their job is to hunt down and research threat actors. The information gained from this is used to better protect their enterprise customers.

This gains more trust with their customers and breaking trust with ... threat actors?

viccis 3 days ago | parent [-]

>Who's trust? Their job is to hunt down and research threat actors

No, their job is to provide EDR protection for their customers.

cybergreg 3 days ago | parent [-]

Threat intelligence is a thing.in fact there’s entire companies that sell just that. In fact, there’s entire government organizations that do just that.

viccis 2 days ago | parent [-]

Sure but that's not what their customer was engaging with them to do. It's not ethical to sell "EDR" services and then use that access to spy on your customers for intelligence purposes.

viccis 3 days ago | parent | prev [-]

That is what I said, yes.