Huntress
@huntress.com
Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.
A construction company recently suffered a VPN brute-force attack, but didn't have SIEM monitoring!

The absence of a SIEM led to an 18-minute gap, giving the attacker enough time to attempt to steal credentials - but fortunately the Huntress EDR shut it down.
May 13, 2025 at 4:31 PM
Our SOC tackled an attempted ransomware intrusion tied to Makop ransomware tactics. Here’s what went down 👇

🎯 Initial Entry Point: Brute-forced an exposed RDP service (don’t skip reviewing your external perimeters!).
🗺️ Enumeration & Credential Targeting: Ran a network scan using netscan.exe.
May 8, 2025 at 3:30 PM
🚨Samsung MagicINFO 9 Server (v21.1050.0) is still vulnerable to a publicly available PoC.

We’ve observed active exploitation in the wild. Ensure your server is not internet-facing until a proper fix is available.

Full details + mitigation steps ➡️ bit.ly/44nkzhL
I've confirmed Samsung's MagicINFO 21.1050 is VULNERABLE to the publicly reported PoC in the blog below.

ssd-disclosure.com/ssd-advisory...

The media is reporting this as CVE-2024-7399, but if it is then the patch is incomplete. There is currently NO PATCH AVAILABLE!
May 7, 2025 at 6:43 PM
We’ve shared many stories about exposed RDP without MFA. Why? Because it’s common AF, and threat actors waste no time exploiting it.

What makes this SOC Story from a dental facility stand out: in under 30 minutes, the attack went from initial access to attempted ransomware deployment.
May 6, 2025 at 3:42 PM
[email protected] is a modern-day Doc Holliday. A lawman so feared that threat actors flee at the mere mention of his name…

Introducing Celestial Stealer, a notorious infostealer with a surprising connection to Huntress.
May 5, 2025 at 3:27 PM
🐶 A vulnerability left an animal care facility wide open, and an attacker didn’t hesitate to pounce. Here’s how it unfolded 👇
April 30, 2025 at 7:40 PM
Reposted by Huntress
Some good takeaways from @huntress.com’s recent Tradecraft Tuesday ft. Patrick Wardle:
-The impact of Apple bringing TCC events to Endpoint Security
-#Mac malware persistence techniques vs BTM
-Security alert inundation for #macOS users
Catch up here⤵️
www.huntress.com/blog/say-hel...
Say Hello to Mac Malware | Huntress
In this month’s Tradecraft Tuesday, we talked about how threat actors are finetuning their macOS malware in order to maintain persistent access and avoid detection by Apple’s security features.
April 23, 2025 at 1:15 PM
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox
April 22, 2025 at 1:07 PM
A threat actor brute forced a manufacturer's VPN appliance 🏭 Here’s what happened👇

📌 Successfully compromised one account for initial access
📌 Enumerated the domain, focusing on trust relationships and domain controllers
📌 Modified the registry and local firewall to enable lateral RDP movement
April 17, 2025 at 2:57 PM
Exposed RDP can lead to anything—even attempted ransomware attacks. Here’s what went down at this manufacturing business👇
April 16, 2025 at 3:29 PM
Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.
April 14, 2025 at 12:53 AM
Threat actors can gain access to your network through an account that’s already on your system.

The built-in Windows Guest account is often overlooked because it’s usually disabled by default—but that’s exactly what makes it a stealthy tool for attackers to exploit.
April 8, 2025 at 5:19 PM
Huntress researchers recently analyzed attacks involving CVE-2025-31161, a critical authentication bypass flaw in CrushFTP.

💡 We observed specific post-exploitation activity used by threat actors leveraging the flaw in the wild
April 7, 2025 at 6:10 PM
CVE-2025-31161 is the latest example of a critical severity authentication bypass vulnerability in CrushFTP, a growing trend we’re seeing from attackers targeting managed file transfer (MFT) platforms.
April 4, 2025 at 9:56 PM
Things you might spot in a #smishing text ⬇️

✅ Sketchy phone number: Pretty sure the USPS isn’t sending out texts from the Philippines

✅ Unclickable links: On the off chance it actually was the USPS, they’d send a link you can click without basically having to solve a riddle
April 1, 2025 at 6:19 PM
Do you detect phishing from the endpoint or the cloud? 🎣 If you’re part of our Security Operations Center, the answer’s both. Here’s an example 👇

✅ A proactive, human-led investigation led to our SOC identifying a potentially compromised Microsoft 365 identity
March 24, 2025 at 2:39 PM
A threat actor slid into a network through exposed virtual network computing (VNC). Here’s what happened 👇

✅ They deployed C:\Users\<redacted>\Music\setup.msi to install Atera & Splashtop for persistent remote access
March 12, 2025 at 6:41 PM
Here’s an example of VPN compromise 👇

✅ It’s a super common technique we see all the time
✅ Affects businesses of every size
✅ Usually caused by a simple configuration mistake, like an account without MFA enabled

Yet it can often lead to network-wide compromise 😟
March 10, 2025 at 5:32 PM
Our SOC spotted a food wholesale business under duress when a threat actor was attempting to brute force an RDP server from a malicious IP address.

Here’s what went down👇
March 4, 2025 at 7:51 PM
Let’s keep it real: Any service you expose to the internet is fair game for attackers. They’ll target anything to get access into your environment 👇

🎯 Web applications
🎯 #VPN devices
🎯 Remote desktop gateway

Here’s how to secure exposed services and wreck a hacker’s day 💪
February 25, 2025 at 6:58 PM
A ransomware actor compromised a sport club’s network 🏌️

Here’s what went down 👇

✅ They prepared to launch ransomware by deleting volume shadow copies
✅ Attempted to frustrate defenders by clearing the logs and neutralizing defenses
February 20, 2025 at 5:05 PM
Threat actors target every level of government 👇

Someone convinced a user via email to run and install tools that gave them malicious remote access to an important workstation at a County Government facility. The threat actor then:
February 17, 2025 at 3:29 PM
If you administer at least one Microsoft 365 tenant, you might find some surprising results if you audit your #OAuth applications 👀

Statistically speaking, there’s a good chance your tenant is infected with a rogue app that could be malicious 😱
February 13, 2025 at 5:24 PM
Straight from the 2025 Cyber Threat Report

It’s no longer just clicking on sketchy links you need to be aware of. In 2024:

29% of 🐟 attacks involved e-signature impersonation tactics

24% of 🐠 attacks involved malicious image-based content

8% of 🐡 attacks involved embedding malicious QR codes
February 12, 2025 at 10:02 PM