Huntress’s attacker surveillance splits infosec community • The Register

Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as “hilarious” – split opinion across the cybersecurity community.
Defenders, for the most part, agreed with the vendor’s assessment of the situation, which revolved around an attacker, for whatever reason, installing a trial version of its EDR tool and consequently having their entire activity monitored by the good guys.
One of the best parts was that Huntress’s insights showed the attacker even installed a premium Malwarebytes browser extension in an attempt to stay safe online.
It’s almost a reverse case of an SEO poisoning attack, as Huntress’s logs showed the attacker performed a Google search for “Bitdefender” and downloaded the EDR trial via a sponsored Google link appearing at the top of search results.
What followed was a surveillance campaign from the vendor, tracking the attacker’s activity covering the three months after the attacker installed its EDR, and watching them refine their tradecraft.
The researchers found signs of the attacker – provenance unconfirmed but hinted at – exploring the use of automation, AI, phishing kits, exploit kits, and other malware.
Looking at their extensive use of Google Translate over the three-month period, it became apparent that the attacker appeared to understand Thai, Spanish, and Portuguese.
They would routinely use Translate to convert messages into English, likely for use in phishing campaigns targeting credentials for banking websites.
The vendor said it is rare to be afforded this kind of granular insight into attackers’ machines, and for it to fall into their lap in this fashion was a once-in-a-blue-moon moment.
Full details of the findings can be found on Huntress’s blog about the case, published September 9, but the humor of its publication has not resonated with everyone.
The controversy
Huntress felt compelled to update its research with a statement following the original publication, after certain corners of the cybersecurity community raised ethical concerns.
Horizon3.ai’s CEO, Snehal Antani, posted on X: “That visibility gave defenders unique insights, but it also raises a real question: Should a private company be allowed to monitor an adversary like that, or were they obliged to notify authorities once it crossed from IR into intelligence collection?”
“Is that hack back, or is it deterrence because the attacker is no longer worried about getting caught, but getting burned,” he added, before congratulating Huntress on a “cool read and great work.”
Other infosec watchers called it a “complete invasion of privacy” on the vendor’s part, while others seemed surprised about the amount of data EDR tools such as Huntress’s can access.
Huntress leapt to its own defense later the same day of publication, saying the research methodology echoed that used by all other EDR vendors, and that such tools would always have a high degree of visibility into host systems.
“On the heels of questions around how and why Huntress released this information, we wanted to clarify several important aspects of our investigation,” it stated.
“We have an obligation to 1) research and respond to security threats and investigate malware and 2) educate the broader community about those threats. These dual objectives played into our decision to develop and publish this blog post.”
The vendor went on to say that its researcher happened upon the case while investigating “numerous alerts” that malware was being executed from the attacker’s computer, and they later confirmed the unique machine name was the same one observed in “several incidents” before the attacker made the mistake of downloading the EDR.
“We wanted to serve the broader community by sharing what we learned about the tradecraft that the threat actor was using in this incident,” Huntress stated.
“In deciding what information to publish about this investigation, we carefully considered several factors, like strictly upholding our privacy obligations, as well as disseminating EDR telemetry that specifically reflected threats and behavior that could help defenders.
“Overall, this investigation is a result of what we strive to do best: Transparency, education, and wrecking hackers.” ®