Hacker News: viccis's comments

Reminds me of when a Hostgator employee told me on reddit that he liked digging through peoples' websites and chatted with me about the stuff I had hosted on my website.

That's potentially different, to be fair. Websites are generally made with the intention of making them public, and unless you're digging through stuff that hasn't been made public, there's nothing wrong with browsing your customers' websites and talking about it. (Of course, maybe that's what the Hostgator employee was doing - in which case, shame on them.)

On the other hand, I'm pretty sure that the person who installed Huntress did not intend to upload any info at all, let alone to have that information made public.


No he was digging through my FTP contents that weren't publicly viewable.

I can't imagine pen testers would be able to work in the EU without being able to access individual workstations without the users' knowledge.

The key difference here is that pen testing, as well as IT testing, is very explicitly scoped out in a legal contract, and part of that is that users have to be told to consent to monitoring for relevant business purposes.

What happened in this blogpost is still outside of that scope, obviously. I doubt that Huntress could make the claim that their customer here was clearly told that they would be possibly monitoring their activity in the same way that a "Consent to Monitoring" popup for every login on corporate machines does it.


>We are an extension of their security team, which means they trust us with this access

So if <bad actor> in this writeup read your pitch and decided to install your agent to secure their attack machine, it sounds like they "trusted you with this access". You used that access to surveil them, decide that you didn't approve of their illegal activity, and publish it to the internet.

Why should any company "trust you with this access"? If one of your customers is doing what looks to one of your analysts to be cooking their books, do you surveil all of that activity and then make a blog post about them? "Hey everyone here, it's Huntress showing how <company> made the blunder of giving us access to their systems, so we did a little surprise finance audit of them!"


Their product is advertised as "Managed EDR". That usually means they employ a SOC that will review alerts and then triage and orchestrate responses accordingly. The use case here is when your IT manager chooses to deploy this and give them full visibility into your assets because your company wants to effectively outsource security response.

It's a relatively common model, with MDR and MSSP providers doing similar things. I don't see it as much with EDR providers though.


They mention in the write-up that they correlated certain indicators with what they had seen in other attacks to be reasonably sure they knew this was an active attacker.

The problem to me is that this is the kind of thing you'd expect to see being done by a state intelligence organization with explicitly defined authorities to carry out surveillance of foreign attackers codified in law somewhere. For a private company to carry out a massive surveillance campaign against a target based on their own determination of the target's identity and to then publish all of that is much more legally questionable to me. It's already often ethically and legally murky enough when the state does it; for a private company to do it seems like they're operating well beyond their legal authority. I'd imagine (or hope I guess) that they have a lawyer who they consulted before this campaign as well as before this publication.

Either way, not a great advertisement for your EDR service to show everyone that you're shoulder surfing your customers' employees and potentially posting all that to the internet if you decide they're doing something wrong.


> The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent.

The machine was already known to the company as belonging to a threat actor from previous activity


Yes, but only according to the company's own logs, which were not externally validated. To rephrase, the company thinks this was an active attacker based on logs its own tool generates. It does not discount the possibility that the tool generated erroneous logs or identified the wrong machine(s).

That's not very convincing. They still abused trust placed in them - by an active attacker, granted, but still... This seems like a legally risky move and it doesn't inspire trust in Huntress.

Whose trust? Their job is to hunt down and research threat actors. The information gained from this is used to better protect their enterprise customers.

This gains more trust with their customers and breaking trust with ... threat actors?


>Whose trust? Their job is to hunt down and research threat actors

No, their job is to provide EDR protection for their customers.


Threat intelligence is a thing. In fact, there are entire companies that sell just that. In fact, there are entire government organizations that do just that.

Sure but that's not what their customer was engaging with them to do. It's not ethical to sell "EDR" services and then use that access to spy on your customers for intelligence purposes.

That is what I said, yes.

Having worked in the computer security world for many years and been completely on board with the "it's good to open source attack tools so that everyone knows what can be done", it's still sometimes hard not to feel like a useful idiot when I see attackers operating with big stacks of almost all open source tooling that are now mature and full featured enough to make almost any skid into a decently effective procurer and vendor of stolen information with a bit of effort.

I've been through 2 offensive courses (SANS GPEN and Parrot Labs Offensive Methodology and Analysis) and yeah, that was the take I got even back then (5+ years ago). Everything we used was open source and near-fully functional. There was a lot of knowledge needed on the syntax for some tools, but otherwise it was insane to think how easily these could be used by a motivated person.

For some of them, it makes sense. Metasploit, Cobalt Strike, and similar tools are good because they can be used to give people a good idea of the impact of the vulnerabilities in their system as well as giving them knowledge of the TTPs that attackers use.

But some of these, like Bloodhound, are not really telling you much you didn't know. They are tools to make exploiting access, whether authorized or otherwise, easier and more automated. Hell, even in the case of Cobalt Strike, they are doing their best to limit who can obtain it and chasing down rogue copies because they're used for real attack purposes.

I'm not really saying anything should (or can) be done about this. Just ruminating about it, as after many years in the industry, seeing a list of a mostly open source stack used for every aspect of cybercrime sometimes surprises me at just how good a job we've done of equipping malicious actors. For all the high-minded talk of making everyone more secure, a lot of things just seem to be done for a mixture of bragging rights, ego, and sharing things with each other to make our offensive sec job a bit easier.


"Serverless" refers to the demarcation point in the shared responsibility model. It means there aren't any servers about as much as "cloud hosting" means the data centers are flying.

>That's hilarious given that Reddit is utterly overrun with blatant, low-quality LLM accounts using ChatGPT to post comments and gain karma, and several of the "text stories" on the front page from subs like AITA are blatant AI slop that the users (or other bots?) are eating up.

Check out this post [1] in which the post includes part of the LLM response ("This kind of story involves classic AITA themes: family drama, boundary-setting, and a “big event” setting, which typically generates a lot of engagement and differing opinions.") and almost no commenter points this out. Hilarious if it weren't so bleak.

1: https://www.rareddit.com/r/AITAH/comments/1ft3bt6/aita_for_n... (using rareddit because it was eventually deleted)


Over the past two years, I have also seen many similar stories where the majority of users were unable to recognize that these stories were AI-generated. I fear for the future of democracy if the masses are so easily deceived. Does anyone have any good ideas on how to counteract this?

Literacy rates have been falling off a cliff for decades.

If there's no literacy, there is no critical thinking.

The only solution is to deliver high quality education to all folks and create engaging environments for it to be delivered.

Ultimately it comes down to influencing folks to think deeper about what's going on around them.

Most of the people between the age of 13-30ish right now are kinda screwed and pretty much a write off imo.


No, that's rightfully viewed as a waste of time if you want to make a game (vs if you want to make a game engine)

Using the same game engines and physics leads to a generic look-and-feel, even if they do allow for a large amount of creativity and differences.

This _looks_ different, which is awesome!

Even if the atmospheric effects still need some honing, there's a ton of work around lighting to eventually be done, the edgy polys make it look about 20 years old, and it's a bit pixel-y around the edges, this is headed into a spectacular direction!

If my ADD were in charge of this project, here's what I'd add:

- Optional stars / environment - a universal simulation would be unrealistically computationally expensive, but just having stars would be neat. Later, a planet in the horseshoe nebula, or playing spherical versions of recorded or streaming video for AR or making homegrown music videos.

- Ability for others to share datasets - the Earth is f-ing awesome and I can't wait for the Moon! What about a place where users could share different datasets like Arrakis with its sand dunes and 2 moons or Tatooine with its 3 moons, then maybe they could fly in a heighliner, landspeeder, frigate, or imperial lambda shuttle, or even the jetcar from Buckaroo Bonzai?

- Solar Mayhem - Simulate a crazy atmospheric and orbital space war simulation or arcade-style game with satellites, lasers, plasma / electrical discharges and arcing, dust and nanorobot clouds, cloaking, jamming, ramming, repairs by robots and soldiers in tethered spacesuits, zooming cameras and 2D/3D scanners in different wavelengths, spacefaring naval ships, UAPs and other secret government vehicles, and complex 20th century fantasies of space stations running on nuclear and otherworldly power.

- Eclipse Support - when you add the Moon, doing an eclipse is not just the shadow but you'll need to handle the cool colors on the edges when the moon is covering the Sun.

- Ocean Simulation - Orcas, fish, eels, coral, lobsters, octopi, old ruins, Atlantis with its merpeople, tictacs and other USOs!

- Beautiful water features in Baltic Sea, Yukon Delta, Mississippi River, Lena River, Petermann Glacier, Brunt Ice Shelf, South Georgia Island, Guinea-Bissau, New Caledonia, Patagonian Sea, and the Icelandic and Norwegian fjords.

- Weather simulation with a way to pull in current atmospheric data historically to fly through hurricanes and tornados or simulate tsunamis after earthquakes.

- Subterreania and the inner sun of the Earth.

- A 2D sim for flat earthers.


> Using the same game engines and physics leads to a generic look-and-feel

Sure but they're talking about using the same game engine, not the same physics engine. I don't think anyone would say Split Fiction looks at all like Oblivion Remastered. Though they both use Unreal Engine 5


That would certainly be an awesome game, but did you know that your "Solar Mayhem" concept already exists? Children of a Dead Earth - it's probably a bit more austere by virtue of limiting itself to only somewhat-plausibly realistic weapons, mind you.

https://childrenofadeadearth.wordpress.com/


That's a lot of features. Moon is on my TODO list though and eclipses would be nice as well.

This whole thing reads as AI written and doesn't really talk about "tech debt" in any brass tacks way.

It was not AI written. I took 18 months to write it. I documented a lot of that on my blog in real time and in LinkedIn. I have posted several drafts of (hopefully) increasing quality publicly.

I get that you might not like my writing, but it is mine.

