#Goals #HoldMyBeer #Bet 😉
[Image: Screenshot of the Sidekiq dashboard showing nearly 1 billion jobs a day]
We’re running nearly 1 billion Sidekiq background jobs a day to power all of the telemetry processing and detections. Can Redis scale with your workload? Here are the receipts.
@mike.contribsys.com where does that rank in your experience?
🛡️ Defensive Actions:
👉 Deploy a SIEM and detect on it – Catch brute force attempts before successful access.
👉 Enable MFA on VPN – Stop compromised credentials from granting access.
Key Takeaways:
👉 SIEM Would Have Stopped This Early – brute force detections are only in the SIEM, not the EDR.
👉 EDR Detected the threat actor on their Windows-based attack phase – The 18-minute gap gave attackers time to act.
🕐 01:03:29 UTC – EDR detects Credential theft
➡️ reg save hklm\system system
➡️ C:\Users\<redacted>\AppData\Local\Temp\lazagne.exe all
🕐 01:11:10 UTC – Huntress neutralises the intrusion
Timeline of the Attack:
🕛 00:45:43 UTC – VPN Compromise
➡️ A brute-force attack led to initial access. This was discovered through retrospective forensic analysis
➡️ Huntress' SIEM would have caught this had it been deployed in the network
A construction company recently suffered a VPN brute-force attack, but didn't have SIEM monitoring!
The absence of a SIEM led to an 18-minute gap, giving the attacker enough time to attempt to steal credentials - but fortunately the Huntress EDR shut it down.
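As an added example (not Huntress code) of the SIEM brute-force detection the takeaways above call for: a sliding-window rule run over constructed VPN authentication log lines that flags a source IP once it crosses a failure threshold, and raises the severity when that same source later authenticates successfully, which is the gap this incident describes. The log line format, user names and IP addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(line):
    """Parse one constructed syslog-style VPN auth line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=10)):
    """Return alerts as (severity, src, user, ts). 'medium' = threshold failures from one
    source inside the window; 'high' = a SUCCESS from a source that already crossed it."""
    failures = defaultdict(list)  # src -> failure timestamps still inside the window
    flagged, alerts = set(), []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        failures[src] = [t for t in failures[src] if ts - t <= window]  # expire old failures
        if ev["result"] == "FAILED":
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("medium", src, ev["user"], ts))
        elif ev["result"] == "SUCCESS" and len(failures[src]) >= threshold:
            alerts.append(("high", src, ev["user"], ts))  # the case the SIEM should page on
    return alerts

def constructed_sample():
    """Constructed log: 25 failures in ~4 min from one IP, then a success from it, then a normal login."""
    base = datetime(2025, 5, 1, 0, 40, 0)
    lines = [f"{base + timedelta(seconds=10 * i):%Y-%m-%dT%H:%M:%SZ} vpn auth user=jdoe src=203.0.113.7 result=FAILED"
             for i in range(25)]
    lines.append("2025-05-01T00:45:43Z vpn auth user=jdoe src=203.0.113.7 result=SUCCESS")
    lines.append("2025-05-01T00:46:00Z vpn auth user=asmith src=198.51.100.4 result=SUCCESS")
    return lines

if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_sample()):
        print(alert)
```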
These behaviours echo Makop ransomware, and they're often paired with attempts to gain long-term footholds via remote access tools.
We have observed these tactics in previous incidents and were able to catch and neutralize the threat to this IT org before it could wreak havoc.
🔥 RDP Enabled for Further Access: Modified the firewall to reopen RDP using CLI commands.
If you see renamed remote access binaries or odd PsExec usage, you may be facing more than a nuisance script kiddie.
🔑 Followed up with brute-force credential attacks tied to known Makop tooling.
🚀 Lateral Movement & Persistence: Deployed a renamed Mesh Agent via PsExec.
🔍 Attempted to disguise their remote access tool as a benign binary (wvspbind.exe).
Our SOC tackled an attempted ransomware intrusion tied to Makop ransomware tactics. Here’s what went down 👇
🎯 Initial Entry Point: Brute-forced an exposed RDP service (don’t skip reviewing your external perimeters!).
🗺️ Enumeration & Credential Targeting: Ran a network scan using netscan.exe.
🚨Samsung MagicINFO 9 Server (v21.1050.0) is still vulnerable to a publicly available PoC.
We’ve observed active exploitation in the wild. Ensure your server is not internet-facing until a proper fix is available.
Full details + mitigation steps ➡️ bit.ly/44nkzhL
💡 Key lessons for IT pros:
🎯 Always place exposed RDP behind a VPN and enable MFA
🎯 Enforce strong passwords across all user accounts
🎯 Disable unused accounts that haven’t been touched for 30+ days
At this point, Defender triggered alerts for ransomware deployment and Managed EDR powered by our expert SOC, swiftly isolated the network to stop lateral movement and prevent further encryption.
The bad guys authenticated using a suspicious IP and workstation name. But as you check out below, they began to stage files in the “Music” directory on the host.
Moving quickly, they pivoted to deleting shadow copies to prevent recovery after encryption.
We’ve shared many stories about exposed RDP without MFA. Why? Because it’s common AF, and threat actors waste no time exploiting it.
What makes this SOC Story from a dental facility stand out: in under 30 minutes, the attack went from initial access to attempted ransomware deployment.
When notorious infostealer “Celestial Stealer” spots specific names, it shuts down, and one of those belongs to one of our own - @jaiminton.com.
Wanna use Celestial Stealer to hack a business protected by Huntress? You're a daisy if you do.
.@jaiminton.com is a modern-day Doc Holliday. A lawman so feared that threat actors flee at the mere mention of his name…
Introducing Celestial Stealer, a notorious infostealer with a surprising connection to Huntress.
How can you avoid incidents like these? 🔽
➡️ Enable MFA on all VPN logins (no exceptions).
➡️ Use IP restrictions to block unused locations.
➡️ Monitor and centralize VPN telemetry.
➡️ Commit to strong password policies.
With SIEM and EDR in place, our SOC acted fast.
By combining Active Directory and VPN telemetry, we tracked the compromised account and launched network-wide isolation, shutting down lateral movement and blocking potential ransomware.
✅ The attacker used a compromised VPN account (no MFA) to log in with a malicious device.
✅ Explored the network, hid findings in a shady folder, & dug through browser cookies for auth info.
✅ Files were staged on the network file server, ready for exfiltration or encryption.
🐶 A vulnerability left an animal care facility wide open, and an attacker didn’t hesitate to pounce. Here’s how it unfolded 👇
Some good takeaways from @huntress.com’s recent Tradecraft Tuesday ft. Patrick Wardle:
-The impact of Apple bringing TCC events to Endpoint Security
-#Mac malware persistence techniques vs BTM
-Security alert inundation for #macOS users
Catch up here⤵️
www.huntress.com/blog/say-hel...
➕Threat actors continue to target this flaw with 24 different orgs now compromised
➕We observed several organizations targeted on April 21 in attacks that used several overlapping ping commands
We’ll continue giving updates on this exploit as we gather more details: www.huntress.com/blog/cve-202...
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox
But our SOC swooped in and booted them out before more damage was done.
Don’t slack on security hygiene:
➡️ Enable MFA for all externally facing services
➡️ Require strong passwords and enforce time-of-day restrictions—all it takes is one compromised account to gain access
A threat actor brute forced a manufacturer's VPN appliance 🏭 Here’s what happened👇
📌 Successfully compromised one account for initial access
📌 Enumerated the domain, focusing on trust relationships and domain controllers
📌 Modified the registry and local firewall to enable lateral RDP movement
Make sure to reinforce your security stack against ransomware👇
✅ Secure RDP: disable exposed RDP services & enforce MFA
✅ Check Windows Defender modifications: unauthorized changes may be a red flag
✅ Tune into threat intel: stay ahead of TTPs so you disrupt threats quicker
➡️ The payload and IPv4 are possible BianLian activity, a ransomware group known for raking in payments with data exfiltration and extortion over encryption.
Fortunately, our SOC sent them packing before any serious damage was done.
➡️ A suspected ransomware group impaired Windows Defender using registry modifications to exclude *.DLL
➡️ Then with Windows Defender on the fritz they dropped a malicious GoLang DLL payload: rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry
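Added example (not Huntress code): a small rule set run over constructed EDR telemetry that covers the tradecraft from the Makop timeline above (reg save of the SYSTEM hive, lazagne.exe launched from Temp, a CLI firewall change to reopen RDP) and from this BianLian story (a Defender *.DLL exclusion written to the registry, then rundll32 loading a DLL out of ProgramData). The event schema, the exact netsh command form and the Exclusions\Extensions value layout are assumptions, not details from the posts.

```python
import re

# Constructed sample EDR events (not from any real sensor or from the incidents described above).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"reg save hklm\system system"},
    {"type": "process", "cmdline": r"C:\Users\alice\AppData\Local\Temp\lazagne.exe all"},
    {"type": "process", "cmdline": r'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions", "value": ".dll"},
    {"type": "process", "cmdline": r"rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry"},
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign control
]

# (rule name, event type, case-insensitive regex over the command line or over key\value)
RULES = [
    ("registry_hive_dump", "process", r"^reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("lazagne_cred_theft", "process", r"\\temp\\lazagne\.exe\b"),
    ("rdp_firewall_reopen", "process", r"netsh\s+advfirewall.*(remote desktop|3389)"),
    ("defender_exclusion_dll", "registry", r"windows defender\\exclusions\\extensions\\[*.]*dll$"),
    ("rundll32_programdata_dll", "process", r"rundll32(\.exe)?\s+c:\\programdata\\.*\.dll,"),
]

def event_text(event):
    """Normalise an event to the one string the rules are written against."""
    if event["type"] == "process":
        return event.get("cmdline", "")
    return event.get("key", "") + "\\" + event.get("value", "")

def match_rules(event):
    """Return the names of every rule whose type and regex match this event."""
    text = event_text(event)
    return [name for name, etype, pat in RULES
            if etype == event["type"] and re.search(pat, text, re.I)]

def triage(events):
    """Map event index -> matched rule names, skipping events that hit nothing."""
    hits = {}
    for i, ev in enumerate(events):
        names = match_rules(ev)
        if names:
            hits[i] = names
    return hits

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, names, event_text(SAMPLE_EVENTS[idx]))
```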