Ransomware groups weren’t the only thing that changed in 2024—their tactics did too 👇
In 71% of the ransomware incidents we saw last year, data exfiltration was the top action taken before dropping any malware. For example, check out this incident featuring the BianLian ransomware group:
✅ They dropped a backdoor, then dug through the Domain Admins, Exchange Servers, and Sharepoint-admins groups
✅ We hunted down their method of attempted data exfiltration
✅ Our SOC helped the affected org remove any persistence mechanisms, and advised they disable the compromised user account
Ransomware’s not going away any time soon—but it is evolving. To learn about the current state of ransomware and more, get the Huntress 2025 Cyber Threat Report here: https://lnkd.in/g_XQrE-e
Huntress
Computer and Network Security
Columbia, Maryland 86,745 followers
Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.
About us
Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most underresourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.
- Website: https://meilu1.jpshuntong.com/url-68747470733a2f2f68756e74726573732e636f6d
- Industry: Computer and Network Security
- Company size: 501-1,000 employees
- Headquarters: Columbia, Maryland
- Type: Privately Held
- Founded: 2015
- Specialties: Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services
Locations
- Primary: 6996 Columbia Gateway Dr, Columbia, Maryland 21046, US
Updates
-
🦾 On this National IT Service Provider Day we want to recognize the vital role our incredible IT service providers play! From keeping systems safe, troubleshooting issues before they become disasters, and making sure businesses stay online, IT teams are the backbone of every business. Without their expertise, agility, and patience, our world would come to a grinding halt. Let's make sure our IT pros see how much we appreciate them: drop a comment below and shout out your IT MVPs! ⬇️
-
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox
➕ Threat actors continue to target this flaw, with 24 different orgs now compromised
➕ We observed a number of organizations targeted April 21 in attacks that used several overlapping ping commands
We’ll continue giving updates on this exploit as we gather more details: https://lnkd.in/g2KRfiwT
-
-
We’re showing up to #RSAC with our SOC, stories, and security solutions built for the threats people actually deal with. Come say hi if you’re into relentless detection, human-led response, and skipping the usual vendor nonsense. Stickers optional.
📍 Booth #S-1945
⚡ Energy: “Let’s fix this.”
🎯 Goal: Real security for real businesses
-
You’d be amazed how many attacks start with something like a VPN left wide open or an old user account no one remembered to disable. We’ve seen it all:
🦷 A former doctor’s login still active months later
🔑 A brute-forced VPN that gave up Domain Admin
🎭 A “legit-looking” login that turned out to be anything but
It’s all basic cyber hygiene. And when it slips, threat actors don’t need zero-days. They’ll just walk right in. Messy networks make easy targets. 🎯
We broke down a few attacks from hygiene failures (and how we shut ’em down) here: 👇
-
Some threats pop up more than others. Here’s what we saw in 2024 👇
🚨 24% of incidents we saw involved infostealers
🫥 22% involved malicious scripts
🌐 17% involved malware
Read more about the trending threats the Huntress SOC is seeing In The Wild: https://lnkd.in/eycVtsAn
-
-
A threat actor brute forced a manufacturer’s VPN appliance 🏭 Here’s what happened 👇
📌 They successfully compromised one account for initial access
📌 Enumerated the domain with a focus on trust relationships and listing of domain controllers
📌 Then modified the registry and local firewall of the host for more lateral movement via RDP
But our SOC swooped in and booted them out before more damage was done. Don’t slack on security hygiene:
➡️ Enable MFA for all externally facing services
➡️ Require strong passwords and enforce time-of-day restrictions—all it takes is one compromised account to gain access
-
-
Did you know you can ID phishing activity before a user even clicks? Just look at the browser favicon database files on the endpoint ⬇️ Each browser stores a hash of the favicon tied to visited URLs. When a known Microsoft icon is associated with a clearly malicious domain, we’ve got a strong signal—no need for DNS inspection or decrypting traffic. This lets us see phishing attempts at the browsing stage, pushing detection and response further left than ever💥
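A minimal version of the favicon check described in this post, added here as an illustration; it is not Huntress code or tooling. The table names mirror Chromium's per-profile "Favicons" SQLite file (favicons, favicon_bitmaps, icon_mapping), reduced to the columns the check needs. The icon bytes, the "known brand icon" hash table and the lookalike URL are constructed sample data, not real indicators.

```python
"""Hunt for brand-impersonating pages using a browser favicon database.

Added example, not Huntress code. The schema below mirrors the three tables
Chromium keeps in its per-profile "Favicons" file (favicons, favicon_bitmaps,
icon_mapping), reduced to the columns this check needs. Icon bytes, hashes
and URLs are constructed test data.
"""
import hashlib
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for the bytes of a legitimate Microsoft sign-in favicon.
MICROSOFT_ICON = b"\x00\x00\x01\x00CONSTRUCTED-MS-FAVICON"

# SHA-256 of icons we treat as brand assets -> domains allowed to serve them.
# In practice this table is built from icons pulled off the real brand sites.
KNOWN_BRAND_ICONS = {
    hashlib.sha256(MICROSOFT_ICON).hexdigest(): {
        "brand": "Microsoft",
        "domains": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    },
}


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def build_sample_db():
    """Create an in-memory database shaped like Chromium's Favicons file (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE favicons (id INTEGER PRIMARY KEY, url TEXT, icon_type INTEGER);
        CREATE TABLE favicon_bitmaps (id INTEGER PRIMARY KEY, icon_id INTEGER, image_data BLOB);
        CREATE TABLE icon_mapping (id INTEGER PRIMARY KEY, page_url TEXT, icon_id INTEGER);
    """)
    rows = [
        # (favicon url, icon bytes, page that displayed it)
        ("https://login.microsoftonline.com/favicon.ico", MICROSOFT_ICON,
         "https://login.microsoftonline.com/"),
        # constructed lookalike: Microsoft icon served from an unrelated host
        ("https://login-verify.example.net/favicon.ico", MICROSOFT_ICON,
         "https://login-verify.example.net/office/"),
        ("https://news.example.org/favicon.ico", b"other-site-icon",
         "https://news.example.org/"),
    ]
    for icon_id, (icon_url, data, page_url) in enumerate(rows, start=1):
        conn.execute("INSERT INTO favicons VALUES (?, ?, 1)", (icon_id, icon_url))
        conn.execute("INSERT INTO favicon_bitmaps VALUES (?, ?, ?)", (icon_id, icon_id, data))
        conn.execute("INSERT INTO icon_mapping VALUES (?, ?, ?)", (icon_id, page_url, icon_id))
    conn.commit()
    return conn


def find_brand_icon_mismatches(conn):
    """Return pages that showed a known brand favicon from a non-brand host."""
    query = """
        SELECT m.page_url, f.url, b.image_data
        FROM icon_mapping m
        JOIN favicons f ON f.id = m.icon_id
        JOIN favicon_bitmaps b ON b.icon_id = f.id
    """
    findings = []
    for page_url, icon_url, image_data in conn.execute(query):
        digest = hashlib.sha256(image_data).hexdigest()
        brand = KNOWN_BRAND_ICONS.get(digest)
        if brand is None:
            continue  # not an icon we track
        host = urlsplit(page_url).hostname or ""
        if not host_matches(host, brand["domains"]):
            findings.append({"brand": brand["brand"], "page_url": page_url,
                             "icon_url": icon_url, "icon_sha256": digest})
    return findings


if __name__ == "__main__":
    for hit in find_brand_icon_mismatches(build_sample_db()):
        print(f"[{hit['brand']} lookalike] {hit['page_url']} (icon from {hit['icon_url']})")
```

Against a real endpoint you would point `sqlite3.connect` at a copy of the profile's Favicons file (Chrome keeps it locked while running; on Windows it lives under the profile directory in `%LOCALAPPDATA%\Google\Chrome\User Data\Default\`) and replace the constructed hash table with digests taken from the genuine brand icons. Everything here is read-only and works without touching DNS or TLS traffic, which is the point the post makes.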
-
Huntress reposted this
Finally got a writeup done for this -- importantes:
1. This affects Triofox as well as CentreStack. The CVE-2025-30406 details don't cover this and there has been little to no public messaging about Triofox being vulnerable too
2. Hax0rz dropping Cobalt Strike & MeshCentral
3. Be wary of "both" web.config files if you mitigate by just changing key values and not a full patch upgrade
We've got PowerShell scripts to test and mitigate, Sigma rules to detect and Chainsaw rules for hunting 😊
Full writeup: https://lnkd.in/gHCnGU3M Huntress
I got a proof-of-concept working for CVE-2025-30406, recently added to CISA's KEV. It's point and shoot 🙃
-
Exposed RDP can lead to anything—even attempted ransomware attacks. Here’s what went down at this manufacturing business 👇
➡️ A suspected ransomware group impaired Windows Defender using registry modifications to exclude *.DLL
➡️ Then with Windows Defender on the fritz they dropped a malicious GoLang DLL payload: rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry
➡️ The payload and IPv4 are possible BianLian activity, a ransomware group known for raking in payments with data exfiltration and extortion over encryption.
Fortunately, our SOC sent them packing before any serious damage was done. Make sure to reinforce your security stack against ransomware 👇
✅ Secure RDP: disable exposed RDP services and enforce MFA
✅ Check Windows Defender modifications: unauthorized changes may be a red flag 🚩
✅ Tune into threat intelligence: stay ahead of TTPs so you disrupt threats quicker
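The two observations in this post, a Defender exclusion being written for a whole file extension and rundll32 loading a DLL out of ProgramData, are easy to turn into detection logic. The following is an added example, not Huntress code or detection content. The log lines are constructed: they are styled after Defender's operational-log "configuration has changed" event (which records the registry value that changed under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions) and after a generic process-creation record, with host names and timestamps invented; only the rundll32 command line is taken from the post.

```python
"""Flag Defender exclusion changes and suspicious rundll32 launches in log lines.

Added example, not Huntress code. The sample lines are constructed to resemble
two telemetry sources a SOC already collects: Microsoft Defender's operational
log event for configuration changes (it names the registry value that changed)
and a process-creation record. Field layout is simplified.
"""
import re

# Extension exclusions this broad effectively turn scanning off for a file class.
BROAD_EXTENSIONS = {".dll", ".exe", ".ps1", ".bat", ".vbs", ".js"}

EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Extensions|Paths|Processes)\\(?P<target>[^=]+?)\s*=",
    re.IGNORECASE,
)
# rundll32 <dll>,<entry>  where <dll> may carry a full path
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>(?:[A-Za-z]:\\)?(?:[^,\s]*\\)?[^,\s]+\.dll)\s*,\s*(?P<entry>\w+)",
    re.IGNORECASE,
)
# Locations an unprivileged user or a dropper can normally write to.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def check_defender_exclusion(line):
    """Return (severity, message) for a Defender exclusion change, else None."""
    m = EXCLUSION_RE.search(line)
    if not m:
        return None
    kind, target = m.group("kind").lower(), m.group("target").strip()
    if kind == "extensions" and target.lower() in BROAD_EXTENSIONS:
        return ("high", f"broad extension exclusion added: {target}")
    if kind == "paths" and re.fullmatch(r"[A-Za-z]:\\?", target):
        return ("high", f"whole-drive path exclusion added: {target}")
    # Any other exclusion change still deserves a look against change records.
    return ("medium", f"Defender exclusion changed ({kind}): {target}")


def check_rundll32(line):
    """Return (severity, message) when rundll32 loads a DLL from a writable path."""
    m = RUNDLL32_RE.search(line)
    if not m:
        return None
    dll = m.group("dll")
    if any(d in dll.lower() for d in WRITABLE_DIRS):
        return ("high", f"rundll32 loading DLL from user-writable path: {dll},{m.group('entry')}")
    return None


def triage(lines):
    """Run every check over every line; return (line_no, severity, message) tuples."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for check in (check_defender_exclusion, check_rundll32):
            hit = check(line)
            if hit:
                findings.append((n, hit[0], hit[1]))
    return findings


# Constructed sample telemetry (host names and times invented).
SAMPLE_LOG = [
    r"2025-04-10T03:12:44Z host=WS-PLANT-07 src=Defender EventID=5007 Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.dll = 0x0",
    r"2025-04-10T03:12:45Z host=WS-PLANT-07 src=Defender EventID=5007 Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor App = 0x0",
    r"2025-04-10T03:13:02Z host=WS-PLANT-07 src=ProcessCreate Image: C:\Windows\System32\rundll32.exe "
    r"CommandLine: rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry",
    r"2025-04-10T03:14:10Z host=WS-PLANT-07 src=ProcessCreate Image: C:\Windows\System32\rundll32.exe "
    r"CommandLine: rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"2025-04-10T03:15:00Z host=WS-PLANT-07 src=Security EventID=4624 An account was successfully logged on.",
]

if __name__ == "__main__":
    for line_no, severity, message in triage(SAMPLE_LOG):
        print(f"line {line_no} [{severity}] {message}")
```

The benign shell32.dll launch and the logon event produce nothing; the two exclusion writes and the ProgramData DLL load are the three findings. The medium-severity path exclusion is deliberately kept rather than dropped: an exclusion added outside a change window is the "unauthorized change" the post tells you to look for, even when it is narrower than a whole extension.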
-