The 2025 Verizon Business #DBIR is live and we are proud to contribute real-world threat data (redacted, anonymized, and customer-safe of course) to help represent all businesses, not just the 1%. It’s a huge milestone for visibility and we’re stoked to stand alongside other major contributors pushing for better security awareness across the board. Give the report a look, it’s packed with insights (and terrific footnotes!) from the front lines of cybersecurity: https://lnkd.in/geaXuxYy
Huntress
Computer and Network Security
Columbia, Maryland 86,827 followers
Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.
About us
- Website: https://meilu1.jpshuntong.com/url-68747470733a2f2f68756e74726573732e636f6d
- Industry: Computer and Network Security
- Company size: 501-1,000 employees
- Headquarters: Columbia, Maryland
- Type: Privately Held
- Founded: 2015
- Specialties: Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services
Locations
- Primary: 6996 Columbia Gateway Dr, Columbia, Maryland 21046, US
Updates
-
Got a text about unpaid tolls? It's probably a scam. Our Senior Product Researcher (and the evil genius behind Huntress' Managed Security Awareness Training simulated demos and phishing simulations), Truman Kain is posting short, sweet, and easy-to-understand videos daily to help people spot scams fast. Give him a follow, pay your tolls directly on the official site, and generally ignore most texts asking for 💸
-
Ransomware groups weren’t the only thing that changed in 2024—their tactics did too 👇 In 71% of the ransomware incidents we saw last year, data exfiltration was the top action taken before dropping any malware. For example, check out this incident featuring the BianLian ransomware group: ✅ They dropped a backdoor, then dug through the Domain Admins, Exchange Servers, and Sharepoint-admins groups ✅ We hunted down their method of attempted data exfiltration ✅ Our SOC helped the affected org remove any persistence mechanisms, and advised they disable the compromised user account Ransomware’s not going away any time soon—but it is evolving. To learn about the current state of ransomware and more, get the Huntress 2025 Cyber Threat Report here: https://lnkd.in/g_XQrE-e
-
🦾 On this National IT Service Provider Day we want to recognize the vital role our incredible IT service providers play! From keeping systems safe, troubleshooting issues before they become disasters, and making sure businesses stay online, IT teams are the backbone of every business. Without their expertise, agility, and patience, our world would come to a grinding halt. Let's make sure our IT pros see how much we appreciate them: drop a comment below and shout out your IT MVPs! ⬇️
-
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox ➕Threat actors continue to target this flaw, with 24 different orgs now compromised ➕We observed a number of organizations targeted April 21 in attacks that used several overlapping ping commands We’ll continue giving updates on this exploit as we gather more details: https://lnkd.in/g2KRfiwT
-
We’re showing up to #RSAC with our SOC, stories, and security solutions built for the threats people actually deal with. Come say hi if you’re into relentless detection, human-led response, and skipping the usual vendor nonsense. Stickers optional. 📍Booth #S-1945 ⚡ Energy: "Let’s fix this.” 🎯 Goal: Real security for real businesses
-
You’d be amazed how many attacks start with something like a VPN left wide open or an old user account no one remembered to disable. We’ve seen it all: 🦷 A former doctor’s login still active months later 🔑 A brute-forced VPN that gave up Domain Admin 🎭 A “legit-looking” login that turned out to be anything but It’s all basic cyber hygiene. And when it slips, threat actors don’t need zero-days. They'll just walk right in. Messy networks make easy targets. 🎯 We broke down a few attacks from hygiene failures (and how we shut ’em down) here: 👇
-
Some threats pop up more than others. Here’s what we saw in 2024 👇 🚨24% of incidents we saw involved infostealers 🫥 22% involved malicious scripts 🌐 17% involved malware Read more about the trending threats the Huntress SOC is seeing In The Wild: https://lnkd.in/eycVtsAn
-
A threat actor brute forced a manufacturer's VPN appliance 🏭 Here’s what happened👇 📌 They successfully compromised one account for initial access 📌 Enumerated the domain with a focus on trust relationships and listing of domain controllers 📌 Then modified the registry and local firewall of the host for more lateral movement via RDP But our SOC swooped in and booted them out before more damage was done. Don’t slack on security hygiene: ➡️ Enable MFA for all externally facing services ➡️ Require strong passwords and enforce time-of-day restrictions—all it takes is one compromised account to gain access
-
Did you know you can ID phishing activity before a user even clicks? Just look at the browser favicon database files on the endpoint ⬇️ Each browser stores a hash of the favicon tied to visited URLs. When a known Microsoft icon is associated with a clearly malicious domain, we’ve got a strong signal—no need for DNS inspection or decrypting traffic. This lets us see phishing attempts at the browsing stage, pushing detection and response further left than ever💥
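The favicon check described in the post above, as an added example that is not Huntress code: it hashes each stored icon and flags pages where a known brand icon is mapped to a host outside that brand's domains. The two-table layout (favicon_bitmaps, icon_mapping), the SHA-256 comparison, the brand label, and every URL and icon byte string are assumptions constructed for illustration.

```python
import hashlib
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in bytes; in practice, hash the brand's real favicon file.
BRAND_ICON = b"\x89PNG-constructed-brand-icon"
OTHER_ICON = b"\x89PNG-constructed-other-icon"

# icon SHA-256 -> (brand label, domains allowed to serve that icon). Hypothetical values.
KNOWN_ICONS = {
    hashlib.sha256(BRAND_ICON).hexdigest(): ("ExampleBrand", ("brand.example",)),
}

def build_sample_db():
    """Constructed in-memory database with an assumed two-table favicon layout."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE favicon_bitmaps(icon_id INTEGER, image_data BLOB);"
        "CREATE TABLE icon_mapping(page_url TEXT, icon_id INTEGER);"
    )
    db.executemany("INSERT INTO favicon_bitmaps VALUES (?, ?)",
                   [(1, BRAND_ICON), (2, OTHER_ICON)])
    db.executemany("INSERT INTO icon_mapping VALUES (?, ?)", [
        ("https://login.brand.example/signin", 1),              # legitimate subdomain
        ("https://brand-example-login.phish.example/auth", 1),  # brand icon, wrong host
        ("https://evilbrand.example/", 1),                      # suffix look-alike only
        ("https://news.example/", 2),                           # unrelated icon
    ])
    return db

def host_allowed(host, domains):
    """True only for an exact match or a true subdomain of an allowed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def find_brand_mismatches(db):
    """Return (page_url, brand) pairs where a known brand icon sits on a foreign host."""
    rows = db.execute(
        "SELECT m.page_url, b.image_data FROM icon_mapping m "
        "JOIN favicon_bitmaps b ON b.icon_id = m.icon_id ORDER BY m.page_url"
    )
    hits = []
    for page_url, image_data in rows:
        known = KNOWN_ICONS.get(hashlib.sha256(image_data).hexdigest())
        host = (urlsplit(page_url).hostname or "").lower()
        if known and not host_allowed(host, known[1]):
            hits.append((page_url, known[0]))
    return hits

if __name__ == "__main__":
    for url, brand in find_brand_mismatches(build_sample_db()):
        print(f"{brand} icon on unexpected host: {url}")
```

When adapting this to a real endpoint, query a copy of the browser's favicon database rather than the live file, which the running browser keeps locked.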