huntress.com
Huntress
@huntress.com
350 followers 15 following 69 posts
Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.
A construction company recently suffered a VPN brute-force attack, but didn't have SIEM monitoring!

The absence of a SIEM led to an 18-minute gap, giving the attacker enough time to attempt to steal credentials - but fortunately the Huntress EDR shut it down.

Timeline of the Attack:
🕛 00:45:43 UTC – VPN Compromise
➡️ A brute-force attack led to initial access. This was discovered through retrospective forensic analysis
➡️ Huntress' SIEM would have caught this had it been deployed in the network

🕐 01:03:29 UTC – EDR detects credential theft
➡️ reg save hklm\system system
➡️ C:\Users\<redacted>\AppData\Local\Temp\lazagne.exe all

🕐 01:11:10 UTC – Huntress neutralises the intrusion

Key Takeaways:
👉 SIEM Would Have Stopped This Early – brute force detections are only in the SIEM, not the EDR.
👉 EDR Detected the threat actor on their Windows-based attack phase – The 18-minute gap gave attackers time to act.

🛡️ Defensive Actions:
👉 Deploy a SIEM and detect on it – Catch brute force attempts before successful access.
👉 Enable MFA on VPN – Stop compromised credentials from granting access.
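The "deploy a SIEM and detect on it" takeaway, as an added example that is not Huntress code: a sliding-window rule over constructed VPN authentication events that raises one alert when a source crosses a failure threshold and a second when that same source then logs in successfully, which is the point at which the 18-minute gap would have closed. The log format, user names and addresses are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not telemetry from the incident).
# Format: "<UTC timestamp> user=<name> src=<ip> result=<FAIL|SUCCESS>"
SAMPLE_LOG = [
    f"2025-05-01 00:4{i // 60}:{i % 60:02d} user=jsmith src=203.0.113.7 result=FAIL"
    for i in range(0, 240, 6)  # 40 failures, one every 6 s from 00:40:00 to 00:43:54
] + [
    "2025-05-01 00:45:43 user=jsmith src=203.0.113.7 result=SUCCESS",  # the break-in
    "2025-05-01 00:46:10 user=alice src=198.51.100.4 result=SUCCESS",  # normal login
    "2025-05-01 00:47:01 user=bob src=198.51.100.9 result=FAIL",       # one typo
    "2025-05-01 00:47:30 user=bob src=198.51.100.9 result=SUCCESS",
]

LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def detect_bruteforce(lines, threshold=10, window_minutes=10):
    """Raise BRUTE_FORCE once a source reaches `threshold` failures inside the window,
    and BRUTE_FORCE_SUCCESS if that source then logs in while the burst is still live."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()              # sources currently in a brute-force burst
    alerts = []                  # (rule, time, src, user, failures_in_window)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, src, result = rec
        q = fails[src]
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if not q:
            flagged.discard(src)          # burst is over once nothing remains in window
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", ts, src, user, len(q)))
        elif src in flagged:
            alerts.append(("BRUTE_FORCE_SUCCESS", ts, src, user, len(q)))
            flagged.discard(src)
    return alerts
```

On the sample data the first alert fires at the tenth failure (00:40:54), minutes before the 00:45:43 success that the EDR alone could not see.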
Our SOC tackled an attempted ransomware intrusion tied to Makop ransomware tactics. Here’s what went down 👇

🎯 Initial Entry Point: Brute-forced an exposed RDP service (don’t skip reviewing your external perimeters!).
🗺️ Enumeration & Credential Targeting: Ran a network scan using netscan.exe.

🔑 Followed up with brute-force credential attacks tied to known Makop tooling.
🚀 Lateral Movement & Persistence: Deployed a renamed Mesh Agent via PsExec.
🔍 Attempted to disguise their remote access tool as a benign binary (wvspbind.exe).

🔥 RDP Enabled for Further Access: Modified the firewall to reopen RDP using CLI commands.

If you see renamed remote access binaries or odd PsExec usage, you may be facing more than a nuisance script kiddie.

These behaviours echo Makop ransomware, and they're often paired with attempts to gain long-term footholds via remote access tools.

We have observed these tactics in previous incidents and were able to catch and neutralize the threat to this IT org before it could wreak havoc.
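Added example, not Huntress code: a small process-command-line rule set in the spirit of the EDR detections in these stories. It flags the credential-theft commands from the construction-company timeline (reg save of the SYSTEM hive, LaZagne) and the RDP re-enablement described in the Makop and manufacturer stories, then groups hits by host so an analyst sees how far each host got. The events, host names and the exact netsh/registry command forms are constructed; the rules are illustrative, not Huntress's own.

```python
import re

# Constructed process-creation events (not telemetry from the incidents above).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system system"},
    {"host": "WS01", "image": r"C:\Users\user\AppData\Local\Temp\lazagne.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\lazagne.exe all"},
    {"host": "FS01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"host": "FS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion"},   # benign
    {"host": "WS02", "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe --update"},
]

# (rule name, attack stage, pattern). Patterns are deliberately narrow: they target the
# exact command shapes seen in the stories, not every use of reg.exe or netsh.exe.
RULES = [
    ("hive_dump", "credential_theft",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(?:sam|system|security)\b", re.I)),
    ("lazagne", "credential_theft", re.compile(r"\blazagne(?:\.exe)?\b", re.I)),
    ("rdp_firewall_open", "rdp_enablement",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop"\s+new\s+enable=yes', re.I)),
    ("rdp_registry_enable", "rdp_enablement",
     re.compile(r"fDenyTSConnections\b.*/d\s+0\b", re.I)),
]

def scan_events(events):
    """Return one finding (host, rule_name, cmdline) per event that matches a rule."""
    findings = []
    for ev in events:
        for name, _stage, pattern in RULES:
            if pattern.search(ev["cmdline"]) or pattern.search(ev["image"]):
                findings.append((ev["host"], name, ev["cmdline"]))
                break  # first matching rule is enough for triage
    return findings

def stages_by_host(findings):
    """Map each host to the set of attack stages its findings indicate, so an analyst
    can see which hosts reached credential theft and which had RDP re-enabled."""
    stage_of = {name: stage for name, stage, _ in RULES}
    out = {}
    for host, name, _ in findings:
        out.setdefault(host, set()).add(stage_of[name])
    return out
```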
🚨 Samsung MagicINFO 9 Server (v21.1050.0) is still vulnerable to a publicly available PoC.

We’ve observed active exploitation in the wild. Ensure your server is not internet-facing until a proper fix is available.

Full details + mitigation steps ➡️ bit.ly/44nkzhL
I've confirmed Samsung's MagicINFO 21.1050 is VULNERABLE to the publicly reported POC in the blog below.

ssd-disclosure.com/ssd-advisory...

The media is reporting this as CVE-2024-7399, but if it is then the patch is incomplete. There is currently NO PATCH AVAILABLE!
We’ve shared many stories about exposed RDP without MFA. Why? Because it’s common AF, and threat actors waste no time exploiting it.

What makes this SOC Story from a dental facility stand out: in under 30 minutes, the attack went from initial access to attempted ransomware deployment.

The bad guys authenticated using a suspicious IP and workstation name. But as you check out below, they began to stage files in the “Music” directory on the host.

Moving quickly, they pivoted to deleting shadow copies to prevent recovery after encryption.

At this point, Defender triggered alerts for ransomware deployment, and Managed EDR, powered by our expert SOC, swiftly isolated the network to stop lateral movement and prevent further encryption.

💡 Key lessons for IT pros:
🎯 Always place exposed RDP behind a VPN and enable MFA
🎯 Enforce strong passwords across all user accounts
🎯 Disable unused accounts that haven’t been touched for 30+ days
Introducing Celestial Stealer, a notorious infostealer with a surprising connection to Huntress.

[email protected] is a modern-day Doc Holliday. A lawman so feared that threat actors flee at the mere mention of his name…

When notorious infostealer “Celestial Stealer” spots specific names, it shuts down, and one of those belongs to one of our own - @jaiminton.com.

Wanna use Celestial Stealer to hack a business protected by Huntress? You're a daisy if you do.
🐶 A vulnerability left an animal care facility wide open, and an attacker didn’t hesitate to pounce. Here’s how it unfolded 👇

✅ The attacker used a compromised VPN account (no MFA) to log in with a malicious device.
✅ Explored the network, hid findings in a shady folder, & dug through browser cookies for auth info.
✅ Files were staged on the network file server, ready for exfiltration or encryption.

With SIEM and EDR in place, our SOC acted fast.

By combining Active Directory and VPN telemetry, we tracked the compromised account and launched network-wide isolation, shutting down lateral movement and blocking potential ransomware.

How can you avoid incidents like these? 🔽

➡️ Enable MFA on all VPN logins (no exceptions).
➡️ Use IP restrictions to block unused locations.
➡️ Monitor and centralize VPN telemetry.
➡️ Commit to strong password policies.
Reposted by Huntress
Some good takeaways from @huntress.com’s recent Tradecraft Tuesday ft. Patrick Wardle:
-The impact of Apple bringing TCC events to Endpoint Security
-#Mac malware persistence techniques vs BTM
-Security alert inundation for #macOS users
Catch up here ⤵️
www.huntress.com/blog/say-hel...
Say Hello to Mac Malware | Huntress
In this month’s Tradecraft Tuesday, we talked about how threat actors are finetuning their macOS malware in order to maintain persistent access and avoid detection by Apple’s security features.
www.huntress.com
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox.

➕ Threat actors continue to target this flaw with 24 different orgs now compromised
➕ We observed several organizations targeted on April 21 in attacks that used several overlapping ping commands

We’ll continue giving updates on this exploit as we gather more details: www.huntress.com/blog/cve-202...
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild | Huntress
Huntress has observed in the wild exploitation against CVE-2025-30406, a weakness due to hardcoded cryptographic keys.
www.huntress.com
A threat actor brute forced a manufacturer's VPN appliance 🏭 Here’s what happened 👇

📌 Successfully compromised one account for initial access
📌 Enumerated the domain, focusing on trust relationships and domain controllers
📌 Modified the registry and local firewall to enable lateral RDP movement

But our SOC swooped in and booted them out before more damage was done.

Don’t slack on security hygiene:
➡️ Enable MFA for all externally facing services
➡️ Require strong passwords and enforce time-of-day restrictions—all it takes is one compromised account to gain access