I have a lot to be thankful for in 2020 — and it starts with the MSP community.

Thanksgiving 2015: I was a punk with hacking skills but hardly knew SMB security (let alone MSPs). The MSP community had SMB skills but hardly knew security (let alone hacking).

Thanksgiving 2020: I’m still a punk, but my hacking skills have helped educate 10,000+ aspiring MSP teams. The MSP community still knows SMBs, but their security skills are helping protect 100,000+ businesses.

It’s easy to say 2020 was a flop, but I couldn’t be more thankful for the growing community dedicated to…


We are no longer battling against the classic Hollywood depiction of cyber criminals. Hackers are now acting at the same maturity level as leading software vendors — using advanced automation tactics to find their next targets, making it easier to deploy and scale their attacks, and innovating faster than ever. They’re even packaging their skills and services and selling them to the highest bidder on the dark web.

One of the most common targets of phishing and business email compromise is Microsoft/Office 365 credentials. Although most security geeks would focus on the technical wizardry it takes to conduct these attacks…


Update 1/26/2020: MITRE assigned CVE-2020-7984 for this vulnerability.

Update 12:55pm 1/24/2020: SolarWinds has released two hotfixes for the vulnerabilities! You can find these fixes on their support website. According to the documentation, these hotfixes temporarily disable N-central’s device auto-import feature. A future release will re-enable the feature.

• 12.1 SP1 HF5: https://community.solarwindsmsp.com/Support/Software-Downloads/MSP-N-Central/MSP-N-central-12-1-SP1-HF5
• 12.2 SP1 HF2: https://community.solarwindsmsp.com/Support/Software-Downloads/MSP-N-Central/MSP-N-central-12-2-SP1-HF2

Update 10:58am 1/24/2020: SolarWinds has published some mitigation instructions to expunge the credentials from the N-central service. This should clear the passwords that attackers are able to extract using the Dumpster Diver vulnerability. As with most mitigations, this brings with it some impact…


We’ve updated each section with additional information we gained from discussions with Bishop Fox and with the ConnectWise Control team. Additionally, ConnectWise released a summary matrix of the analyses and their own response.

In computer security, responsible disclosure is a vulnerability disclosure model in which an issue is publicly disclosed only after a period of time that allows for the affected party to patch/resolve the problem in a reasonable amount of time. For most bugs that are not being actively exploited, this period usually lasts 90–120 days. …


This week we had the opportunity to help an MSP partner contain and remediate an Emotet/TrickBot infection that impacted a client with 50+ computers and servers. Considering how quickly TrickBot reinfects systems and drops ransomware, this was the perfect opportunity to kick the tires on our new Assisted Remediation beta feature — which was designed to combat this exact scenario. Keep reading for a play-by-play of how this incident unfolded.

Introducing the Situation

Network Titan’s day started out with a bang when Huntress detected TrickBot on 23 of 55 systems within one of their clients’ networks. This created a separate incident report for…


There’s not a day that goes by where I don’t hear cringe-worthy stories of sales tactics peddling FEAR, UNCERTAINTY, and DOUBT (FUD) to close deals. Within the cybersecurity industry, it’s such a common practice you can find numerous pleas to “cut the crap”. See: Forbes, CRN, Help Net Security and Security Week.

As a technical founder of a product startup, I’m as anti-FUD as it gets. However, the past three years have taught me how education can be a snake-oil free alternative.

Demonstrate what’s actually happening to businesses in your prospects’ demographic and they will determine how it applies to…


Periodically, a large-scale cybersecurity issue requires “all hands on deck” from the Huntress Team (see WannaCry, Kaseya Cryptominer, GandCrab outbreak). The unfolding ASUS Live Update fiasco also happens to be one of those moments. We’ve created this blog to provide simple answers to a complex supply chain attack affecting global IT departments.

Situation Overview

The hardware manufacturer ASUS included an application on all of their Windows devices called Live Update. Between June and November 2018, hackers compromised ASUS’ automatic updating infrastructure and pushed backdoored updates via the Live Update software. …


Hilarious work by Adam Koford: https://twitter.com/apelad/status/814160096074735616

I was recently tagged in a Twitter thread about an obscure DOS feature in relation to auto-launching applications (commonly called persistence in offensive cyber security). Although the topic was addressed before I had a chance to respond, user @ivladdalvi brought up a secondary issue which felt a bit like a challenge:

A Quick History Lesson

For those not familiar, AUTOEXEC.BAT was a file executed by the DOS command processor at startup. Within early Windows NT operating systems, this functionality changed slightly so that AUTOEXEC.BAT was parsed at user logon. …


Preventive security products like antivirus have made major strides in their ability to detect malicious behaviors as opposed to weak/static signatures. When implemented properly, these heuristics are capable of discovering even the most cleverly obfuscated routines. But don’t ring the victory bells yet. This cat-and-mouse game is just getting started…

Like all malware-related activity, hackers are prepared to “up their ante” when faced with adversity. Take phishing for example. Hackers started attaching .EXE files and naming them something interesting like Taxes.exe. As a response, system administrators advised users to “never open attachments without familiar icons”. In response, hackers simply…


Every so often, the Huntress ThreatOps Team receives questions from our partners asking for our perspective on IT security and malware-related issues. We typically respond with quick, tactical feedback and close the ticket afterwards. However, many of these responses are great lessons to learn from. With that in mind, we proudly present our very first Ask Huntress response.

The Backstory

Today’s request came from a partner looking for feedback on how to defend against a campaign of phishing emails that slipped past their anti-spam solution. …

Kyle Hanslovan

Ethical Hacker. Malware Connoisseur. CEO at @HuntressLabs.
