Current Cyber Threats

Huntress Threat Advisory: The Dangers of Storing Unencrypted Passwords

Summary:
Huntress’s Security Operations Center (SOC) responded to an Akira ransomware attack after detecting several administrative users executing commands to delete shadow volume copies across multiple hosts within an organization. In response, the SOC team isolated the affected systems to prevent the entire network from being encrypted. Initial access was achieved through the exploitation of a vulnerable SonicWall VPN device. From there, the actors enumerated administrative shares on the domain controller in search of sensitive data, and came across Huntress recovery codes stored in a plaintext file on an internal system.

“These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access. If compromised, they effectively allow an attacker to circumvent MFA entirely, impersonate the legitimate user, and gain full access to the Huntress console, significantly increasing the risk of further compromise or tampering with detection and response capabilities,” notes Huntress in its blog post.

The actors were then observed using the recovery codes to bypass MFA and access Huntress’s client security portal. Once inside, they began resolving active incident reports to suppress visibility and hinder the organization’s response. They also attempted to uninstall Huntress agents from compromised systems to remove endpoint protection.

Security Officer Comments:
The latest incident serves as a reminder of the risks associated with improperly storing credentials and recovery codes. In this case, Huntress recovery codes were found in plaintext on a security engineer’s desktop. This single point of failure enabled the actors to bypass MFA, impersonate a privileged user, and effectively disable security defenses.

Suggested Corrections:
Organizations should treat recovery codes with the same sensitivity as privileged account passwords. Here are some recommended practices for securing recovery codes and credentials.
  • Avoid plaintext storage: Don’t save recovery codes in unprotected text files, shared drives, or unsecured folders.
  • Use a password manager: Store recovery codes and credentials in an encrypted password manager with a strong passphrase (and without autofill).
  • Encrypt offline storage: If you’re unable to use a digital password manager, store codes in an encrypted, password-protected file on an encrypted USB drive or hard disk.
  • Rotate and monitor: Periodically regenerate recovery codes where the platform supports it, and monitor account logins for unusual activity.
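The behaviour that tipped off the SOC in the summary above, several admin accounts deleting shadow copies across multiple hosts, is a useful thing to alert on before encryption starts. The following is an added example, not code from Huntress or the advisory, that runs a simple correlation over constructed process-execution telemetry; the shadow-copy deletion command patterns and the log format are assumptions.

```python
import re
from collections import defaultdict

# Command-line patterns commonly used to delete Volume Shadow Copies (assumed
# patterns; the advisory names the behaviour, not the exact commands).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
]

# Constructed sample telemetry, one event per line: "timestamp host user command".
SAMPLE_EVENTS = """\
2024-01-01T01:00:00Z DC01 CORP\\adm.smith vssadmin.exe delete shadows /all /quiet
2024-01-01T01:00:05Z FS01 CORP\\adm.smith wmic shadowcopy delete
2024-01-01T01:00:09Z WS07 CORP\\adm.smith cmd.exe /c vssadmin delete shadows /all
2024-01-01T01:02:00Z FS02 CORP\\adm.jones powershell Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
2024-01-01T01:05:00Z WS12 CORP\\bob notepad.exe recovery-codes.txt
2024-01-01T01:06:00Z BK01 CORP\\svc.backup vssadmin list shadows
"""

def parse_event(line):
    """Split one telemetry line into its four fields (command may contain spaces)."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def is_shadow_deletion(cmd):
    """True when the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)

def find_shadow_deletion_spread(events, min_hosts=2):
    """Return {user: sorted hosts} for users that deleted shadow copies on at
    least min_hosts distinct hosts; a single host is noisy, a spread across
    hosts is the pre-encryption pattern described in the advisory."""
    hosts_by_user = defaultdict(set)
    for ev in events:
        if is_shadow_deletion(ev["cmd"]):
            hosts_by_user[ev["user"]].add(ev["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    for user, hosts in find_shadow_deletion_spread(events).items():
        print(f"ALERT: {user} deleted shadow copies on {len(hosts)} hosts: {hosts}")
```

In production the same correlation would run over EDR or Sysmon process-creation events and would be paired with an automatic isolation action, which is what the SOC did here.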
Link(s):
https://www.huntress.com/blog/dangers-of-storing-unencrypted-passwords