The Register

Careless engineer stored recovery codes in plaintext, got whole org pwned

Failing to encrypt sensitive data leaves you wide open to attack. During the recent SonicWall attack spree, intruders bypassed multi-factor authentication (MFA) in at least one case, because a user’s recovery codes were left sitting in a plaintext file on their desktop.

Using this access, Akira ransomware affiliates were able to kill victim organizations’ endpoint security tools, and steal credentials to impersonate privileged users and maintain persistent access to the compromised networks – in addition to infecting their computers with ransomware.

Having those recovery codes made the attackers' job extremely easy: they compromised the engineer's credentials and then pivoted to at least one other platform used by the victim org.

Huntress, which provides managed security services to small and mid-sized businesses plus managed service providers, spotted this nefarious activity playing out in one of its customers’ environments, and detailed the foul play in a Monday blog.

After breaking in via the org's SonicWall VPN, the attacker found a plaintext file containing Huntress recovery codes located on an internal security engineer's desktop.

“These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access,” Huntress security ops analyst Michael Elford and response analyst Chad Hudson said.

“If compromised, they effectively allow an attacker to circumvent MFA entirely, impersonate the legitimate user, and gain full access to the Huntress console, significantly increasing the risk of further compromise or tampering with detection and response capabilities,” they added.

Naturally, the ransomware crew used these codes to access the Huntress portal. Once inside, they started resolving active incident reports and de-isolating hosts, and even initiated uninstalls of Huntress agents. That activity prompted Elford to contact the customer and ask why the security engineer's account was closing reports and marking incidents as resolved.

“Huntress Support received confirmation from the partner: the activity attributed to the security engineer account was not performed by their personnel,” the duo wrote. “This revelation confirmed the threat actor had leveraged compromised credentials and recovery codes to access the Huntress portal.”

Closing the alerts allowed the attackers to remain hidden for longer, thus giving them more time to snoop around the compromised environment, and they also attempted to remove the organization’s endpoint security tools.

The takeaway here is that recovery codes and credentials should not be stored in plaintext, and the Huntress analysts recommend using an encrypted password manager with a strong passphrase – and no autofill. If you can’t use a digital password manager, then store these secrets in an encrypted, password-protected file on an encrypted USB drive or hard disk.

And regardless of whether they are stored offline or in a password manager, make sure to rotate these codes every so often and monitor logs for any unusual login activity – even if it appears to come from within the organization, as was the case with this particular incident. ®
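The log monitoring the analysts recommend can be made concrete. The following is an added example, not code from Huntress or from this article: it scans a constructed console audit log (the JSON field names and event names are assumptions for illustration, not any vendor's real schema) and flags sessions that authenticated with a recovery code and were then followed by a burst of the teardown actions described above, which are resolving incidents, de-isolating hosts, and uninstalling agents.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form. Field and event names are
# assumptions for this example, not the real format of any vendor's console.
SAMPLE_LOG = """
{"ts":"2025-10-06T02:11:05Z","user":"sec.engineer","session":"s1","event":"login","method":"recovery_code","src":"10.20.30.40"}
{"ts":"2025-10-06T02:12:10Z","user":"sec.engineer","session":"s1","event":"incident_resolved","src":"10.20.30.40"}
{"ts":"2025-10-06T02:12:14Z","user":"sec.engineer","session":"s1","event":"incident_resolved","src":"10.20.30.40"}
{"ts":"2025-10-06T02:12:31Z","user":"sec.engineer","session":"s1","event":"host_deisolated","src":"10.20.30.40"}
{"ts":"2025-10-06T02:13:02Z","user":"sec.engineer","session":"s1","event":"agent_uninstall","src":"10.20.30.40"}
{"ts":"2025-10-06T09:00:00Z","user":"soc.analyst","session":"s2","event":"login","method":"totp","src":"10.20.30.41"}
{"ts":"2025-10-06T09:05:00Z","user":"soc.analyst","session":"s2","event":"incident_resolved","src":"10.20.30.41"}
"""

# Actions that blind or weaken detection and response if an intruder performs them.
DEFENSIVE_TEARDOWN = {"incident_resolved", "host_deisolated", "agent_uninstall"}


def parse(log_text):
    """Yield audit records with the timestamp converted to a datetime."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def flag_sessions(log_text, window=timedelta(minutes=30), threshold=3):
    """Return {session_id: details} for sessions worth an analyst's attention.

    A session is flagged when its login used a recovery code (MFA bypass path),
    or when at least `threshold` teardown actions occur within `window` of login.
    Both together are rated high severity, as in the incident described above.
    """
    by_session = defaultdict(list)
    for rec in parse(log_text):
        by_session[rec["session"]].append(rec)

    flagged = {}
    for sid, recs in by_session.items():
        logins = [r for r in recs if r["event"] == "login"]
        if not logins:
            continue
        login = logins[0]
        used_recovery_code = login.get("method") == "recovery_code"
        teardown = [r for r in recs
                    if r["event"] in DEFENSIVE_TEARDOWN and r["ts"] - login["ts"] <= window]
        if used_recovery_code or len(teardown) >= threshold:
            severity = "high" if used_recovery_code and len(teardown) >= threshold else "review"
            flagged[sid] = {"user": login["user"], "severity": severity,
                            "teardown_actions": len(teardown)}
    return flagged
```

Running `flag_sessions(SAMPLE_LOG)` flags only session `s1` at high severity; the analyst's normal TOTP login in `s2` resolves one incident and is left alone.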
