In a recent cybersecurity incident, attackers exploited a plaintext file containing sensitive recovery codes to escalate their access within an organization’s network, leading to the deployment of Akira ransomware. This case underscores the critical risks associated with storing confidential information in unprotected formats.
Initial Breach via SonicWall VPN
The intrusion began when threat actors gained access through a compromised SonicWall VPN device. Once inside, they discovered a plaintext file on a user’s desktop labeled `Huntress_recovery_codes-
Detection and Containment Efforts
The Huntress Security Operations Center (SOC) in the Asia-Pacific region detected unusual behavior when multiple administrative accounts executed commands to delete shadow copies across several hosts. Recognizing the potential threat, analysts initiated a mass isolation of systems to prevent further damage.
Further investigation revealed that the Akira ransomware binary, `w.exe`, had been executed from a user’s desktop, resulting in the encryption of that workstation. Prompt containment measures successfully prevented the ransomware from spreading throughout the entire network.
Attackers’ Tactics and Techniques
Event log analysis indicated that the compromised user accounts were accessed from internal IP addresses within the 192.168.x.x range. These addresses were likely assigned via DHCP to systems controlled by the attackers after they breached the SonicWall VPN. By using internal IP addresses, the attackers blended in with legitimate network traffic, evading endpoint detection and response (EDR) solutions, as the rogue systems lacked security agents and appeared as trusted internal sources.
During the investigation, analysts observed the attackers executing commands to list and export certificates from the local certificate store on the Domain Controller (DC). Specifically, the command `certutil -store My` was used to enumerate certificates in the personal store, which could contain sensitive keys for authentication, encryption, or signing. The attackers then exported a certificate in PFX format, including both public and private keys. If such a certificate is used for user or device authentication, its compromise could allow attackers to impersonate legitimate users or machines, facilitating credential theft and lateral movement within the network.
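The two behaviours described above, shadow-copy deletion fanning out across hosts and accounts, and certificate-store enumeration followed by a PFX export, can be turned into a simple detection. The example below is added here and is not Huntress code; it runs over constructed process-creation events (field names and timestamps are assumptions) and raises a mass-isolation flag when shadow-copy deletion appears on at least two hosts under at least two accounts inside a short window.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the incident report).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T02:00:00", "host": "WS01", "user": "CORP\\admin1",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-01T02:01:10", "host": "WS02", "user": "CORP\\admin2",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2024-01-01T02:01:30", "host": "DC01", "user": "CORP\\admin2",
     "cmd": "certutil -store My"},
    # Constructed PFX export; the report only states a PFX export occurred.
    {"ts": "2024-01-01T02:02:00", "host": "DC01", "user": "CORP\\admin2",
     "cmd": "certutil -exportPFX My <serial> cert.pfx"},
    # Benign: listing shadow copies is routine for backup software.
    {"ts": "2024-01-01T09:00:00", "host": "WS03", "user": "CORP\\backupsvc",
     "cmd": "vssadmin.exe list shadows"},
]

SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
CERT_ACCESS = re.compile(r"certutil(\.exe)?\s+.*(-store\s+My|-exportPFX)", re.I)

def classify(cmd):
    """Tag a command line with the technique it matches, or None."""
    if SHADOW_DELETE.search(cmd):
        return "shadow_copy_deletion"
    if CERT_ACCESS.search(cmd):
        return "cert_store_access"
    return None

def detect(events, window=timedelta(minutes=10)):
    """Return tagged hits plus a mass-deletion flag for isolation decisions."""
    hits = [dict(e, tag=classify(e["cmd"])) for e in events if classify(e["cmd"])]
    shadow = sorted((h for h in hits if h["tag"] == "shadow_copy_deletion"),
                    key=lambda h: h["ts"])
    mass = False
    for h in shadow:
        t0 = datetime.fromisoformat(h["ts"])
        group = [g for g in shadow
                 if t0 <= datetime.fromisoformat(g["ts"]) <= t0 + window]
        # Several admin accounts deleting shadows on several hosts at once
        # is the pattern that justified mass isolation in this case.
        if len({g["host"] for g in group}) >= 2 and len({g["user"] for g in group}) >= 2:
            mass = True
            break
    return {"hits": hits, "mass_shadow_deletion": mass,
            "affected_hosts": sorted({h["host"] for h in shadow}),
            "tags": Counter(h["tag"] for h in hits)}
```

Feeding real Sysmon Event ID 1 or Security 4688 records into `detect` only requires mapping their fields to `ts`, `host`, `user` and `cmd`.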
The Dangers of Storing Credentials in Plaintext
The discovery of the plaintext file containing recovery codes highlights the significant risks associated with storing sensitive credentials in easily accessible formats. Recovery codes are a backup method for satisfying MFA when the primary factor is unavailable, so their compromise effectively grants an attacker full access to security consoles, allowing them to tamper with detection and response capabilities.
In this case, the attackers used the stolen recovery codes to access the Huntress portal, where they manually closed incident reports and initiated the uninstallation of Huntress agents from compromised systems to suppress visibility and hinder the response. This sequence of events underscores how improperly stored recovery codes can become a single point of failure, allowing an attacker to bypass MFA and gain privileged access.
Recommendations for Secure Credential Storage
To mitigate the risks associated with storing sensitive credentials in plaintext, organizations should adopt the following best practices:
– Avoid Plaintext Storage: Do not save recovery codes, passwords, or other sensitive information in unprotected text files or on shared drives.
– Use a Password Manager: Store codes and credentials in an encrypted password manager with a strong master password.
– Encrypt Offline Storage: If offline storage is necessary, ensure the file is encrypted and password-protected on an encrypted drive.
– Rotate and Monitor: Periodically regenerate recovery codes and monitor for unusual login activity to detect potential compromises.
Indicators of Compromise
Organizations should be vigilant for the following indicators of compromise associated with this attack:
– Ransomware Executable: `w.exe`
– SHA256 Hash: `6f1192ea8d20d8e94f2b140440bdfc74d95987be7b3ae2098c692fdea42c4a69`
– Attacker IP Address: `104.238.221[.]69`
– Certificate Export File: `cert.pfx`
Conclusion
This incident serves as a stark reminder of the critical importance of secure credential storage and the dangers of storing sensitive information in plaintext. Organizations must implement robust security practices to protect against such vulnerabilities and prevent attackers from exploiting easily accessible credentials to escalate their access and deploy malicious payloads like ransomware.