Ransomware crims broke in, found recovery codes in plaintext
Briefly

"These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access," Huntress security ops analyst Michael Elford and response analyst Chad Hudson said. "If compromised, they effectively allow an attacker to circumvent MFA entirely, impersonate the legitimate user, and gain full access to the Huntress console, significantly increasing the risk of further compromise or tampering with detection and response capabilities," they added.
After breaking in via the org's SonicWall VPN, the attacker found a plaintext file containing Huntress recovery codes located on an internal security engineer's desktop. Naturally, the ransomware crew used these codes to access the Huntress portal, and then they started resolving active incident reports and de-isolating hosts, even initiating uninstalls of Huntress agents, prompting Elford to contact the customer and ask why the security engineer's account was closing reports and marking incidents as resolve
An attacker gained initial access through the organization's SonicWall VPN and found a plaintext file of Huntress recovery codes on an internal security engineer's desktop. Because recovery codes are a built-in MFA bypass, the attacker used them to log into the Huntress console as that engineer without ever touching the real second factor. From there the intruders resolved open incident reports, de-isolated hosts, and initiated uninstalls of Huntress agents, degrading the detection and response tooling before the next stage. They then killed endpoint security tools, stole credentials to impersonate privileged users, maintained persistent access, pivoted to additional platforms, and ultimately enabled ransomware deployment by Akira affiliates. Huntress spotted the anomalous account behavior (a security engineer's account closing reports and marking incidents resolved) and contacted the customer, which started the investigation. The practical lesson is that MFA recovery codes are credentials equivalent to the MFA factor itself: they belong in a password manager or an offline store with the same protection as the account password, never in a plaintext file on a workstation reachable over the VPN.
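The tell that surfaced this intrusion was behavioral: one account logging in with a recovery code and then rapidly undoing detection and response state. The following is an added example written for this page, not code from The Register, Huntress, or the affected customer. It runs a small detection over a constructed, pipe-delimited audit log whose schema (timestamp, actor, action, target, auth method) and action names are assumptions for illustration, not Huntress' real audit format. It flags any console login that used a recovery code, and any account that performs three or more posture-weakening actions (resolving incidents, de-isolating hosts, uninstalling agents) inside a ten-minute sliding window.

```python
"""Toy detection over constructed security-console audit events.

Illustrates the pattern Huntress responded to: one account, authenticated with a
recovery code rather than a normal MFA factor, rapidly resolving incidents,
de-isolating hosts and uninstalling agents. The event schema and sample lines
below are constructed for this example; they are not Huntress' real audit format.
"""
from collections import deque
from datetime import datetime, timedelta

# Actions that weaken detection/response posture. A burst of these from one
# account deserves a human look, whoever the account belongs to.
POSTURE_WEAKENING = {"incident.resolve", "host.deisolate", "agent.uninstall"}

# Constructed sample audit log (hypothetical format). One event per line:
# ISO timestamp | actor | action | target | auth method used for the session
SAMPLE_LOG = """\
2025-09-30T02:11:04Z|sec.engineer|login|console|recovery_code
2025-09-30T02:12:10Z|sec.engineer|incident.resolve|INC-1041|recovery_code
2025-09-30T02:12:31Z|sec.engineer|incident.resolve|INC-1042|recovery_code
2025-09-30T02:13:02Z|sec.engineer|host.deisolate|FILESRV01|recovery_code
2025-09-30T02:13:40Z|sec.engineer|host.deisolate|DC01|recovery_code
2025-09-30T02:14:15Z|sec.engineer|agent.uninstall|DC01|recovery_code
2025-09-30T09:05:00Z|soc.analyst|login|console|totp
2025-09-30T09:30:12Z|soc.analyst|incident.resolve|INC-1043|totp
2025-09-30T14:02:45Z|soc.analyst|host.deisolate|WKS-22|totp
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, auth = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "action": action,
            "target": target,
            "auth": auth,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, burst_threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert strings.

    Rule 1: any console login that used a recovery code is flagged. Recovery
            codes are an MFA bypass by design, so their use should be rare and
            confirmed out of band with the account owner every time.
    Rule 2: burst_threshold or more posture-weakening actions by one actor
            inside a sliding window is flagged once per actor.
    """
    alerts = []
    recent = {}            # actor -> deque of recent posture-weakening timestamps
    already_burst = set()  # actors already alerted on, to avoid repeats
    for e in events:
        if e["action"] == "login" and e["auth"] == "recovery_code":
            alerts.append(
                f"{e['actor']}: console login via recovery code at {e['ts']:%H:%M:%SZ}"
            )
        if e["action"] in POSTURE_WEAKENING:
            q = recent.setdefault(e["actor"], deque())
            q.append(e["ts"])
            # Drop events that fell out of the sliding window.
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold and e["actor"] not in already_burst:
                already_burst.add(e["actor"])
                alerts.append(
                    f"{e['actor']}: {len(q)} posture-weakening actions within "
                    f"{int(window.total_seconds() // 60)} min "
                    f"(latest: {e['action']} on {e['target']})"
                )
    return alerts


def run_sample():
    """Run the detection over the constructed log; the SOC analyst's normal
    working-hours activity is spread out and stays below the burst threshold."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

The two rules are deliberately independent: a recovery-code login is worth a call to the account owner even when nothing else follows, and a burst of de-isolation or uninstall actions is worth a look even from a session that authenticated normally, since the attackers in this case also stole credentials to impersonate privileged users.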
Read at The Register