The Dangers of Storing Unencrypted Passwords

Sept. 15, 2025, 10:12 p.m.

Description

A threat actor exploited a SonicWall VPN vulnerability to gain initial access to an organization's network. The attacker found plaintext Huntress recovery codes stored on a user's desktop, which let them bypass MFA and sign in to the Huntress portal. From there they closed active incident reports and uninstalled Huntress agents from compromised systems. The attacker also exported certificates from the domain controller, potentially for further privilege escalation or persistence. The compromise was detected by Huntress' Security Operations Center, which initiated a mass isolation response to contain the threat. This incident highlights the critical importance of proper credential management and securely storing credentials and recovery codes, and the risks of keeping sensitive information in easily accessible plaintext files.

Date

  • Created: Sept. 15, 2025, 6:48 p.m.
  • Published: Sept. 15, 2025, 6:48 p.m.
  • Modified: Sept. 15, 2025, 10:12 p.m.

Indicators

  • 6f1192ea8d20d8e94f2b140440bdfc74d95987be7b3ae2098c692fdea42c4a69
  • 104.238.221.69

Attack Patterns