The Hidden Danger of Plain-Text Backup Codes
Huntress has published a detailed account of an incident in which attackers, having exploited a vulnerable SonicWall VPN, gained access to the management console and nearly stripped the organization of its defensive capabilities by using backup codes stored in plain text. Events unfolded rapidly: prompt detection of the intrusion helped partially contain the spread of the Akira ransomware and preserved portions of the infrastructure from complete encryption.
During the investigation, the region’s SOC observed a surge of administrative commands deleting shadow copies across numerous hosts, and responders initiated broad host isolation to halt further propagation. On one desktop, an Akira binary named w.exe succeeded in encrypting the local machine, but the swift, large-scale segmentation prevented the malicious payload from activating elsewhere in the network.
A number of user accounts were compromised from internal addresses in the 192.168.x.x range — addresses that went unchallenged because DHCP had assigned them to systems controlled by the attackers after the VPN compromise. This tactic complicates detection because the traffic appears as legitimate internal activity and evades standard endpoint protections.
Further inspection of the domain controller revealed that the adversaries had enumerated and exported certificates from the local store using certutil. Export to PFX includes private keys; when such certificates are used for authentication, their theft enables attackers to impersonate legitimate users or devices and to escalate and broaden access.
While probing administrative resources, the attackers discovered on an engineer’s desktop a file containing Huntress portal backup access codes. These codes serve as a bypass for multifactor authentication and, once compromised, grant full console access without additional verification. After authenticating with the codes, actors from IP 104.238.221[.]69 — previously linked to SonicWall attacks — manually closed active incidents, revoked isolations, and initiated removal of Huntress agents, seeking to blind monitoring and reduce the visibility of their activity.
Huntress analysts were able to replay the intruder’s actions in the portal and documented mass agent removals over the preceding seven days. The incident starkly illustrates the imperative to protect not only primary credentials but also contingency access mechanisms: backup codes stored in plaintext become a single point of failure, permitting MFA bypass, hijacking of privileged accounts, and neutralization of defensive controls.
Mitigation recommendations for similar incidents:
• Never store backup codes or credentials in unencrypted text files or shared folders.
• Use encrypted password managers protected by a strong master passphrase, and disable autofill for critical entries.
• If a password manager is unavailable, keep codes in an encrypted container on external media protected by a passphrase.
• Rotate backup codes regularly when feasible, and monitor authentication logs for unusual sign-ins.
• Extend EDR agent coverage to every endpoint that can be reached, and enforce strict DHCP assignment controls for VPN clients.
• Restrict privileges for certificate export and audit all operations involving PFX files.
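As an added example (not code from the Huntress report), the detection logic that the shadow-copy deletion surge in the SOC narrative and the PFX-export audit recommendation above call for, run over constructed Windows process-creation events; the host names, accounts, timestamps and alert thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, account, command line).
# The certutil password argument is masked; nothing here comes from the real incident.
SAMPLE_EVENTS = [
    ("2025-09-02T03:10:01", "ws-014", "CORP\\jdoe", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-09-02T03:10:04", "ws-022", "CORP\\jdoe", "wmic shadowcopy delete"),
    ("2025-09-02T03:10:09", "srv-dc01", "CORP\\svc-backup", "certutil -p ***** -exportPFX my 1A2B3C c:\\temp\\dc.pfx"),
    ("2025-09-02T03:10:15", "ws-031", "CORP\\msmith", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-09-02T03:10:21", "ws-040", "CORP\\msmith", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-09-02T09:30:00", "ws-007", "CORP\\backupop", "vssadmin.exe list shadows"),
]

# Signatures for the two techniques the report describes: deleting shadow copies
# (inhibiting recovery before encryption) and exporting certificates with private
# keys through certutil -exportPFX.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|Win32_ShadowCopy.*\.Delete\(\))",
        re.IGNORECASE),
    "certutil_pfx_export": re.compile(r"certutil(\.exe)?\s.*-exportPFX", re.IGNORECASE),
}

def match_events(events):
    """Return (rule, timestamp, host, account) for every event that matches a rule."""
    hits = []
    for ts, host, account, cmdline in events:
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((rule, datetime.fromisoformat(ts), host, account))
    return hits

def shadow_copy_surge(hits, window=timedelta(minutes=5), min_hosts=3):
    """Flag a burst: shadow-copy deletions on at least min_hosts distinct hosts inside
    `window`. One host is routine admin work; many hosts at once is the staging pattern
    the SOC saw. Returns the hosts of the first surge found, or None."""
    times = sorted((t, h) for r, t, h, _ in hits if r == "shadow_copy_deletion")
    for i, (start, _) in enumerate(times):
        hosts = {h for t, h in times[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return hosts
    return None

if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for rule, ts, host, account in hits:
        print(f"{ts.isoformat()} {host} {account} {rule}")
    print("surge hosts:", shadow_copy_surge(hits))
```

The single-host `vssadmin list shadows` event is deliberately left unmatched so that a benign backup operator's enumeration does not page anyone, while the four deletions across different hosts within twenty seconds trip the surge rule.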
Huntress stresses that backup codes are not a secondary convenience but a direct vector to bypass multifactor protections and must be guarded with the same rigor as passwords.