Unencrypted Desktop Files Exposed Confidential Information, Linked to Akira Ransomware Intrusions
In a recent cyber incident, a state-sponsored advanced persistent threat (APT) group known as 'Salt Typhoon' has been identified as the perpetrator of a campaign targeting SonicWall VPNs and the Huntress portal. The attack began with unauthorized access to a SonicWall VPN device, which gave the threat actor initial entry into the environment. From there, the attacker obtained plaintext recovery codes for the Huntress console, effectively gaining full access to tamper with detection and response capabilities. The compromised user accounts were accessed from internal IP addresses in the 192.168.x.x range, which suggests that the systems the attackers controlled were connected to the affected network. In addition, a known malicious IP address, 104.238.221[.]69, was used to access the Huntress portal with the stolen recovery codes.

Salt Typhoon is believed to operate on behalf of China's Ministry of State Security (MSS), with activity dating back to at least the second quarter of 2025. The campaign quickly deployed the Akira ransomware to many victims, but rapid containment measures prevented the ransomware from spreading throughout the entire environment. The attackers used a technique that allowed them to blend in with legitimate network traffic and bypass endpoint detection and response solutions. They were also able to export a certificate in PFX format, which contains both the public and private keys, from the personal certificate store of the compromised user.

The attacker found the Huntress recovery codes saved in a plaintext file on a user's desktop, highlighting the significant security risk of storing credentials and recovery codes in plaintext. Organizations are advised to avoid plaintext storage, use a password manager, encrypt offline storage, rotate and monitor recovery codes, and periodically regenerate them.
During the attack, the threat actor logged into the client's security portal and attempted to remediate incident reports and uninstall security agents. The attacker manually closed incident reports and initiated the uninstallation of Huntress agents from compromised systems. The IP addresses used in this attack were likely assigned via DHCP to systems controlled by the Akira threat actors. The quick response and containment prevented further damage, but the incident is a reminder of the importance of cybersecurity best practices.
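The advice above to monitor recovery-code use can be turned into a simple triage rule: every portal login that used a recovery code is escalated for review, and a login from a known-bad source is escalated further. The example below is added here and is not code from the article or from Huntress; the audit-log line format (timestamp, user, auth method, source IP) and the sample lines are constructed, and the only indicator it uses is the address the article reports.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample audit lines in an assumed "timestamp user method source_ip" format.
SAMPLE_LOG = """\
2025-06-03T09:12:41Z alice password 192.168.10.24
2025-06-03T22:47:05Z alice recovery_code 192.168.10.77
2025-06-03T22:49:30Z alice recovery_code 104.238.221.69
2025-06-04T08:01:12Z bob password 203.0.113.8
"""

# Indicator taken from the article (defanged there as 104.238.221[.]69).
KNOWN_BAD = {ipaddress.ip_address("104.238.221.69")}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, method, src = m.groups()
    return {"ts": ts, "user": user, "method": method, "src": src}


def classify(event: Dict[str, str]) -> str:
    """'critical' for a denylisted source, 'high' for any recovery-code
    login (these should be rare and always reviewed), 'info' otherwise."""
    src = ipaddress.ip_address(event["src"])
    if src in KNOWN_BAD:
        return "critical"
    if event["method"] == "recovery_code":
        return "high"
    return "info"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the events worth a human look, annotated with severity and
    whether the source was an internal (RFC 1918) address, as in this incident."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        sev = classify(ev)
        if sev != "info":
            ev["severity"] = sev
            ev["internal"] = str(ipaddress.ip_address(ev["src"]).is_private)
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ts']} {f['user']} from {f['src']} internal={f['internal']}")
```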