Ransomware Hackers Exploit Misconfigured EDR to Disable Security

Summary
– Ransomware attackers are highly adaptive and exploit any mistakes made by target organizations.
– Akira ransomware affiliates have been using a known vulnerability (CVE-2024-40766) in SonicWall firewalls, often due to organizations failing to reset credentials after upgrades.
– Attackers use a mix of external tools, built-in Windows utilities, and persistence mechanisms to carry out intrusions and disable security measures.
– A critical error occurred when a security engineer stored Huntress recovery codes in plain text, allowing attackers to bypass MFA and tamper with the security console.
– Organizations should store recovery codes securely, regenerate them periodically, and monitor for unusual logins to prevent such breaches.
Modern ransomware groups demonstrate a chilling level of adaptability, exploiting even the smallest security oversights to disable critical defenses and maximize damage. Recent investigations into the Akira ransomware campaign reveal how attackers systematically bypass multi-factor authentication and dismantle endpoint detection and response (EDR) systems by capitalizing on human error and misconfigurations.
Security firms Arctic Wolf and Huntress initially raised alarms in early August 2025 regarding potential zero-day exploitation involving SonicWall firewalls. However, SonicWall clarified that attackers were actually leveraging CVE-2024-40766, a vulnerability patched the previous year. The issue arose when organizations upgraded from Gen 6 to Gen 7 firewalls without resetting local user credentials that had already been compromised.
Huntress researchers observed that Akira affiliates employed a varied toolkit, ranging from common utilities like Advanced IP Scanner and WinRAR to living-off-the-land binaries (LOLBins) and remote management tools such as AnyDesk. Attackers also abused legitimate Windows drivers, cleared event logs, and used built-in commands like Set-MpPreference and netsh.exe to disable Microsoft Defender and local firewalls.
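The built-in commands named above (Set-MpPreference to weaken Defender, netsh.exe to turn off the host firewall) and the clearing of event logs all leave process-creation telemetry behind, which is where a defender can catch this stage before the EDR console itself is touched. The following is an added example, not code from the article or from Huntress, showing how that detection logic can be run over process-creation records. The event records are constructed for the example in the shape of Windows Security 4688 / Sysmon Event ID 1 data; the rule names and the severity thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Windows 4688 / Sysmon ID 1 process
# creation records. They are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh.exe advfirewall set allprofiles state off"},
    {"host": "WS02", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    # Benign administrative use of the same binaries; these must not fire.
    {"host": "WS03", "user": "CORP\\itadmin",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh.exe interface show interface"},
    {"host": "WS03", "user": "CORP\\itadmin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Detection rules as (name, regex over the command line). Rule names are
# assumptions for this example. The Defender rule only fires when a -Disable*
# switch is set to $true or 1, so re-enabling protection is not flagged.
RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+(\$true|1)\b", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("eventlog_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def classify(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event["cmdline"]
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events):
    """Run all rules over a list of process-creation events; one finding per hit."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": rule, "cmdline": ev["cmdline"]})
    return findings


def correlate(findings):
    """Group findings by host. A host where two or more distinct tampering rules
    fired is escalated to 'high', since chained disabling of Defender, the
    firewall and logging is the pattern described for these intrusions.
    The thresholds are an assumption for this example."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['user']:17} {f['rule']:18} {f['cmdline']}")
    print(correlate(found))
```

In a real deployment the event list would be fed from the SIEM or EDR search rather than a literal, and the `correlate` step is the part worth keeping: any one of these commands has legitimate uses, but two or more on the same host within a short window rarely does.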
A critical turning point in these attacks involved the exploitation of poorly stored recovery codes. In one instance, a security engineer had saved Huntress recovery codes in a plaintext file with an obvious name. These codes, intended as a multi-factor authentication (MFA) backup, became a master key for attackers. By accessing the Huntress console, they closed active incidents, reconnected isolated infected systems, and attempted to remove EDR agents from compromised endpoints.
Analysts Michael Elford and Chad Hudson emphasized that recovery codes must be guarded with the same rigor as privileged passwords. Storing credentials in plaintext is indefensible; instead, organizations should use encrypted password managers with strong passphrases or keep them in password-protected files on encrypted drives. Regularly regenerating recovery codes and monitoring login activity for anomalies are also strongly recommended.
This incident underscores a sobering reality: ransomware actors don’t always need sophisticated exploits when simple misconfigurations and procedural failures provide a direct path into the heart of an organization’s security infrastructure.
(Source: HelpNet Security)