
Configuration of IT-Security solutions matters – and sometimes a single parameter can cause big trouble

ID: 12f61999-6dd8-5d6b-9d59-ea01379f012f

STIX ID: report--12f61999-6dd8-5d6b-9d59-ea01379f012f

Feed Name: WatchGuard Secplicity Blog

Threat Score
75/100

Date Published: 2025-07-02

Date Updated: 2026-05-01

Author: Jonas Spieckermann

...
...

A WatchGuard customer was compromised when attackers used stolen or brute-forced VPN credentials to log in through a legacy Firebox-DB (local user database) account that was not covered by MFA. After scanning the network and stealing further credentials, they collected files over SMB and uploaded them to fastupload.io, then executed Akira ransomware on a server that had no endpoint protection. The server was encrypted, but the customer recovered from clean backups. The report walks through the attack chain and the detection gaps it exposed, and recommends disabling legacy authentication, enforcing MFA on every VPN login, enabling brute-force protection, deploying EPDR on all hosts, network segmentation, patching, NDR/MDR monitoring, and HTTPS inspection to prevent similar incidents.
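The two initial-access weaknesses in the summary, a credential brute force against the VPN and a successful login through a legacy authentication server that is not behind MFA, are both visible in firewall authentication logs if someone looks for them. The following is an added detection example, not code from the Secplicity post or from WatchGuard. The log lines are constructed for this example in a simplified syslog-like layout, not real Firebox output, and the assumption that the "Firebox-DB" authentication server lacks MFA while "AuthPoint" enforces it is declared in `LEGACY_SERVERS`; adjust both to your own log format and server names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (NOT real Firebox output): a simplified syslog-style
# layout assumed for this example. "user@<server>" names the authentication
# server the login was checked against.
SAMPLE_LOG = """\
2025-06-20T02:14:01Z fw1 sslvpn: user alice@AuthPoint from 198.51.100.7 failed login
2025-06-20T02:14:03Z fw1 sslvpn: user alice@AuthPoint from 198.51.100.7 failed login
2025-06-20T02:14:05Z fw1 sslvpn: user bob@AuthPoint from 198.51.100.7 failed login
2025-06-20T02:14:08Z fw1 sslvpn: user admin@Firebox-DB from 198.51.100.7 failed login
2025-06-20T02:14:11Z fw1 sslvpn: user svc_backup@Firebox-DB from 198.51.100.7 failed login
2025-06-20T02:14:15Z fw1 sslvpn: user svc_backup@Firebox-DB from 198.51.100.7 logged in
2025-06-20T08:02:40Z fw1 sslvpn: user carol@AuthPoint from 203.0.113.22 logged in
2025-06-20T09:30:12Z fw1 sslvpn: user dave@AuthPoint from 203.0.113.40 failed login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user (?P<user>[^@\s]+)@(?P<server>\S+) "
    r"from (?P<ip>[0-9.]+) (?P<result>failed login|logged in)$"
)

# Assumption for this example: authentication servers that do not enforce MFA.
LEGACY_SERVERS = {"Firebox-DB"}


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "server": m["server"],
            "ip": m["ip"],
            "result": m["result"],
        })
    return events


def detect_brute_force(events, threshold=5, window_seconds=300):
    """Source IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: peak_failures_in_window}. Counting per source IP rather than
    per user catches password spraying across many accounts as well as
    repeated attempts against one account.
    """
    hits = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "failed login":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            hits[ev["ip"]] = max(hits.get(ev["ip"], 0), len(q))
    return hits


def detect_legacy_logins(events):
    """Successful logins checked against a server that does not enforce MFA.

    Every one of these is a single-factor VPN session; after legacy
    authentication is disabled this list should be empty.
    """
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "logged in" and e["server"] in LEGACY_SERVERS]


def detect_success_after_failures(events, brute_hits):
    """Successful login from an IP that was brute forcing: the highest-priority alert."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "logged in" and e["ip"] in brute_hits]


def analyze(log_text):
    """Run all three checks over a block of log text and return the findings."""
    events = parse(log_text.splitlines())
    brute = detect_brute_force(events)
    return {
        "brute_force_sources": brute,
        "legacy_auth_logins": detect_legacy_logins(events),
        "success_after_brute_force": detect_success_after_failures(events, brute),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the brute-force check fires for 198.51.100.7 (five failures in about ten seconds), the legacy-auth check flags the `svc_backup@Firebox-DB` login, and the combined check reports the same session as a brute force that ended in success, which is the pattern the post describes. The thresholds are deliberately low for the sample; a production rule would tune `threshold` and `window_seconds` against the normal failure rate of the VPN.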
