An extraordinarily advanced and formidable ransomware strain called “Akira” has recently surfaced, posing a significant danger to organisations all around the globe. Akira is now focusing on Cisco VPN devices, which could allow cybercriminals to enter corporate networks. The disclosure has triggered immediate alerts and demands for strengthened cybersecurity protocols.
The emergence of Akira ransomware caught the attention of cybersecurity experts as multiple organizations reported facing highly organized and devastating ransomware attacks. After initial investigations, it became clear that the attacks had a common element: exploiting vulnerabilities in Cisco VPNs.
Akira Ransomware
The first reports about the Akira ransomware can be traced back to March 2023. The operators behind Akira use several methods to extort victims. They run a website on the TOR network with a .onion domain, which publishes a list of victims and any stolen information if the victims don’t pay the ransom. To initiate negotiations, victims are told to contact the attackers through this TOR-based site using a unique identifier included in the ransom message they receive.
Akira focuses on Cisco’s VPNs
Sophos discovered the first signs of Akira’s misuse of VPN accounts in May. The researchers highlighted that this ransomware group infiltrated a network using “VPN access with Single Factor authentication.”
An incident responder named ‘Aura’ shared more information on Twitter about their response to several Akira incidents. The incidents involved using Cisco VPN accounts that did not have multi-factor authentication.
According to Aura, in a conversation with BleepingComputer, it is still undetermined whether Akira obtained the VPN account credentials by brute-forcing them or by purchasing them on dark web markets, because of the absence of logging on Cisco ASA.
SentinelOne has shared a WatchTower report with BleepingComputer. The report focuses on an attack method that suggests Akira could exploit a vulnerability in Cisco VPN software. This vulnerability might allow authentication to be bypassed without using MFA.
Leaked data on the group’s extortion page provides evidence that Akira uses Cisco VPN gateways. It indicates that the ransomware gang is continuing to use this attack strategy.
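Authentication logs are what separate brute-forced credentials from purchased ones, which is the question left open above. The following is an added example, not taken from the original article or from any vendor it names: it scans ASA-style AAA syslog text for one source failing against many accounts, and for an account that logs in after a run of rejections. The sample lines are constructed and only modelled on ASA messages 113004 and 113005; the field layout, the thresholds and the `analyze` function are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on ASA AAA messages 113005 (rejected)
# and 113004 (successful). The field layout is an assumption; adjust the
# regex to what your appliance emits. IPs are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.50
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.50
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.50
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.7
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = svc_backup
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 192.0.2.10
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = dave
"""

EVENT = re.compile(
    r"%ASA-\d-(?P<id>113004|113005):.*?\buser\s*=\s*(?P<user>\S+)"
    r"(?:.*?\buser IP\s*=\s*(?P<ip>\S+))?", re.IGNORECASE)

def analyze(log_text, spray_users=3, brute_failures=3):
    """Return (spray_sources, guessed_accounts) from ASA AAA syslog text."""
    users_by_ip = defaultdict(set)   # source IP -> usernames it failed on
    failures = defaultdict(int)      # username -> rejections since last success
    guessed = set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["id"] == "113005":
            failures[user] += 1
            if ip:
                users_by_ip[ip].add(user)
        else:
            # A success straight after a run of rejections suggests a guessed
            # password; a single typo followed by a login does not.
            if failures[user] >= brute_failures:
                guessed.add(user)
            failures[user] = 0
    spray = {ip for ip, users in users_by_ip.items() if len(users) >= spray_users}
    return spray, guessed

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A VPN login with no preceding failures in the logs is consistent with credentials obtained elsewhere, which is why the logging has to be in place before an incident.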
Targeting VPN Implementations without MFA
In general, when it comes to targeting VPNs, the initial phase of the attack involves exploiting vulnerable services or applications. Attackers frequently take advantage of the lack of multi-factor authentication (MFA) or of well-known vulnerabilities in both MFA and VPN software. Once they obtain a foothold in a target network, they try to extract credentials using LSASS (Local Security Authority Subsystem Service) dumps. These credentials help them move around the network and gain higher privileges if necessary.
Additionally, the group has been associated with utilising other tools commonly known as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, like PCHunter64. They have also been observed creating minidumps to gather more intelligence or navigate through the target network.
Remote RustDesk access
SentinelOne WatchTower’s analysts discovered that Akira had become the first ransomware group to exploit the RustDesk open-source remote access tool to move through compromised networks.
RustDesk, a legitimate tool, can provide inconspicuous remote access to compromised computers without raising suspicions.
Using RustDesk also gives the group several other advantages:
- It runs cross-platform on Windows, macOS, and Linux, which extends Akira’s reach across all of these systems.
- Its P2P connections are encrypted, making them less likely to be flagged by network traffic monitoring tools.
- It allows easy file transfer, which helps with data exfiltration and improves Akira’s toolkit.
SentinelOne observed additional attack techniques used by Akira, such as accessing and modifying SQL databases, disabling firewalls and enabling RDP, disabling LSA Protection, and disabling Windows Defender.