Rewterz Threat Update – Akira Ransomware Exploits Cisco VPNs For Corporate Breaches

Severity

High

Analysis Summary

Akira ransomware, a relatively new threat actor that emerged in March 2023, has shown a strategic focus on exploiting Cisco VPN (virtual private network) products as a means to breach corporate networks. This marks a concerning trend in the cyber landscape, particularly given the wide adoption of Cisco VPN solutions across industries for secure remote access.

Sophos first raised alarm in May when they discovered Akira employing compromised Cisco VPN accounts to gain unauthorized access to networks. This method reportedly allows Akira to bypass additional backdoor deployment or the establishment of persistence mechanisms that might otherwise trigger suspicion.

However, the exact method of how Akira acquires these credentials remains somewhat uncertain. An incident responder, noted that due to limited logging in Cisco ASA, it’s unclear whether the ransomware group is brute-forcing the credentials or procuring them from underground markets.

A report from researchers further highlights the possibility that Akira could be exploiting an unknown vulnerability within Cisco VPN software, potentially circumventing authentication even without multi-factor authentication (MFA) in place. Evidence of this attack strategy is supported by findings of Cisco VPN-related traits in leaked data associated with Akira’s extortion efforts.

Furthermore, an analysis revealed that Akira is also making use of the RustDesk open-source remote access tool. This innovative tactic enables the ransomware group to operate stealthily within compromised networks, as RustDesk’s legitimate nature doesn’t raise immediate suspicions. This tool’s cross-platform functionality (compatible with Windows, macOS, and Linux), encrypted peer-to-peer connections, and file transfer support enhance Akira’s operational efficiency.

In addition to VPN exploitation and RustDesk usage, analysis uncovers other techniques employed by Akira, including SQL database manipulation, firewall disabling, enabling Remote Desktop Protocol (RDP), disabling LSA (Local Security Authority) Protection, and deactivating Windows Defender. These actions are typically executed once the attackers establish their presence within the compromised environment and are prepared to advance to the latter stages of their attack.

It’s important to note that while a free decryptor for Akira ransomware was released in late June 2023, the attackers have since updated their encryption mechanisms, rendering the tool effective only against older versions of the ransomware. This emphasizes the rapidly evolving nature of cyber threats and the need for continuous vigilance and adaptation by both security professionals and victims.

Impact

• Sensitive Information Theft
• File Encryption
• Reputational Damage
• Financial loss

Remediation

• Implement Multi-Factor Authentication (MFA) for Cisco VPN accounts.
• Regularly update and patch Cisco VPN software.
• Monitor and analyze VPN login activity for unusual behavior.
• Employ intrusion detection and prevention systems.
• Educate users about phishing and social engineering risks.
• Consider network segmentation and least privilege access controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
• Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real-time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.