Akira ransomware, a relatively new threat actor that emerged in March 2023, has shown a strategic focus on exploiting Cisco VPN (virtual private network) products as a means to breach corporate networks. This marks a concerning trend in the cyber landscape, particularly given the wide adoption of Cisco VPN solutions across industries for secure remote access.
Sophos first raised the alarm in May when it observed Akira using compromised Cisco VPN accounts to gain unauthorized access to networks. Logging in with valid credentials reportedly lets Akira avoid deploying additional backdoors or establishing persistence mechanisms that might otherwise draw suspicion.
However, exactly how Akira acquires these credentials remains uncertain. An incident responder noted that, because of limited logging in Cisco ASA, it is unclear whether the ransomware group is brute-forcing the credentials or buying them on underground markets.
A report from researchers further highlights the possibility that Akira could be exploiting an unknown vulnerability within Cisco VPN software, potentially circumventing authentication even without multi-factor authentication (MFA) in place. Evidence of this attack strategy is supported by findings of Cisco VPN-related traits in leaked data associated with Akira’s extortion efforts.
Furthermore, an analysis revealed that Akira is also making use of the RustDesk open-source remote access tool. This innovative tactic enables the ransomware group to operate stealthily within compromised networks, as RustDesk’s legitimate nature doesn’t raise immediate suspicions. This tool’s cross-platform functionality (compatible with Windows, macOS, and Linux), encrypted peer-to-peer connections, and file transfer support enhance Akira’s operational efficiency.
In addition to VPN exploitation and RustDesk usage, analysis has uncovered other techniques employed by Akira, including SQL database manipulation, disabling the firewall, enabling Remote Desktop Protocol (RDP), disabling LSA (Local Security Authority) Protection, and deactivating Windows Defender. These actions are typically executed once the attackers have established their presence in the compromised environment and are ready to move to the later stages of the attack.
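As an added illustration (not code from the original article or from any vendor report), the following PowerShell script audits a Windows host for the four host-configuration changes listed above: RDP enabled, LSA Protection off, Windows Defender disabled, and firewall profiles turned off. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later with the NetSecurity and Defender modules available; the registry locations and cmdlets are standard Windows ones, and the `Suspicious` flag is a hypothetical label meaning "matches the weakened state an operator should investigate".

```powershell
# Added example: audit a Windows host for the post-access configuration changes
# attributed to Akira in the text above. Assumes an elevated session.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent; each check decides what absence means.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Remote Desktop: fDenyTSConnections = 0 means RDP connections are allowed.
$rdp = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += [pscustomobject]@{ Check = 'RDP enabled'; Value = $rdp; Suspicious = ($rdp -eq 0) }

# 2. LSA Protection: RunAsPPL = 1 runs LSASS as a protected process; absent or 0 means no protection.
$ppl = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$findings += [pscustomobject]@{ Check = 'LSA Protection (RunAsPPL) off'; Value = $ppl; Suspicious = ($ppl -ne 1) }

# 3. Windows Defender: policy value DisableAntiSpyware = 1 switches Defender off.
#    Also ask the engine directly, since the policy value can be absent while real-time protection is off.
$defPolicy = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
$rtp = try { (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch { $null }
$findings += [pscustomobject]@{
    Check      = 'Defender disabled'
    Value      = "policy=$defPolicy realtime=$rtp"
    Suspicious = ($defPolicy -eq 1 -or $rtp -eq $false)
}

# 4. Firewall: list every profile (Domain/Private/Public) whose Enabled state is False.
$offProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | Select-Object -ExpandProperty Name
$findings += [pscustomobject]@{
    Check      = 'Firewall profile disabled'
    Value      = ($offProfiles -join ',')
    Suspicious = (@($offProfiles).Count -gt 0)
}

$findings | Format-Table -AutoSize
```

Run it periodically or from an EDR live-response session and alert on any row where `Suspicious` is `True`; a change from a known-good baseline, rather than the absolute state, is the signal worth investigating.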
It’s important to note that while a free decryptor for Akira ransomware was released in late June 2023, the attackers have since updated their encryption mechanisms, rendering the tool effective only against older versions of the ransomware. This emphasizes the rapidly evolving nature of cyber threats and the need for continuous vigilance and adaptation by both security professionals and victims.