May 22, 2024
Severity
High
Analysis Summary
The Akira ransomware group, active since March 2023, has demonstrated a sophisticated attack methodology that underscores the importance of robust cybersecurity practices. Recently, they employed a novel privilege escalation technique to infiltrate a virtual environment and steal the NTDS.dit file.
This critical file, housed on domain controllers, contains domain user accounts and password hashes, and its theft allowed the attackers to escalate privileges, facilitating lateral movement and accelerating their ransomware deployment. In this specific incident, the attackers targeted a vulnerable virtual environment, using an unpatched single-factor VPN to breach an agricultural company's network.
Once inside, they leveraged a known remote code execution (RCE) vulnerability (CVE-2021-21972) in the VMware vCenter server. This vulnerability allowed them to upload a malicious JSP file "healthcheck_beat.jsp," which contained a web shell script enabling a reverse shell connection. Through this connection, Akira gained full remote access, laying the groundwork for further exploitation.
![](https://www.rewterz.com/wp-content/uploads/2024/05/akira-ransomware.png)
With access to the VMware vCenter server, Akira used stolen administrator credentials to create a new virtual machine on the ESXi hypervisor. This tactic provided a stealthy environment where they could launch additional attacks while evading detection by conventional security tools.
The attackers then targeted the Active Directory database by shutting down the domain controller's VM, copying its VMDK files to another VM, and extracting the NTDS.dit and SYSTEM hive files from the copied disk. The SYSTEM hive holds the boot key needed to decrypt the password hashes stored in NTDS.dit, which Akira used to crack passwords or employ pass-the-hash techniques, rapidly escalating privileges to a domain administrator account.
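The disk-cloning step above leaves a recognisable trace in hypervisor audit events: a domain controller VM is powered off and, shortly afterwards, a disk from that VM's datastore folder is attached to a different VM. The following detector is an added example, not code from the original advisory or from Rewterz; the event line format, VM names, users and timestamps are constructed for illustration and do not reproduce vCenter's real event schema.

```python
"""Correlate 'DC powered off' with 'DC disk attached elsewhere' (constructed vCenter-style events)."""
import re
from datetime import datetime, timedelta

DC_VMS = {"DC01"}            # assumption: names of the domain controller VMs
WINDOW = timedelta(hours=2)  # how long after a DC power-off a disk attach is suspicious

# Constructed sample events (not real vCenter output).
SAMPLE_EVENTS = """\
2024-05-10T01:12:04Z VmCreatedEvent user=corp\\vcadmin vm=tmp-win01
2024-05-10T01:40:11Z VmPoweredOffEvent user=corp\\vcadmin vm=DC01
2024-05-10T01:47:52Z VmReconfiguredEvent user=corp\\vcadmin vm=tmp-win01 disk=[datastore1] DC01/DC01.vmdk
2024-05-10T03:05:00Z VmPoweredOffEvent user=corp\\backupsvc vm=FILE02
2024-05-10T04:00:00Z VmReconfiguredEvent user=corp\\vcadmin vm=DC01 disk=[datastore1] DC01/DC01.vmdk
"""

LINE = re.compile(r"^(\S+) (\w+) user=(\S+) vm=(\S+)(?: disk=(.+))?$")


def parse(text):
    """Parse the constructed event lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, kind, user, vm, disk = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "kind": kind, "user": user, "vm": vm, "disk": disk})
    return events


def find_dc_disk_cloning(events, dc_vms=DC_VMS, window=WINDOW):
    """Alert when a DC's own .vmdk is attached to a *different* VM within WINDOW of the DC being powered off."""
    alerts = []
    poweroffs = {}  # DC name -> time of its most recent power-off
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "VmPoweredOffEvent" and e["vm"] in dc_vms:
            poweroffs[e["vm"]] = e["ts"]
        elif e["kind"] == "VmReconfiguredEvent" and e["disk"]:
            for dc, t_off in poweroffs.items():
                # Disk path lives under the DC's datastore folder, target VM is not the DC itself.
                if f"] {dc}/" in e["disk"] and e["vm"] != dc and e["ts"] - t_off <= window:
                    delta = e["ts"] - t_off
                    alerts.append({"dc": dc, "target_vm": e["vm"], "user": e["user"],
                                   "minutes_after_poweroff": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in find_dc_disk_cloning(parse(SAMPLE_EVENTS)):
        print("ALERT: possible NTDS.dit theft via disk cloning:", a)
```

The reconfigure of DC01's own disk at 04:00 is deliberately not flagged: the same disk attached back to the DC is routine maintenance, and it also falls outside the window.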
The forensic investigation conducted by researchers revealed that Akira's attack chain was meticulously planned and executed. Within six hours, the attackers had moved laterally across the network, compromising additional systems. They deployed the ransomware by abusing a legitimate backup client process, beremote.exe, to deliver the ransomware binary to servers.
This method effectively bypassed security defenses because the backup client was a trusted process within the system’s environment. Unlike typical ransomware attacks that aim to destroy backups, Akira leveraged remote backups to ensure the deployment of their ransomware, highlighting a strategic shift in attack methodologies.
The Akira ransomware group's techniques are similar to those used by advanced persistent threat groups like the China-backed UTA0178, employing advanced methods to bypass security measures, escalate privileges, and move laterally within a network. Their ability to exploit unpatched vulnerabilities and weaknesses in multi-factor authentication emphasizes the need for organizations to adopt stringent cybersecurity measures.
To defend against such sophisticated attacks, organizations must implement robust patch management systems, enforce multi-factor authentication, and conduct regular security assessments. These measures are crucial to preventing attackers from gaining a foothold and rapidly spreading through the network.
Impact
- Privilege Escalation
- Code Execution
- Financial Loss
- Sensitive Data Theft
Remediation
- Employ intrusion detection and prevention systems.
- Educate users about phishing and social engineering risks.
- Consider network segmentation and least privilege access controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
- Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.