Mounting Evidence Reveals Akira Ransomware Targets Cisco VPNs to Breach Corporate Networks
There is growing evidence that the Akira ransomware operation is specifically targeting Cisco VPN (virtual private network) products as a means to breach corporate networks, steal data, and encrypt it. Akira ransomware, which was launched in March 2023, recently added a Linux encryptor to target VMware ESXi virtual machines.
Cisco VPN solutions are widely adopted across various industries to provide secure and encrypted data transmission between users and corporate networks, especially for remotely working employees.
Reports suggest that Akira ransomware has been leveraging compromised Cisco VPN accounts, allowing the gang to breach corporate networks without the additional backdoors or persistence mechanisms that could expose them.
Sophos, a cybersecurity company, first noted Akira’s abuse of VPN accounts in May when they reported that the ransomware gang had breached a network by exploiting “VPN access using Single Factor authentication.” However, incident responder ‘Aura’ disclosed further information on Twitter regarding multiple Akira incidents that had used unprotected Cisco VPN accounts without multi-factor authentication.
Aura, in a conversation with BleepingComputer, mentioned that due to the lack of logging in Cisco ASA (Adaptive Security Appliance), it remains unclear whether Akira brute-forced the VPN account credentials or if they purchased them from dark web markets.
A privately shared report from SentinelOne, focusing on the same attack method, raised the possibility that Akira is exploiting an unknown vulnerability in Cisco VPN software to bypass authentication where multi-factor authentication is absent.
SentinelOne’s report also uncovered evidence of Akira’s use of Cisco VPN gateways in leaked data posted on the group’s extortion page. They observed Cisco VPN-related traits in at least eight cases, indicating that this is part of an ongoing attack strategy employed by the ransomware gang.
In addition, SentinelOne analysts discovered that Akira was utilizing the open-source remote access tool called RustDesk to navigate compromised networks. This makes Akira the first known ransomware group to abuse RustDesk. Since RustDesk is a legitimate tool, its presence is unlikely to raise suspicions, providing stealthy remote access to compromised computers.
Other advantages of RustDesk for Akira include its cross-platform operation on Windows, macOS, and Linux, which gives the gang a wider range of targets. Additionally, the tool’s encrypted P2P connections make it less likely to be detected by network traffic monitoring tools. Furthermore, RustDesk supports file transfer, which facilitates data exfiltration and streamlines Akira’s toolkit.
SentinelOne also observed other tactics, techniques, and procedures (TTPs) employed by Akira in their recent attacks. These include SQL database access and manipulation, disabling firewalls and enabling RDP (Remote Desktop Protocol), disabling LSA (Local Security Authority) Protection, and disabling Windows Defender. These actions are typically performed after the attackers have established their presence in the targeted environment and are ready to proceed with the final phases of their attack.
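As an added illustration of how a defender could watch for the RustDesk usage and the host-weakening TTPs described above, the following detection pass (my example, not code from SentinelOne or the article) runs rules over constructed Sysmon-style registry and process events. The registry paths are the standard Windows locations for LSA Protection, Defender policy, firewall profiles and RDP; the event records and host names are constructed for the example.

```python
import re
from collections import defaultdict

# (regex on the registry value path, value that weakens the host, finding label).
# Paths are the standard Windows locations of these settings; my addition, not from the report.
REGISTRY_RULES = [
    (r"\\Control\\Lsa\\RunAsPPL$", 0, "LSA Protection disabled"),
    (r"\\Windows Defender\\DisableAntiSpyware$", 1, "Windows Defender disabled"),
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", 0, "Windows Firewall disabled"),
    (r"\\Terminal Server\\fDenyTSConnections$", 0, "RDP enabled"),
]
REMOTE_ACCESS_IMAGES = {"rustdesk.exe"}  # legitimate tool, abused here for remote access

def _dword(details):
    """Parse the integer out of a Sysmon DWORD detail string such as 'DWORD (0x00000000)'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None

def detect_post_access_activity(events):
    """Return (host, label) findings, one per event that matches a rule above."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("id") == 13:  # Sysmon RegistryEvent (value set)
            for pattern, bad_value, label in REGISTRY_RULES:
                if re.search(pattern, ev.get("target", ""), re.I) and _dword(ev.get("details", "")) == bad_value:
                    findings.append((host, label))
        elif ev.get("id") == 1:  # Sysmon ProcessCreate
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in REMOTE_ACCESS_IMAGES:
                findings.append((host, f"remote access tool launched: {image}"))
    return findings

def hosts_with_clustered_activity(findings, threshold=2):
    """Hosts with at least `threshold` distinct findings: one change may be admin work, several fit the final phase."""
    per_host = defaultdict(set)
    for host, label in findings:
        per_host[host].add(label)
    return sorted(h for h, labels in per_host.items() if len(labels) >= threshold)

def _reg(host, path, value):  # builds a constructed Sysmon event-13 record
    return {"id": 13, "host": host, "target": path, "details": f"DWORD (0x{value:08x})"}

LSA = r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL"
SAMPLE_EVENTS = [  # constructed telemetry for this example, not data from the incidents
    _reg("WS01", LSA, 1),  # turning LSA Protection on is hardening, not flagged
    _reg("SRV02", LSA, 0),
    _reg("SRV02", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", 1),
    _reg("SRV02", r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 0),
    _reg("SRV02", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall", 0),
    {"id": 1, "host": "SRV02", "image": r"C:\Users\svc\AppData\Local\rustdesk\rustdesk.exe"},
]
```

Running `detect_post_access_activity(SAMPLE_EVENTS)` flags only SRV02, and `hosts_with_clustered_activity` singles it out because several of the listed TTPs land on the same host in sequence.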
In late June 2023, cybersecurity company Avast released a free decryptor for Akira ransomware. However, the threat actors behind Akira have since patched their encryptors, so Avast’s tool is effective only against older versions.