According to a report by BleepingComputer, the Akira ransomware operation has been targeting Cisco VPN products as an initial access vector to breach corporate networks, steal data, and then encrypt it. The actors behind the ransomware claim to have compromised multiple organizations across industries including education, finance, and real estate.
Cisco VPN solutions are widely adopted in many industries to ensure secure and encrypted data transmission between users and corporate networks, particularly for remote employees.
Akira has been reported to log in with compromised Cisco VPN accounts to gain unauthorized access to corporate networks. Because a valid VPN account already provides a foothold, the actors do not need to drop additional backdoors or set up persistence mechanisms that might raise suspicion.
Akira Targets Cisco VPNs
Sophos first documented Akira's misuse of VPN accounts in May, when its researchers found that the group had entered a network by exploiting "VPN access using Single Factor authentication."
Later, the incident responder known as 'Aura' shared additional details on Twitter from their response to multiple Akira incidents, all of which involved unauthorized access through Cisco VPN accounts that lacked multi-factor authentication.
I'm just gonna go ahead and say it. If you have:
No MFA for it
So yeah, go look at your AD auth logs for 4624/4625 from a WIN-* machine in your user VPN range.
If you have a hit, may the IR Gods help you.
— Aura (@SecurityAura) August 5, 2023
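The hunt Aura describes, turned into a script. This is an added example written for this page, not code from Aura, BleepingComputer or SentinelOne. It assumes a VPN client pool of 10.99.0.0/16 and a 30-day window (both placeholders to replace), and it treats a WorkstationName matching the default "WIN-" plus seven characters pattern of an unjoined Windows install as the indicator. The check itself is a pure function so it can be exercised against constructed records before being pointed at a domain controller.

```powershell
# Added example, not part of the original article or Aura's tweet.
# Hunts the Security log on a domain controller for 4624 (success) and 4625 (failure)
# events whose WorkstationName is a default WIN-xxxxxxx hostname and whose source
# address sits in the VPN client pool.
# ASSUMPTIONS: the VPN pool is 10.99.0.0/16 and the window is 30 days; change both.

$VpnClientPool = '10.99.0.0/16'          # ASSUMPTION: your VPN address pool
$Since         = (Get-Date).AddDays(-30) # ASSUMPTION: hunt window

function ConvertTo-Int64Address {
    param([string]$Ip)
    # IPv4 only; returns $null for '-', IPv6 or anything unparsable (4625 often logs '-').
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $null }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $b = $addr.GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ipN  = ConvertTo-Int64Address $Ip
    $netN = ConvertTo-Int64Address $network
    if ($null -eq $ipN -or $null -eq $netN) { return $false }
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    return ([math]::Floor($ipN / $blockSize) -eq [math]::Floor($netN / $blockSize))
}

function Test-SuspiciousVpnLogon {
    # Pure check over the event's EventData fields, so it can be tested without a DC.
    param([hashtable]$Fields, [string]$Pool)
    $ws = [string]$Fields['WorkstationName']
    $ip = [string]$Fields['IpAddress']
    # ASSUMPTION: an unjoined Windows install defaults to WIN-<7 random chars>;
    # corporate builds normally rename the host, so a WIN-* name from the VPN pool is odd.
    return ($ws -match '^WIN-[A-Z0-9]{7}$') -and (Test-IPInCidr -Ip $ip -Cidr $Pool)
}

function Get-LogonEventFields {
    # Flattens the <EventData><Data Name="..."> elements of a 4624/4625 record into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $f = @{}
    foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    return $f
}

# Collection loop: run on each domain controller, or against a forwarded-events collector.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-LogonEventFields $_
    if (Test-SuspiciousVpnLogon -Fields $f -Pool $VpnClientPool) {
        $outcome = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Outcome     = $outcome
            User        = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
            Workstation = $f['WorkstationName']
            SourceIp    = $f['IpAddress']
            LogonType   = $f['LogonType']
        }
    }
}
```

Two caveats when reading the output. WorkstationName is reliably populated for NTLM and interactive logons but is often blank for Kerberos network logons, so a clean result from this check alone does not clear the VPN pool; pair it with a review of every account that authenticated from the pool and with the VPN concentrator's own session logs. And a single 4625 from a WIN-* host is worth chasing even without a matching 4624, since it shows someone already holding VPN access and trying credentials.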
A SentinelOne WatchTower report, shared exclusively with BleepingComputer, examined the same attack method. The report suggests, but does not confirm, that Akira may have exploited an undisclosed vulnerability in Cisco VPN software that would allow an attacker to bypass authentication where MFA is not enforced.
SentinelOne found references to Cisco VPN gateways in data leaked on the group's extortion page, and observed Cisco VPN-related traits in at least eight cases, which points to an ongoing access strategy rather than a one-off intrusion.
That repetition across cases is the practical takeaway: VPN accounts without MFA are a reusable entry point for this group, and protecting them, and watching their logon activity, is the corresponding defensive priority.
Using the RustDesk Remote Access Tool To Navigate Compromised Networks
SentinelOne WatchTower analysts also observed Akira using RustDesk, an open-source remote access tool, to move around compromised networks; this is the first time a ransomware group has been seen abusing it. Because RustDesk is a legitimate tool, its presence is less likely to draw attention than a custom implant, which gives the actors stealthy remote access to compromised computers.
There are several additional benefits associated with the use of RustDesk:
- Cross-platform compatibility with Windows, macOS, and Linux, expanding Akira’s range of targets.
- Encrypted peer-to-peer connections, reducing the likelihood of detection by network traffic monitoring tools, although the client still has to reach a RustDesk rendezvous or relay server (public or self-hosted), and that connection is visible on the wire even if the session content is not.
- Support for file transfer, streamlining Akira’s toolkit and facilitating data exfiltration.
By leveraging RustDesk, Akira is able to enhance their capabilities while maintaining a low profile.
SentinelOne also identified several other tactics, techniques, and procedures (TTPs) in Akira's recent attacks: unauthorized access to and manipulation of SQL databases, disabling host firewalls and enabling Remote Desktop Protocol (RDP), turning off LSA Protection (which otherwise prevents ordinary processes from reading credentials out of lsass), and disabling Windows Defender.
The attackers make these small but consequential changes after they have established a foothold in the environment and are preparing to move to the final stages of the attack.
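A quick audit for the host-level changes just described. This is an added example written for this page, not code from SentinelOne or the article; it assumes the hosts are expected to run with LSA Protection on (RunAsPPL set to 1 or 2) and that the Defender PowerShell module is present, and it must be run elevated. Each check is its own function returning a boolean or a list so the results can be collected across a fleet.

```powershell
# Added example, not part of the original article or SentinelOne's report.
# Checks a Windows host for the four tampering actions described above:
# LSA Protection off, RDP enabled, firewall profiles disabled, Defender disabled.
# ASSUMPTION: LSA Protection is expected to be enabled on these hosts. Run elevated.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Missing key or missing value both come back as $null instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LsaProtectionDisabled {
    # RunAsPPL = 1 (or 2 with UEFI lock) runs lsass as a protected process; 0 or missing does not.
    $v = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    return ($null -eq $v) -or ($v -eq 0)
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $v = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    return ($null -ne $v) -and ($v -eq 0)
}

function Get-DisabledFirewallProfiles {
    # Names of firewall profiles (Domain, Private, Public) that are switched off.
    Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' } | Select-Object -ExpandProperty Name
}

function Test-DefenderDisabled {
    # Either the policy value that turns Defender off entirely, or real-time protection off.
    $policy = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    if ($policy -eq 1) { return $true }
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) { return $true }   # module unavailable: surface it for review rather than hide it
    return -not $status.RealTimeProtectionEnabled
}

function Invoke-TamperAudit {
    $findings = @()
    if (Test-LsaProtectionDisabled) {
        $findings += [pscustomobject]@{ Finding = 'LSA Protection off'; Detail = 'RunAsPPL missing or 0' }
    }
    if (Test-RdpEnabled) {
        $findings += [pscustomobject]@{ Finding = 'RDP enabled'; Detail = 'fDenyTSConnections = 0' }
    }
    $off = @(Get-DisabledFirewallProfiles)
    if ($off.Count -gt 0) {
        $findings += [pscustomobject]@{ Finding = 'Firewall profile disabled'; Detail = ($off -join ', ') }
    }
    if (Test-DefenderDisabled) {
        $findings += [pscustomobject]@{ Finding = 'Defender disabled'; Detail = 'DisableAntiSpyware = 1 or real-time protection off' }
    }
    return $findings
}

Invoke-TamperAudit | Format-Table -AutoSize
```

Compare the output against a known baseline rather than treating every finding as an intrusion: RDP is legitimately enabled on many servers, and some images ship without RunAsPPL. What matters is a host that drifted from its baseline, especially several of these at once on a machine that also appears in the VPN logon hunt above. Defender's Tamper Protection, where it is enabled, blocks most of the Defender and real-time protection changes, so a host where it has been turned off is itself a finding.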
In late June 2023, Avast released a decryptor for Akira that can recover files encrypted by earlier versions of the ransomware. The actors have since fixed the weakness in their encryptor, so Avast's tool does not work against newer variants.