The Akira ransomware has been repeatedly spotted since mid-2023 by several security firms, but this time it has made headlines for targeting big fish: Cisco VPNs.
- Cisco VPN products are being exploited by the newly identified ransomware group Akira, which focuses on targeted attacks against corporate entities.
- The Akira gang leverages vulnerabilities in Cisco VPNs to gain unauthorized access, enabling it to launch ransomware attacks and demand ransom for sensitive information.
- The Akira gang’s primary goal is to infiltrate and compromise corporate networks, particularly those lacking multi-factor authentication (MFA) for VPN access.
- Researchers suspect the hackers might have exploited a zero-day vulnerability, mainly affecting VPN accounts without MFA, to gain unauthorized access.
- Akira ransomware has been observed targeting various sectors, including education, real estate, healthcare, manufacturing, and corporations, indicating a broad and persistent threat to diverse industries.
Multiple cybersecurity firms have confirmed that Cisco VPN products are being targeted with ransomware, and the perpetrators are members of a relatively new gang identified as Akira.
Corporate entities are the primary target of this ransomware campaign, which is aimed solely at obtaining sensitive information and making money through ransom. All that Akira members need is a set of valid credentials to log into accounts on the VPN service.
However, researchers couldn’t determine how the hackers obtained the login credentials for the Cisco VPN accounts in the first place, considering that Cisco ASA doesn’t feature a logging function for this.
Akira ransomware has been repeatedly spotted since mid-2023 by several security firms. For instance, Sophos detected it in May and reported that the gang used VPN access protected only by single-factor authentication to reach the networks it targeted.
In another report, an incident responder using the alias SecurityAura stated that Akira could only compromise VPN accounts that didn’t have multi-factor authentication (MFA) enabled.
I’m just gonna go ahead and say it. If you have:
No MFA for it
So yeah, go look at your AD auth logs for 4624/4625 from a WIN-* machine in your user VPN range.
If you have a hit, may the IR Gods help you.
— Aura (@SecurityAura) August 5, 2023
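The hunting tip in the tweet above (Windows Security events 4624/4625 where the source workstation still carries a default WIN-* hostname and the source address sits in the user VPN pool) can be turned into a small triage script. The following is an added example, not code from the article or from SecurityAura; the event lines are constructed and simplified to key=value form, and the VPN pool 10.50.0.0/16 is an assumed value that a practitioner would replace with their own range.

```python
import ipaddress
import re

# Constructed sample events (not real log data). Each line is a simplified
# key=value rendering of a Windows Security event: 4624 = successful logon,
# 4625 = failed logon, 4672 = special privileges assigned (included as noise).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jsmith WorkstationName=LAPTOP-JS01 IpAddress=10.50.1.23",
    "EventID=4625 TargetUserName=admin WorkstationName=WIN-K3A9Q2 IpAddress=10.50.1.77",
    "EventID=4624 TargetUserName=mjones WorkstationName=WIN-7B2D1F IpAddress=10.50.2.14",
    "EventID=4624 TargetUserName=svc_backup WorkstationName=WIN-ABCDEF IpAddress=192.168.10.5",
    "EventID=4672 TargetUserName=admin WorkstationName=WIN-K3A9Q2 IpAddress=10.50.1.77",
    "EventID=4624 TargetUserName=alee WorkstationName=WS-ALEE IpAddress=10.50.3.9",
]

# Assumed user VPN address pool; replace with the organisation's real range.
VPN_RANGE = ipaddress.ip_network("10.50.0.0/16")
# Default hostname pattern of an unrenamed Windows install (WIN- plus random chars).
WIN_DEFAULT_NAME = re.compile(r"^WIN-[A-Z0-9]+$", re.IGNORECASE)
LOGON_EVENTS = {"4624", "4625"}


def parse_event(line):
    """Split a key=value event line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_suspicious(fields, vpn_range=VPN_RANGE):
    """True for a logon event from a WIN-* host whose source IP is in the VPN pool."""
    if fields.get("EventID") not in LOGON_EVENTS:
        return False
    if not WIN_DEFAULT_NAME.match(fields.get("WorkstationName", "")):
        return False
    try:
        ip = ipaddress.ip_address(fields.get("IpAddress", ""))
    except ValueError:
        # Missing or malformed address (e.g. "-" for local logons): not a VPN hit.
        return False
    return ip in vpn_range


def find_hits(lines, vpn_range=VPN_RANGE):
    """Return (EventID, user, workstation, ip) tuples for every matching event."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if is_suspicious(fields, vpn_range):
            hits.append((fields["EventID"], fields.get("TargetUserName", ""),
                         fields["WorkstationName"], fields["IpAddress"]))
    return hits


def summarize_by_source(hits):
    """Count hits per source IP so a single address spraying many accounts stands out."""
    counts = {}
    for _event_id, _user, _host, ip in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit)
    print("per-source counts:", summarize_by_source(find_hits(SAMPLE_EVENTS)))
```

The WIN-* check is a heuristic: a freshly installed, never-renamed corporate machine will also match, so every hit needs to be reviewed against asset inventory before it is treated as an intruder's box. Feeding real data in means exporting the Security log (for example with `wevtutil` or a SIEM query) and adapting `parse_event` to the export format.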
Some researchers believe that attackers may have brute-forced these accounts or bought access from a third party via a dark web marketplace. SentinelOne’s research, published on 23 August, highlighted that the hackers might have used a zero-day vulnerability that mainly impacted accounts without MFA.
SentinelOne researchers also noted that threat actors have become increasingly interested in inserting ransomware into the codebases of popular products, especially VPNs. Their most preferred ransomware families include Conti, LockBit, and Babuk.
Regarding Akira, SentinelOne researchers wrote that the malware’s Linux variant was discovered in June 2023, but the operation has been active since April 2023. Attackers deliver Akira by exploiting vulnerable public-facing services and applications. Per SentinelOne researchers, they are more inclined to target MFA-related weaknesses.
Akira’s attack scope is vast: it targets educational institutions, real estate, healthcare, and manufacturing sectors in addition to corporations. Linux versions of Akira ransomware use the Crypto++ library to perform encryption on targeted devices. Akira’s small set of command-line options doesn’t include one to shut down VMs before encryption.
However, the attacker can control the encryption speed, and with it the victim’s chance of recovering data, through the -n parameter. This means that if encryption is set to run fast, there is little chance the victim will recover the data using decryption tools; if it runs slowly, there is a good chance the victim can recover data.
Akira’s activities were first detected by the US-based cybersecurity firm Arctic Wolf in March 2023. Per their research, the attackers’ main targets were small to medium-sized businesses worldwide, with a considerable focus on the US and Canada. Researchers also found links between Akira and Conti operators.
An Akira decryptor was released by Avast in late June 2023, but the ransomware operators updated the encryptor, so decryption may only work on older versions.
Cisco VPN products are popular among businesses. Organizations rely on them for the secure transmission of data between networks and users, and they are considered mandatory for hybrid and remote workers. This explains why threat actors might be interested in exploiting them. Organizations must remain vigilant and ensure robust digital security to prevent data loss and extortion attempts by ransomware operators.
In this regard, My1Login CEO Mike Newman has shared some tips with Hackread.com for organizations to stay protected. “With VPNs providing a direct tunnel, deep into an enterprise’s network, this is not the type of access you ever want to fall into the hands of malicious actors.”
“The best way to protect this access is by implementing two-factor authentication, so any organisation using Cisco VPNs must do this as a priority. But it’s also a practice that should be applied to any business using a VPN,” Mike added.
“VPNs are a direct route into the enterprise network, and they open the organisation’s networks up to the outside world. Securing this with multiple layers of authentication is a standard best practice and one of the best ways to avoid getting caught up in incidents like these.”
“Furthermore, it is also critical to implement policies against password reuse as this reduces the risk of one set of breached credentials on the dark web enabling access to other applications and services,” said Mike.