
Akira Ransomware Exploits Cisco VPNs for Organizational Breaches
The Akira ransomware group has been exploiting Cisco VPN (virtual private network) products as a strategic attack vector to infiltrate corporate networks, leading to data theft and subsequent encryption. This technique leverages the widespread adoption of Cisco VPN solutions, often used by remote employees for secure data transmission between users and company networks.
Launched in March 2023, Akira ransomware has swiftly become a threat, expanding its scope to target VMware ESXi virtual machines using a Linux encryptor. Researchers have identified that Akira has been capitalizing on compromised Cisco VPN accounts to infiltrate corporate networks without the need for additional backdoors or persistence mechanisms, thereby minimizing the chances of detection.
Sophos initially noticed the abuse of VPN accounts by Akira in May, highlighting that the group breached a network using “VPN access using Single Factor authentication.” Aura, an incident responder, later revealed that they had responded to multiple Akira incidents involving Cisco VPN accounts lacking multi-factor authentication protection. The specifics of how Akira acquired these credentials—whether through brute force or dark web market purchases—remain uncertain due to the lack of logging in Cisco ASA.
A SentinelOne WatchTower report has raised the possibility that Akira might exploit an undisclosed vulnerability in Cisco VPN software to bypass authentication in the absence of multi-factor authentication. Evidence of Akira’s use of Cisco VPN gateways was found in leaked data on the group’s extortion page, indicating a recurring strategy in their attack campaigns.
Furthermore, SentinelOne observed that Akira is the first ransomware group to misuse the RustDesk open-source remote access tool, offering stealthy access to compromised networks. RustDesk’s legitimate nature, cross-platform compatibility, encrypted P2P connections, and file transfer support make it an attractive option for surreptitious remote access.
Other tactics, techniques, and procedures (TTPs) observed by SentinelOne in Akira’s attacks include SQL database manipulation, firewall and RDP (Remote Desktop Protocol) manipulation, disabling LSA Protection, and disabling Windows Defender. These actions are carried out once the attackers have established their presence and are ready to progress to the final stages of their attack.
While Avast released a free decryptor for Akira ransomware in late June 2023, the group has since updated its encryptors, rendering the tool effective only against older versions. Cisco has confirmed that its VPN products support multi-factor authentication and encourages customers to enable logging on Cisco ASAs to enhance incident correlation and auditing across network devices.
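The two points above (that the credential source could not be determined because ASA logging was absent, and Cisco's advice to enable it for correlation) are easier to appreciate with the kind of log data that logging would produce. The following Python script is an added example, not code from the article, Cisco, Sophos or SentinelOne: it parses ASA syslog lines for the standard AAA and AnyConnect message IDs (113005 authentication rejected, 113004 authentication successful, 113039 AnyConnect parent session started) and flags two patterns that would have answered the "brute force or purchased credentials" question: repeated failures on one account followed by a success, and one source address failing against several accounts. The sample lines, usernames, IP addresses and the alert thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed ASA syslog sample (not from the article). Message IDs are the
# standard ASA ones; usernames, addresses and timestamps are made up.
SAMPLE_LOG = """\
Aug 22 2023 14:03:11 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 22 2023 14:03:14 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 22 2023 14:03:17 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 22 2023 14:03:20 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 22 2023 14:03:23 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 22 2023 14:03:30 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 , user = jdoe
Aug 22 2023 14:03:31 asa1 %ASA-6-113039: Group RemoteAccess User jdoe IP 203.0.113.7 AnyConnect parent session started.
Aug 22 2023 09:00:02 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 , user = asmith
Aug 22 2023 09:00:03 asa1 %ASA-6-113039: Group RemoteAccess User asmith IP 198.51.100.20 AnyConnect parent session started.
Aug 22 2023 16:10:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bkim : user IP = 203.0.113.99
Aug 22 2023 16:10:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = clee : user IP = 203.0.113.99
Aug 22 2023 16:10:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dpatel : user IP = 203.0.113.99
"""

# Field layouts follow the documented ASA message formats for these IDs.
REJECT_RE = re.compile(
    r"%ASA-\d-113005: .*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SUCCESS_RE = re.compile(r"%ASA-\d-113004: .*?, user = (?P<user>\S+)")
SESSION_RE = re.compile(
    r"%ASA-\d-113039: Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"AnyConnect parent session started")


def analyze(log_text, threshold=5, spray_threshold=3):
    """Summarise VPN authentication activity from ASA syslog text.

    threshold       : failures on one account before a later success is
                      reported as a brute-force login (hypothetical value).
    spray_threshold : distinct accounts one source IP must fail against to
                      be reported as password spraying (hypothetical value).
    """
    failures = defaultdict(list)          # user -> list of source IPs
    users_per_source = defaultdict(set)   # source IP -> accounts tried
    sessions = []                         # (user, ip, group) tunnels started
    alerts = []

    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            failures[m["user"]].append(m["ip"])
            users_per_source[m["ip"]].add(m["user"])
            continue
        m = SUCCESS_RE.search(line)
        if m:
            user = m["user"]
            prior = failures.get(user, [])
            # Success after a burst of failures on the same account.
            if len(prior) >= threshold:
                alerts.append({"type": "brute_force", "user": user,
                               "failures": len(prior),
                               "source_ips": sorted(set(prior))})
            continue
        m = SESSION_RE.search(line)
        if m:
            sessions.append((m["user"], m["ip"], m["group"]))

    # One source address failing against many different accounts.
    for ip, users in users_per_source.items():
        if len(users) >= spray_threshold:
            alerts.append({"type": "password_spray", "source_ip": ip,
                           "accounts": sorted(users)})

    return {
        "failed_logins": {u: len(v) for u, v in failures.items()},
        "sessions": sessions,
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    for user, ip, group in result["sessions"]:
        print(f"session: {user} from {ip} (group {group})")
```

In the constructed sample the script reports one brute-force alert (five rejections for `jdoe` from one address, then a success and a tunnel from that same address) and one spray alert (one address trying three accounts). Without these messages being exported from the ASA, neither pattern is recoverable after the fact, which is exactly the gap the incident responders quoted above ran into. The session-start message also records the source address of every tunnel, so correlating it with the authentication events is what lets an investigator tell a purchased credential used from a new location apart from a guessed one.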
Use our services to receive the best possible protection against Akira ransomware.
Read the source article here
