Akira Ransomware Targets Cisco VPNs to Breach Organizations Summary:

Cyber Security Threat Summary:
There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines. Cisco VPN solutions are widely adopted across many industries to provide secure, encrypted data transmission between users and corporate networks, typically used by remotely working employees. Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.

Akira’s targeting of Cisco VPNs was first spotted in May by cybersecurity firm Sophos, who stated that the ransomware gang was breaching networks using VPN access via single-factor authentication. More recently an incident responder known as Aura, shared on Twitter that they had responded to multiple Akira incidents using Cisco VPN accounts that didn’t have multi-factor authentication enabled. Aura further stated that due to the lack of logging in Cisco ASA, it remained unclear if the group was able to brute-force the VPN account credentials or if they bought them on the dark web.

Security Officer Comments:
According to SentinelOne, it is possible that Akira is exploiting an unknown vulnerability in Cisco VPN software that could allow the actors to bypass authentication in the absence of MFA. SentinelOne seems to be closely following this group’s activities. Based on attacks observed targeting Cisco VPNs, the group will deploy RustDesk, an open-source remote access tool, to navigate through compromised networks. The selection of RustDesk is due to it being cross-platform, allowing Akira to target Windows, macOS, and Linux systems. Furthermore, connections made using RustDesk are encrypted, making it less likely to be detected by security tools. In addition, the tool supports file transfer, allowing Akira to engage in data exfiltration and extortion activities.

“Other TTPs observed by SentinelOne in Akira's latest attacks include SQL database access and manipulation, disabling firewalls and enabling RDP, disabling LSA Protection, and disabling Windows Defender” (Bleeping Computer, 2023).

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.