Finland Warns of Akira Ransomware Wiping NAS and Tape Backup Devices

The Finnish National Cybersecurity Center recently issued an advisory warning of an uptick in Akira ransomware activity. In the latest set of attacks, Akira actors are going after network-attached storage (NAS) devices as well as tape devices and wiping the backups saved on them, making it difficult for victims to recover files. As a result, the agency recommends that organizations switch to offline backups and distribute backups across various locations to prevent unauthorized access.

Security Officer Comments:
Like any other ransomware gang, Akira actors are known for exploiting known vulnerabilities to gain initial access to victim environments. One of the latest vulnerabilities abused by Akira actors is an improper separation of authentication bug (CVE-2023-20269) in the remote access VPN feature of Cisco Adaptive Appliance Software and Cisco Firepower Threat Defense (FTD) Software. The actors are abusing the flaw to carry out brute-force attacks and identify credentials that could be used to gain unauthorized access to a VPN session where multi-factor authentication is not enabled. After initial access, the actors go after backups and critical servers, steal usernames and passwords from Windows servers, and encrypt files and the disks of virtual machines.

Suggested Corrections:
Organizations should actively patch systems against known vulnerabilities like CVE-2023-20269 when updates become available, enable multi-factor authentication, and create multiple backups of mission-critical data.