Akira Ransomware Continues to Evolve

Summary:
A new blog post by Cisco Talos sheds light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023, Akira typically employed a double-extortion tactic in which victim data was exfiltrated before encryption. However, in early 2024, Cisco Talos states that the group started focusing solely on data exfiltration, likely to buy time to retool its encryptor. Notably, around the same time, Akira operators were observed developing a Rust variant of their ESXi encryptor and moving away from C++ to experiment with different programming languages. More recently, however, the group has shifted back to its previous encryption methods, now using Windows and Linux encryptors written in C++.

"The newly observed Windows variant has been updated and appears to substitute the previously seen -remote argument for -localonly and --exclude and excludes paths, including "$Recycle.Bin" and "System Volume Information", in the encryption process. Within the Linux variant, the --fork argument, which creates a child process for encryption, is still included along with the --exclude argument. Analysis of the recent binaries suggests that the threat actor has pivoted to utilizing the ChaCha8 stream cipher. The ChaCha8 algorithm is faster and more efficient than the previously leveraged ChaCha20," note researchers.

Akira operators have also reverted to their usual extortion model, threatening to release exfiltrated data on the group's data leak site if the ransom is not paid to decrypt locked files.

Security Officer Comments:
While Akira continues to refine its encryptor and extortion tactics, the group has also been observed using compromised VPN credentials and actively researching/exploiting vulnerabilities to gain initial access to organizational networks. Notable vulnerabilities exploited by Akira affiliates include:

  • CVE-2024-40766: An improper access control vulnerability in SonicWall SonicOS management access that could lead to unauthorized resource access and, in specific conditions, cause the firewall to crash.
  • CVE-2020-3259: An information disclosure vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
  • CVE-2023-20263: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform that could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.
  • CVE-2023-48788: An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS that allows an attacker to execute unauthorized code or commands via specially crafted packets.

Akira affiliates have also leveraged vulnerabilities impacting Cisco VPN services (CVE-2023-20269), VMware ESXi (CVE-2024-37085), and Veeam Backup & Replication (CVE-2024-40711) to establish persistence and move laterally after gaining an initial foothold.

Suggested Corrections:
Conduct regular vulnerability assessments and apply security patches in a timely manner to identify outdated software versions and unpatched vulnerabilities on ESXi hosts, and implement a formal, threat-informed patch management policy that includes a defined prioritization and schedule for routine updates and emergency patching of critical vulnerabilities.

Implement strict password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security.

Deploy a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities.

Enable secure configuration and access controls to limit access to ESXi management interfaces, for example by restricting them to trusted IPs, enforcing MFA, and ensuring role-based access control (RBAC) is properly configured.

Restrict or disable WMI access for non-administrative users, and monitor/audit WMI commands, particularly those related to shadow copy deletion.
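One way to act on the WMI monitoring item above, as an added example that is not from the Talos post or this advisory: a small Python detector that scans constructed process-creation events for shadow-copy deletion via WMI, vssadmin or PowerShell and rates a hit from any account outside an assumed WMI-administrator allowlist as critical.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# key=value pairs for this example); not taken from the Talos post.
SAMPLE_LOG = r"""
2024-09-12T10:15:02Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
2024-09-12T10:15:03Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2024-09-12T10:16:40Z host=FS02 user=CORP\svc-backup image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy list brief"
2024-09-12T10:17:01Z host=FS02 user=CORP\backupadm image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"
"""

# Rules for shadow-copy deletion (ATT&CK T1490, Inhibit System Recovery),
# matched against the command line of each process-creation event.
RULES = [
    ("wmic_shadowcopy_delete", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmi_win32_shadowcopy_remove", re.compile(r"Win32_ShadowCopy.*\bRemove-(WmiObject|CimInstance)\b", re.I)),
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event into a dict; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def detect_shadow_copy_deletion(log: str, wmi_admins: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """One finding per event whose command line matches a rule. wmi_admins is the
    assumed allowlist of accounts permitted to run WMI shadow-copy maintenance;
    a hit from any other account is rated critical instead of high."""
    findings = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        cmd = ev.get("cmdline", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                severity = "high" if ev.get("user") in wmi_admins else "critical"
                findings.append({"ts": ev["ts"], "host": ev.get("host", ""), "user": ev.get("user", ""),
                                 "rule": rule, "severity": severity, "cmdline": cmd})
                break  # one finding per event
    return findings

if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_LOG, frozenset({r"CORP\backupadm"})):
        print(f"{f['severity'].upper():8} {f['ts']} {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
```

The "list brief" enumeration on FS02 is deliberately left unmatched so that routine backup tooling does not page the on-call; tighten or loosen the rules to fit the baseline of your own environment.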

Prevent credential dumping by implementing Windows Defender Credential Guard, which protects Kerberos ticket data and blocks credential dumping from the Local Security Authority (LSA); audit and apply the necessary configuration changes to applications/plug-ins that are not compatible because they rely on direct access to user credentials.

Link(s):
https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/