Camera off: Akira Deploys Ransomware via Webcam

Summary:
Security firm S-RM recently uncovered details of an Akira ransomware intrusion in which the group identified and compromised an unsecured webcam on the targeted network and then deployed ransomware (T1486: Data Encrypted for Impact) from it without triggering the Endpoint Detection and Response (EDR) solution in place. According to S-RM, the attack initially followed Akira's standard modus operandi: the group first gained access to the victim’s network through an externally exposed remote access solution (T1133: External Remote Services). Once an initial foothold was obtained, they deployed AnyDesk.exe, a remote management and monitoring tool (T1219: Remote Access Software), to maintain persistent access while exfiltrating sensitive data (TA0010: Exfiltration).

As the attack progressed, the threat actor transitioned to using Remote Desktop Protocol (RDP) to move to another server on the victim's network. Note: Akira frequently employs RDP in its attacks, as it allows the group to operate discreetly by blending in with legitimate system administrators who also use RDP for remote access (T1021.001: Remote Services: Remote Desktop Protocol). The attacker then attempted to deploy ransomware on a Windows server by downloading a password-protected zip file (‘win.zip’) (T1027: Obfuscated Files or Information) containing the ransomware binary (‘win.exe’). However, the victim's EDR tool quickly detected and quarantined the zip file before it could be extracted and executed. Realizing their cover had been blown and that the EDR tool would block future attempts, the attacker shifted tactics. Prior to the ransomware deployment, they had conducted a network scan to identify open ports, services, and connected devices (T1046: Network Service Discovery). This scan revealed several Internet of Things (IoT) devices on the victim’s network, including webcams and a fingerprint scanner. Recognizing an opportunity to evade detection, the attacker used these IoT devices to bypass the EDR tool and successfully deploy the ransomware via Server Message Block (SMB) (T1021.002: Remote Services: SMB/Windows Admin Shares), continuing the attack while avoiding further scrutiny.

Security Officer Comments:
Since its inception in 2023, Akira has compromised dozens of organizations across the globe in sectors such as finance, manufacturing, real estate, healthcare, and more. Akira operates under a ransomware-as-a-service model in which it recruits affiliates to gain initial access to victim environments and deploy the ransomware on its behalf. In return, affiliates receive a portion of the ransom paid by victims. This model has worked well for Akira, allowing it to compromise victims swiftly and with little effort. This year alone, the IT-ISAC has attributed 116 attacks to Akira, which represents approximately 10.1% of all ransomware incidents observed, underscoring the gang's significant presence within the ransomware landscape.

The latest development highlights a growing trend among ransomware actors, such as Akira, who are increasingly exploiting IoT devices to gain initial access to victim environments and deploy their encryptors. In the campaign observed by S-RM, the targeted webcam was affected by several critical issues, including remote shell capabilities and unauthorized camera viewing, which had been left unaddressed and allowed Akira actors to exploit them. Additionally, the camera was running a lightweight Linux operating system that permitted command execution much like a standard Linux host. Given that Akira maintains several ransomware variants, researchers note that this webcam was an ideal target for the group's Linux ransomware variant.

Suggested Corrections:
(S-RM) Preventing and remediating novel attacks like this one can be challenging. At a minimum, organizations should monitor network traffic from their IoT devices and detect anomalies. They should also consider adopting the following security practices:
  • Network restriction or segmentation: Place IoT devices on a segmented network that cannot be accessed from servers or user workstations, or restrict the devices’ communication to specific ports and IP addresses.
  • Internal network audit: Regularly audit devices connected to the internal network, which may help to identify security weaknesses or rogue devices introduced by a threat actor.
  • Patch and device management: Keep devices, including IoT devices, regularly patched with the most recent update. Ensure default passwords of IoT devices are changed to unique and complex ones.
  • Turn devices off: Keep IoT devices switched off when they are not in use.
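The monitoring recommendation above can be turned into a concrete rule: a webcam or fingerprint scanner should never be the side that initiates SMB or RDP connections, let alone into the server segment. The following is an added example (not part of the S-RM report or the IT-ISAC advisory) that applies that rule to constructed Zeek-style connection records; the address ranges, port list and log lines are assumptions chosen for illustration.

```python
import ipaddress

# Assumed address plan, constructed for this example: IoT devices (webcams,
# fingerprint scanner) sit in 10.20.0.0/24, servers in 10.10.0.0/24.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
SERVER_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
# Services a camera has no legitimate reason to initiate connections to.
ADMIN_PORTS = {445: "SMB", 139: "NetBIOS-SSN", 135: "MS-RPC", 3389: "RDP"}
# Constructed flow records in a Zeek conn.log-like tab-separated layout:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes
SAMPLE_CONN_LOG = """\
1710000001.1\t10.20.0.15\t51234\t10.10.0.5\t445\ttcp\t1832000
1710000002.3\t10.20.0.15\t51235\t10.10.0.6\t445\ttcp\t20500
1710000003.0\t10.20.0.15\t51300\t203.0.113.9\t443\ttcp\t900
1710000004.8\t10.20.0.22\t40000\t10.10.0.7\t3389\ttcp\t1200
1710000005.2\t10.10.0.5\t50001\t10.20.0.15\t554\ttcp\t300
1710000006.4\t10.10.0.8\t50002\t10.10.0.5\t445\ttcp\t4000
"""

def parse_conn_log(text):
    """Parse tab-separated flows; blank, comment and malformed lines are skipped."""
    fields = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "orig_bytes")
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # one bad record must not stall the detector
        rec = dict(zip(fields, parts))
        rec["orig_h"] = ipaddress.ip_address(rec["orig_h"])
        rec["resp_h"] = ipaddress.ip_address(rec["resp_h"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records

def flag_iot_lateral_movement(records):
    """Return (orig_h, resp_h, resp_p, reason) for IoT-initiated admin/server flows."""
    alerts = []
    for r in records:
        if r["orig_h"] not in IOT_SEGMENT:
            continue  # only traffic *originating* from IoT devices is of interest
        if r["resp_p"] in ADMIN_PORTS:
            reason = f"IoT host initiated {ADMIN_PORTS[r['resp_p']]}"
        elif r["resp_h"] in SERVER_SEGMENT:
            reason = "IoT host initiated connection into server segment"
        else:
            continue  # e.g. camera phoning home on 443: not this rule's concern
        alerts.append((str(r["orig_h"]), str(r["resp_h"]), r["resp_p"], reason))
    return alerts
```

Of the six sample flows, the three initiated by IoT hosts toward SMB or RDP are flagged, while the server-to-camera RTSP session and the server-to-server SMB session are left alone, which is the directional distinction a segmentation policy should also enforce.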

IOCs can be accessed here.

Link(s):
https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam