Thursday September 19, 2024

Advisory ID: NCC-CSIRT-240823-032

Summary: Sophos researchers have reported the Akira ransomware group gaining access to victims through Cisco virtual private network (VPN) products, exploiting what appears to be an undisclosed vulnerability in the VPN software. The flaw is believed to allow authentication to be bypassed where multi-factor authentication (MFA) is not in place. Once inside, the operators behind Akira move through the corporate network, exfiltrate data and then encrypt it.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): Windows and Linux Systems

Platform(s):  Cisco Virtual Private Networks

Version(s): All Versions 

Description: The researchers noted a prevalent trend in Akira intrusions: initial access is usually gained with compromised credentials, which can be bought on dark web markets. Akira frequently reaches targeted Windows and Linux systems through Cisco VPN services, particularly where users have not enabled multi-factor authentication. Once running on a system, the malware deletes backup folders (and Volume Shadow Copies on Windows) that could otherwise be used for recovery, then encrypts files with specific extensions and appends the ".akira" extension to each of them.

Cisco VPN solutions are widely deployed across sectors to provide secure, encrypted connections between users and corporate networks, especially for remote employees. According to the researchers, Akira operates under the ransomware-as-a-service (RaaS) model and is a rapidly growing threat that relies on compromised credentials to breach systems; a significant number of Akira victims had no multi-factor authentication (MFA) on their VPNs. The actors behind Akira also distribute the ransomware through malicious email attachments, malicious advertisements and pirated software, and exploitation of unpatched vulnerabilities in VPN endpoints is another avenue by which the threat spreads.
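The credential-abuse entry point described above leaves a recognisable trace on the VPN concentrator itself: a burst of rejected logins from one source address, followed by a successful session from that same address. The following detector is an added example written for this advisory, not code from NCC-CSIRT, Sophos or Cisco. It parses Cisco ASA syslog in the format of message IDs 113005 (AAA authentication rejected) and 113039 (AnyConnect parent session started); the sample log lines are constructed, and the thresholds and time window are assumptions to be tuned against your own baseline.

```python
"""Flag credential-abuse patterns in Cisco ASA remote-access VPN syslog.

Added example for this advisory; it is not NCC-CSIRT, Sophos or Cisco code.
The line formats follow ASA message IDs 113005 (AAA authentication rejected)
and 113039 (AnyConnect parent session started), but every sample line below
is constructed, and the thresholds are assumptions to tune to your baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries three accounts, fails, then logs in
# as jdoe and opens a session. 198.51.100.20 is a clean login for contrast.
SAMPLE_LOG = """\
Aug 23 2023 02:14:01 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Aug 23 2023 02:14:05 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.7
Aug 23 2023 02:14:09 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = finance : user IP = 203.0.113.7
Aug 23 2023 02:15:31 asa01 %ASA-6-113039: Group <REMOTE-VPN> User <jdoe> IP <203.0.113.7> AnyConnect parent session started.
Aug 23 2023 08:02:12 asa01 %ASA-6-113039: Group <REMOTE-VPN> User <bwong> IP <198.51.100.20> AnyConnect parent session started.
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d)"
REJECT_RE = re.compile(TS + r".*%ASA-\d-113005: .*: user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION_RE = re.compile(TS + r".*%ASA-\d-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")


def parse_ts(text):
    """Parse the ASA timestamp prefix (year included, as with 'logging timestamp')."""
    return datetime.strptime(" ".join(text.split()), "%b %d %Y %H:%M:%S")


def analyze(log_text, fail_threshold=3, spray_users=3, window=timedelta(minutes=15)):
    """Return alerts for (a) a session opened from an IP that accumulated
    fail_threshold or more rejections within `window` before the session, and
    (b) an IP rejected for spray_users or more distinct usernames."""
    failures = defaultdict(list)  # source IP -> [(time, username)]
    sessions = []                 # (time, ip, user, group)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = SESSION_RE.search(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["ip"], m["user"], m["group"]))

    alerts = []
    for when, ip, user, group in sessions:
        recent = [(t, u) for t, u in failures.get(ip, []) if when - window <= t <= when]
        if len(recent) >= fail_threshold:
            alerts.append({
                "type": "session-after-failures",
                "time": when.isoformat(), "ip": ip, "user": user, "group": group,
                "failures": len(recent), "users_tried": sorted({u for _, u in recent}),
            })
    for ip, fails in failures.items():
        users = sorted({u for _, u in fails})
        if len(users) >= spray_users:
            alerts.append({"type": "password-spray", "ip": ip, "users_tried": users})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises two alerts, both for 203.0.113.7: a session opened by jdoe after three rejections, and a spray across three usernames; the bwong login is left alone. Note that neither pattern proves the credentials were stolen, only that a password-based login succeeded after behaviour consistent with credential stuffing, which is exactly the case MFA on the VPN closes off.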

Consequences: Akira's operators engage in double extortion, exfiltrating victims' data before encrypting it and threatening to publish the data unless a ransom is paid.

Solution: 

  • Activate multi-factor authentication for your VPNs.
  • Regularly back up your data, and keep at least one copy offline or otherwise unreachable from the systems being protected.
  • Exercise caution with unexpected email attachments to prevent an Akira ransomware infection.
  • Consistently update and patch Cisco VPN devices.
  • Before interacting with ads, verify the authenticity of the site through its URL.
  • Avoid using pirated software and refrain from downloading unverified apps from Google Play.
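The first item in the list above is the one that most directly blocks the entry point described in this advisory, and it is also the one that is easiest to believe is done when it is not: a VPN concentrator often carries several tunnel-groups, and only some of them may have a second factor configured. The script below is an added example written for this advisory (not NCC-CSIRT, Sophos or Cisco code) that audits a Cisco ASA running-config for remote-access tunnel-groups that accept a single authentication factor. A config alone cannot reveal which aaa-server groups front an MFA service, so the caller supplies that set; SAML tunnel-groups are treated as delegated to the identity provider, which must enforce MFA itself. The sample config is constructed.

```python
"""Audit a Cisco ASA running-config for remote-access tunnel-groups that
accept a single authentication factor.

Added example for this advisory; it is not NCC-CSIRT, Sophos or Cisco code.
The config cannot tell you which aaa-server groups actually front an MFA
service (a RADIUS proxy for a push/OTP provider, say), so the caller supplies
that set. SAML tunnel-groups are treated as delegated to the identity
provider, which must then enforce MFA itself. The sample config is constructed.
"""
import re

SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.5
 key *****
 timeout 60
tunnel-group LEGACY-VPN type remote-access
tunnel-group LEGACY-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-POLICY
tunnel-group STAFF-VPN type remote-access
tunnel-group STAFF-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group (inside) AD-LDAP LOCAL
tunnel-group ADMIN-VPN type remote-access
tunnel-group ADMIN-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 secondary-authentication-server-group DUO-RADIUS
tunnel-group CONTRACTOR-VPN type remote-access
tunnel-group CONTRACTOR-VPN general-attributes
 authentication-server-group DUO-RADIUS
tunnel-group SSO-VPN type remote-access
tunnel-group SSO-VPN webvpn-attributes
 authentication saml
"""

TG_SECTION = re.compile(r"^tunnel-group (\S+) (general|webvpn)-attributes$")


def server_group(words):
    """Tag from '[secondary-]authentication-server-group [(iface)] TAG [LOCAL]';
    a trailing LOCAL is only the fallback used when the server is unreachable."""
    args = [w for w in words[1:] if not w.startswith("(")]
    if len(args) > 1 and args[-1] == "LOCAL":
        args = args[:-1]
    return args[0] if args else "LOCAL"


def parse_tunnel_groups(config_text):
    """Map tunnel-group name -> primary/secondary auth server group and SAML flag.
    With no authentication-server-group configured the ASA uses LOCAL."""
    groups = {}
    section = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # top-level command starts a new section
            m = TG_SECTION.match(line)
            section = (m.group(1), m.group(2)) if m else None
            if m:
                groups.setdefault(m.group(1), {"primary": "LOCAL", "secondary": None, "saml": False})
            continue
        if section is None:
            continue
        name, kind = section
        words = line.split()
        if kind == "general" and words[0] == "authentication-server-group":
            groups[name]["primary"] = server_group(words)
        elif kind == "general" and words[0] == "secondary-authentication-server-group":
            tag = server_group(words)
            groups[name]["secondary"] = None if tag == "none" else tag
        elif kind == "webvpn" and words[:2] == ["authentication", "saml"]:
            groups[name]["saml"] = True
    return groups


def audit(config_text, mfa_groups=frozenset()):
    """Return tunnel-group name -> status string ('ok: ...' or 'FAIL: ...')."""
    findings = {}
    for name, g in parse_tunnel_groups(config_text).items():
        if g["saml"]:
            status = "ok: SAML; MFA must be enforced by the identity provider"
        elif g["secondary"]:
            status = "ok: second factor via " + g["secondary"]
        elif g["primary"] in mfa_groups:
            status = "ok: primary authentication via MFA group " + g["primary"]
        elif g["primary"] == "LOCAL":
            status = "FAIL: local password only (default when no server group is set)"
        else:
            status = "FAIL: single factor via " + g["primary"]
        findings[name] = status
    return findings


def single_factor_groups(config_text, mfa_groups=frozenset()):
    """Names of tunnel-groups that a stolen password alone is enough to use."""
    return sorted(n for n, s in audit(config_text, mfa_groups).items() if s.startswith("FAIL"))


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG, {"DUO-RADIUS"}).items():
        print(f"{name:16s} {status}")
```

Run against the constructed config with DUO-RADIUS declared as the MFA group, the audit passes ADMIN-VPN (second factor), CONTRACTOR-VPN (MFA-backed primary) and SSO-VPN (SAML), and fails LEGACY-VPN, which silently defaults to local passwords, and STAFF-VPN, which authenticates against the directory alone. Those two are the tunnel-groups a buyer of leaked credentials would use.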

References:

https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/

https://www.redpacketsecurity.com/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://cyware.com/news/akira-ransomware-targets-cisco-vpns-to-breach-organizations-120e5b1c/

https://malwaretips.com/threads/akira-ransomware-targets-cisco-vpns-to-breach-organizations.125290/