Akira Ransomware Takes Aim at Cisco VPNs to Infiltrate Organizations

A recent surge in evidence indicates that Akira, a relatively new strain of ransomware, is leveraging vulnerabilities in Cisco VPN products. This attack method provides a pathway for cybercriminals to infiltrate corporate networks and steal valuable data, ultimately encrypting it.

Akira Ransomware’s Introduction and Development

Launched in March 2023, Akira ransomware came onto the cybercrime scene. Not long after, the criminal group behind it added a Linux encryptor. This enhancement allowed them to target VMware ESXi virtual machines, expanding their reach.

Cisco VPN solutions are prevalent in numerous sectors. They facilitate secure, encrypted data communication between users and corporate systems. Remote employees frequently rely on these networks.

Akira has reportedly exploited compromised Cisco VPN accounts to enter corporate networks. This strategy does not require dropping additional backdoors or setting up persistent mechanisms that might reveal their presence.

Cisco VPNs Under Attack by Akira

Sophos initially discovered Akira’s misuse of VPN accounts in May. They found that the ransomware team broke into a network through “VPN access using Single Factor authentication.”

An incident responder named ‘Aura’ divulged more details on Twitter. Aura discussed their response to several Akira-related incidents, all of which involved Cisco VPN accounts lacking multi-factor authentication.

Aura told BleepingComputer that due to insufficient logging in Cisco ASA, the method used by Akira to gain VPN account credentials remains ambiguous. It’s unknown if the criminals brute-forced the credentials or acquired them on the dark web.

SentinelOne, in a private report, shared the possibility of Akira exploiting an unidentified weakness in Cisco VPN software. This flaw might enable them to bypass authentication if MFA is not present.

SentinelOne also detected Akira’s use of Cisco VPN gateways in leaked information. The security firm found evidence of this in at least eight instances, suggesting that it is part of Akira’s continuous attack plan.

Akira’s Utilization of Remote RustDesk Access

Besides exploiting VPNs, Akira has been seen using RustDesk, an open-source remote access tool. Akira’s use of RustDesk makes them the first known ransomware group to exploit this software.

RustDesk’s legal status means it’s less likely to cause alarm. Thus, it provides Akira with a discreet remote access to compromised computers. The benefits of RustDesk include:

  • Cross-platform compatibility with Windows, macOS, and Linux, extending Akira’s reach.
  • Encrypted P2P connections, reducing the risk of detection by network monitoring tools.
  • File transfer support, enabling easier data extraction and enhancing Akira’s capabilities.

Akira’s Recent Tactics and Ongoing Threat

SentinelOne has observed other methods used by Akira, including SQL database manipulation, firewall disabling, and LSA Protection deactivation. These actions typically occur after the attackers have established themselves and are preparing for their final assault phase.

In late June 2023, Avast released a free decryptor for Akira ransomware. Sadly, the threat actors have since updated their encryptors, rendering Avast’s tool ineffective against the latest versions.