
March 7, 2025

Say cheese! Akira compromises victim via unsecured webcam


The Akira ransomware gang was recently observed using a highly unusual attack vector to deploy ransomware against a victim. After conventional methods of compromising the victim's systems had failed, the threat actor scanned the network for other devices that could be used to run the encryptor.

They discovered an unsecured webcam that was vulnerable to remote shell access and used its Linux operating system to mount the Windows SMB network shares of the company's other devices. They then launched the Linux version of the Akira encryptor on the webcam and used it to encrypt files across the victim's network over the Server Message Block (SMB) protocol.


Because the victim's EDR solution was not monitoring the webcam, the security team was never alerted to the surge in malicious SMB traffic from the webcam to the impacted server. The encryption itself ran on the webcam, so from the Windows side the attack looked like file activity arriving over SMB from a device that no endpoint agent covered.

Source: Bleeping Computer

Analysis

This incident highlights a broader weakness of IoT devices: they often ship with weak default configurations, are rarely hardened, and are not typically monitored by standard EDR solutions. By compromising such devices, threat actors can establish a foothold inside the network that bypasses conventional endpoint defenses, which is why a security strategy has to cover every network-connected device, not just managed workstations and servers.

Moreover, Akira's adaptive tactics reflect a growing trend among ransomware groups to innovate in response to stronger security controls rather than abandon the intrusion. The use of legitimate remote access tools, such as AnyDesk, and the exploitation of unsecured IoT devices indicate a sophisticated understanding of network architectures and their weak points. This adaptability complicates detection and response and underscores the need for organizations to adopt a holistic security approach.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for ransomware-related threats. Field Effect MDR users are automatically notified if ransomware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

While defending against ransomware attacks may seem intimidating, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:

Backup your data

Regular backups of sensitive and important information help ensure business continuity during a ransomware attack. These backups should be stored offline or otherwise isolated from the operational network so that they cannot be reached and encrypted during an attack and can be used to restore devices afterwards.

Update and patch software

Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems. This includes the firmware of network-connected devices such as cameras, printers, and other IoT equipment, which is often forgotten in patch cycles. Keeping systems current is one of the most important steps you can take to improve your security.

Protect systems connected to the internet

Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.

Secure IoT Devices

It is imperative for organizations to ensure that IoT devices are secured and monitored alongside traditional endpoints. In practice that means placing IoT devices on their own network segment and blocking traffic from that segment to internal file servers (SMB in particular) unless there is a documented need for it, changing default credentials and disabling unneeded remote management interfaces, running regular vulnerability assessments against these devices, and, because most of them cannot run an EDR agent, watching their network traffic for behaviour they should never exhibit. A camera initiating SMB sessions to a file server, as in this incident, is exactly the kind of anomaly network-level monitoring should catch.
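The following is an added example of that network-level check, not Field Effect's code or anything from the incident. It assumes a Zeek-style connection log (timestamp, originator host and port, responder host and port, protocol, bytes sent by the originator) and an assumed IoT address range of 10.50.0.0/16; the log lines embedded below were constructed for the example and are not real data. It flags every SMB session (TCP 445 or 139) that an IoT-segment host initiates and summarizes the targets and volume per source, which is the signal the victim's team was missing.

```python
"""Flag SMB sessions initiated by hosts in an IoT network segment.

Added example, not Field Effect's code. The log format and the IoT
subnet are assumptions: the sample records imitate Zeek conn.log
fields (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
orig_bytes) and were constructed for this example, not captured.
"""
import ipaddress
from collections import defaultdict

# Assumed layout: cameras and other IoT gear on 10.50.0.0/16,
# Windows file servers on 10.10.1.0/24, user workstations on 10.10.5.0/24.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample log (tab-separated, Zeek-like). Not real traffic.
SAMPLE_LOG = """\
1741300000.1\t10.10.5.23\t51234\t10.10.1.5\t445\ttcp\t4096
1741300001.2\t10.50.7.31\t40001\t10.10.1.5\t445\ttcp\t92000000
1741300002.3\t10.50.7.31\t40002\t10.10.1.8\t445\ttcp\t71000000
1741300003.4\t10.50.7.31\t40003\t10.10.1.9\t139\ttcp\t500
1741300004.5\t10.50.7.40\t40010\t8.8.8.8\t53\tudp\t60
1741300005.6\t10.10.5.23\t51235\t10.10.1.5\t445\ttcp\t2048
"""


def parse_conn_line(line):
    """Parse one tab-separated conn record into a dict; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes = parts
    try:
        return {
            "ts": float(ts),
            "orig_h": ipaddress.ip_address(orig_h),
            "orig_p": int(orig_p),
            "resp_h": ipaddress.ip_address(resp_h),
            "resp_p": int(resp_p),
            "proto": proto,
            "orig_bytes": int(orig_bytes),
        }
    except ValueError:
        return None


def is_iot_host(addr):
    """True if the address falls inside any configured IoT segment."""
    return any(addr in net for net in IOT_SEGMENTS)


def find_iot_smb_sessions(log_text):
    """Return the records where an IoT-segment host initiates an SMB session."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        if (rec["proto"] == "tcp"
                and rec["resp_p"] in SMB_PORTS
                and is_iot_host(rec["orig_h"])):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Aggregate flagged sessions per IoT source: targets, bytes sent, count."""
    summary = defaultdict(lambda: {"targets": set(), "bytes": 0, "sessions": 0})
    for rec in hits:
        entry = summary[str(rec["orig_h"])]
        entry["targets"].add(str(rec["resp_h"]))
        entry["bytes"] += rec["orig_bytes"]
        entry["sessions"] += 1
    return dict(summary)


if __name__ == "__main__":
    # On the constructed sample this reports one source, 10.50.7.31,
    # with three SMB sessions to three internal servers.
    report = summarize_by_source(find_iot_smb_sessions(SAMPLE_LOG))
    for src, entry in report.items():
        print(f"ALERT {src}: {entry['sessions']} SMB session(s) to "
              f"{sorted(entry['targets'])}, {entry['bytes']} bytes sent")
```

The workstation sessions on the same port are deliberately ignored: the point is not that SMB is suspicious, but that SMB from a device class that has no business speaking it is. In a real deployment the segment list would come from the network inventory, and the bytes-sent figure is worth alerting on by itself, since a camera pushing tens of megabytes into a file share is consistent with files being rewritten in place.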

Develop a culture of cybersecurity

Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.

Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.

Use a cybersecurity solution

Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.
