Akira ransomware group encrypts network through webcams

April 14, 2025
Akira Ransomware Webcams Brute Force Attack

In a newly documented Akira ransomware operation, the group used an unsecured webcam to encrypt files across a victim's network.

The technique let the attackers sidestep the victim's Endpoint Detection and Response (EDR) software, which had blocked the encryptor on the Windows hosts. The researchers who identified this novel attack found it during a recent incident response engagement.

The group reportedly switched to the webcam only after its attempts to run the encryptor on Windows machines were blocked by the victim's EDR solution.


Akira ransomware operators may also have used brute-forcing to gain initial access for the new campaign.


According to the investigation, the Akira group initially gained access to the corporate network through an exposed remote access solution at the target organisation, most likely by brute-forcing credentials or by using previously stolen ones.

Once inside, they used AnyDesk, a legitimate remote access tool, to exfiltrate the company's data for the double-extortion scheme. Akira then used Remote Desktop Protocol (RDP) to move laterally and establish persistence on as many systems as possible before deploying the ransomware payload.

Eventually the threat actors dropped a password-protected ZIP file containing the ransomware payload, but the victim's EDR software detected and quarantined it, stopping the attack at that stage.

After this failure, Akira looked for other attack vectors, scanning the network for devices that could be used to encrypt the data, and found a webcam and a fingerprint scanner. The researchers believe the attackers chose the webcam because it was vulnerable to remote shell access and unauthorised video feed monitoring.

The webcam also ran a Linux-based operating system compatible with Akira's Linux encryptor, and it had no EDR agent, making it an ideal device from which to remotely encrypt files on the company's network shares.

Patches for the webcam's vulnerabilities are available, so this vector, at least, could have been closed. The case shows that EDR is not a complete defence, and companies should not rely on it alone.

Although IoT devices are not monitored or maintained as closely as computers, they still pose a substantial risk. They should be segmented away from more critical parts of the network, such as production servers and workstations, so that a compromised appliance cannot reach file shares in the first place.
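As an added example (not code from the article or from the responders who investigated the incident), the following script shows the kind of network-side check that complements EDR in exactly the gap this case exposed: it scans constructed Zeek-style connection records for SMB sessions initiated by devices that an asset inventory marks as IoT or as lacking an EDR agent, and sums bytes sent per source so an encryptor rewriting a share stands out from a device merely browsing one. The inventory, subnets, log excerpt and the assumption that the shares are reached over SMB (TCP 139/445) are all constructed for the example, not facts from the page.

```python
"""Flag SMB sessions initiated by devices that carry no EDR agent.

Added example: not code from the article or from the responders who
handled the case. It assumes Zeek-style conn.log fields
(ts, id.orig_h, id.resp_h, id.resp_p, service, orig_bytes) and a
hand-maintained asset inventory; the inventory, the log excerpt and the
SMB port list are all constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: subnet -> (device class, has EDR agent).
# The IoT subnet is where cameras, fingerprint readers and similar
# Linux appliances live; none of them can run an EDR agent.
INVENTORY = {
    "10.0.10.0/24": ("workstation", True),
    "10.0.20.0/24": ("server", True),
    "10.0.90.0/24": ("iot", False),
}

# Windows file sharing (SMB over NetBIOS and direct SMB). Assumption.
SMB_PORTS = {139, 445}

# Constructed conn.log excerpt, tab-separated. Host 10.0.90.42 is a camera
# pushing hundreds of megabytes at two file servers, which is what an
# encryptor rewriting share contents looks like from the network.
SAMPLE_LOG = """\
1744614001.10\t10.0.10.15\t10.0.20.5\t445\tsmb\t20480
1744614002.30\t10.0.90.42\t10.0.20.5\t445\tsmb\t734003200
1744614003.50\t10.0.90.42\t10.0.20.6\t445\tsmb\t512000000
1744614004.70\t10.0.90.42\t10.0.20.1\t53\tdns\t120
1744614005.90\t10.0.90.43\t10.0.20.5\t80\thttp\t600
"""


def classify(ip):
    """Return (device class, edr_present) for an IP, or ("unknown", False)."""
    addr = ipaddress.ip_address(ip)
    for cidr, (cls, edr) in INVENTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return cls, edr
    return "unknown", False


def parse_conn_log(text):
    """Parse the six-column TSV excerpt into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, service, orig_bytes = line.split("\t")
        rows.append({
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "resp_p": int(resp_p),
            "service": service,
            "orig_bytes": int(orig_bytes),
        })
    return rows


def find_unmanaged_smb_clients(rows, bulk_threshold=100 * 1024 * 1024):
    """Return alerts for SMB clients that are not EDR-covered endpoints.

    A source host is flagged when it opens an SMB session and is either an
    IoT/unknown device or an endpoint with no EDR agent. Bytes sent are
    summed per source so that bulk writes (an encryptor rewriting files)
    stand out from a device merely browsing a share.
    """
    sent = defaultdict(int)
    targets = defaultdict(set)
    for r in rows:
        if r["resp_p"] not in SMB_PORTS:
            continue
        cls, edr = classify(r["orig_h"])
        if cls in ("workstation", "server") and edr:
            continue  # managed endpoint; EDR is the control there
        sent[r["orig_h"]] += r["orig_bytes"]
        targets[r["orig_h"]].add(r["resp_h"])

    alerts = {}
    for host, total in sent.items():
        alerts[host] = {
            "class": classify(host)[0],
            "bytes_sent": total,
            "targets": sorted(targets[host]),
            "bulk_write": total >= bulk_threshold,
        }
    return alerts


if __name__ == "__main__":
    for host, info in find_unmanaged_smb_clients(parse_conn_log(SAMPLE_LOG)).items():
        print(host, info)
```

On the sample data only the camera at 10.0.90.42 is reported: the workstation's SMB traffic is skipped because it is EDR-covered, the camera's DNS lookup is not SMB, and the second IoT host only speaks HTTP. In practice the inventory would come from the asset database or a VLAN map rather than a literal, and the byte threshold would be tuned to what the cameras normally send; the point is that an appliance which should never talk SMB to a file server at all, let alone write hundreds of megabytes, is visible on the wire even when it cannot run an EDR agent.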
