- S-RM outlines how a company was targeted by Akira ransomware gang
- It was protected by an EDR solution, but had an unprotected webcam
- The webcam allowed Akira to deploy a Linux-based encryptor
Criminals from the Akira ransomware group have been found using an unsecured webcam to launch their attack and encrypt their target’s entire network.
This is according to cybersecurity researchers S-RM, who found the threat actors first accessed their target’s remote access solution, either by brute-forcing the login credentials, or buying them off the black market. From there, they installed AnyDesk to pivot to other devices on the network, establish persistence, and steal sensitive data.
Then, they tried to deploy the encryptor for Windows, but were stopped by the company’s Endpoint Detection and Response (EDR) mechanism. After hitting this roadblock, Akira looked for other devices, outside EDR’s watchful eye, and found a live webcam vulnerable to remote shell access.
Avoidable incident
The webcam ran on a different operating system based on Linux, allowing Akira to use its Linux encryptor. Speaking to BleepingComputer, S-RM said Akira used the webcam to mount Windows Server Message Block (SMB) network shares of the company’s other devices. Then, they encrypted the network shares over SMB, successfully working around EDR.
“As the device was not being monitored, the victim organization’s security team were unaware of the increase in malicious Server Message Block traffic from the webcam to the impacted server, which otherwise may have alerted them,” S-RM said.
To make matters worse, S-RM confirmed that a fix for the webcam was available, meaning the entire attack could have been avoided with timely patching.
Other details were not disclosed, so we don’t know who the victims were, or what type of files Akira stole in this attack. We also don’t know if the company paid any ransom demands, or if the stolen files made it to the dark web.
Next to the infamous LockBit, Akira remains one of the bigger ransomware threats out there, so users should be on their guard.
Leave a comment