Akira Ransomware Gang Exploits Unsecured Webcam to Bypass EDR

The Akira ransomware gang has used a novel attack technique: an unsecured webcam served as the launch point for encryption on a targeted network, bypassing the Endpoint Detection and Response (EDR) tools protecting the victim's hosts. Cybersecurity researchers from the S-RM team identified the technique, which highlights the importance of monitoring IoT devices and adopting comprehensive security strategies.

The Akira ransomware was initially blocked by the EDR installed on the victim's systems and quarantined, preventing its deployment across the network. However, the attackers had gained access to the network via a remote access tool, using AnyDesk for persistence and for exfiltrating data. The attacker then moved to a server and attempted to deploy the ransomware as a password-protected zip file, but the EDR tool blocked it.

Realizing that EDR was active, the attackers pivoted by scanning the network for vulnerable devices, including unsecured IoT devices such as webcams and fingerprint scanners. They exploited a webcam affected by critical vulnerabilities, which gave them remote shell access on a device with no EDR protection, to bypass security defenses and deploy the ransomware.

The IoT device, running a lightweight Linux OS, was an ideal target for Akira's Linux ransomware variant, which was deployed with little delay after the webcam was identified as a suitable target. Because the device was not monitored, the attacker deployed the ransomware unnoticed by the victim's security team, who did not detect the suspicious SMB traffic from the webcam to the server.

"After identifying the webcam as a suitable target, the threat actor began deploying their Linux-based ransomware with little delay," reads the report published by S-RM team. "As the device was not being monitored, the victim organization's security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them."

The Akira ransomware attack reveals the risks of overlooked IoT devices, evolving cyber threats, and the limitations of EDR. Weak links like unpatched IoT devices can be exploited, and the threat is evolving, as seen with Akira's shift from Rust to C++ for broader attacks. Despite the importance of EDR, gaps in coverage or misconfigurations allow attackers to bypass defenses, which emphasizes the need for comprehensive security strategies.

"Preventing and remediating novel attacks like this one can be challenging," concludes the report. "At a minimum, organizations should monitor network traffic from their IoT devices and detect anomalies." To mitigate such risks, organizations are advised to adopt the following security practices:

  • Turn devices off: Keep IoT devices switched off when they are not in use.

The Akira ransomware has been active since March 2023, and the threat actors claim to have already hacked multiple organizations across various industries, including education, finance, and real estate. The group has also developed a Linux encryptor to target VMware ESXi servers.

Stay Safe Online

If you're concerned about your organization's cybersecurity or want to learn more about protecting yourself from evolving threats like Akira ransomware, follow us on Twitter (@securityaffairs), Facebook, and Mastodon for the latest news and updates.