Operators of Akira, a relatively new entrant to the ransomware scene, have been targeting businesses using Cisco’s VPN products.
By logging into compromised accounts, Akira’s members were able to breach corporate endpoints, steal sensitive data, and ultimately deploy ransomware.
This is according to research made by multiple cybersecurity firms, although what these firms can’t know for sure, is how Akira obtained the login credentials for the VPN service.
Brute-forcing their way in?
Sophos, for example first spotted Akira in May 2023, saying the group accessed target networks through “VPN access using Single Factor authentication.” Another incident responder, going by the alias Aura, noted that Akira managed to compromise these accounts because they weren’t protected with multi-factor authentication (MFA).
Because Cisco ASA doesn’t have any logging features, the researchers can’t know for sure. Some speculate Akira might have brute-forced its way into these accounts, too, while others are of the opinion that the access was bought from a third party on a dark web forum. Researchers from SentinelOne, however, think a zero-day might be at play here, as well. Apparently, the researchers believe the flaw affects accounts without MFA set up.
Cisco’s VPN offerings are among the most popular ones among business users, with numerous organizations using them to securely transmit data between users and networks. By some, the tools are considered a must for remote and hybrid workers.
It is also worth mentioning that cybersecurity experts from Avast published a decryptor for Akira in late June this year, which can be downloaded for free. However, Akira has since responded and updated its encryptor. Thus, the decryption will only work on older varians and businesses should not be overly confident they can salvage their sensitive data in case of an attack.