- S-RM describes how a company was attacked by the Akira ransomware gang
- The company was protected by an EDR solution, but it had an unpatched webcam
- The webcam allowed Akira to deploy a Linux-based encryptor and bypass the EDR
Criminals from the Akira ransomware group have been found using an unsecured webcam to launch their attack and encrypt their target's entire network.
That is according to cybersecurity researchers at S-RM, who found that the threat actors first gained access to the target's remote access solution, either by brute-forcing the login credentials or by buying them on the black market. From there, they installed AnyDesk to pivot to other devices on the network, establish persistence and steal confidential data.
They then tried to deploy their Windows encryptor, but were stopped by the company's endpoint detection and response (EDR) solution. After hitting this obstacle, Akira looked for other devices outside the EDR's watchful eye and found a live webcam vulnerable to remote shell access.
Avoidable incident
The webcam ran a different, Linux-based operating system, which allowed Akira to use its Linux encryptor instead. Speaking with BleepingComputer, S-RM said Akira used the webcam to mount Windows Server Message Block (SMB) shares from the company's other devices. It then encrypted the network shares over SMB, successfully bypassing the EDR, which only saw the Windows endpoints and not the traffic arriving from the camera.
"As the device was not being monitored, the victim organisation's security team was unaware of the increase in malicious Server Message Block traffic from the webcam to the impacted server, which otherwise may have alerted them," said S-RM.
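The gap S-RM describes is a visibility gap rather than an EDR failure: an IoT device that no agent runs on, but that the network still lets talk SMB to file servers. One way to close it is a network-side rule that flags SMB sessions from hosts whose inventory role should never be an SMB client. The following is an added example written for this article, not code from S-RM, BleepingComputer or Akira's tooling; the asset inventory, flow records and field names are constructed for illustration and are not any vendor's schema.

```python
"""Flag SMB (TCP/445) sessions originating from hosts that should never be
SMB clients, such as IP cameras that sit outside EDR coverage.

Constructed example: the inventory, flow records and field names below are
made up for illustration and do not follow any particular product's schema.
"""
from collections import defaultdict

# Constructed asset inventory: IP -> (hostname, role, covered_by_edr)
ASSETS = {
    "10.0.1.10": ("ws-01", "workstation", True),
    "10.0.1.11": ("ws-02", "workstation", True),
    "10.0.2.5":  ("fs-01", "file-server", True),
    "10.0.9.40": ("cam-lobby", "iot-camera", False),
}

# Roles that are legitimately expected to open SMB sessions.
SMB_CLIENT_ROLES = {"workstation", "file-server"}

# Constructed flow records (think NetFlow or a Zeek conn.log summary):
# src, dst, destination port and bytes sent from src to dst.
FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.5",  "dport": 445, "bytes_out": 120_000},
    {"src": "10.0.1.11", "dst": "10.0.2.5",  "dport": 445, "bytes_out": 80_000},
    # Camera writing to the file server over SMB: the pattern in the incident.
    {"src": "10.0.9.40", "dst": "10.0.2.5",  "dport": 445, "bytes_out": 4_100_000},
    {"src": "10.0.9.40", "dst": "10.0.2.5",  "dport": 445, "bytes_out": 3_900_000},
    {"src": "10.0.9.40", "dst": "10.0.1.10", "dport": 445, "bytes_out": 2_500_000},
    # Camera streaming video over RTSP: benign, must not trigger the rule.
    {"src": "10.0.9.40", "dst": "10.0.3.1",  "dport": 554, "bytes_out": 10_000_000},
]


def smb_from_unexpected_hosts(flows, assets, allowed_roles=SMB_CLIENT_ROLES,
                              min_bytes=1_000_000):
    """Return one alert per source that talks SMB without being an allowed client role.

    Hosts missing from the inventory are treated as role "unknown" and flagged too:
    a device nobody inventoried is also a device no EDR agent was deployed to.
    min_bytes drops tiny scans so the rule reacts to bulk reads/writes, which is
    what an encryptor working over SMB produces.
    """
    per_src = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "targets": set()})
    for f in flows:
        if f["dport"] != 445:
            continue
        _, role, _ = assets.get(f["src"], ("<unknown>", "unknown", False))
        if role in allowed_roles:
            continue
        rec = per_src[f["src"]]
        rec["flows"] += 1
        rec["bytes_out"] += f["bytes_out"]
        rec["targets"].add(f["dst"])

    alerts = []
    for src, rec in per_src.items():
        if rec["bytes_out"] < min_bytes:
            continue
        name, role, covered = assets.get(src, ("<unknown>", "unknown", False))
        alerts.append({
            "src": src,
            "host": name,
            "role": role,
            "edr_covered": covered,
            "smb_flows": rec["flows"],
            "bytes_out": rec["bytes_out"],
            "targets": sorted(rec["targets"]),
            # An unmonitored device pushing data to several SMB targets is the
            # worst case; a covered host with one target is worth a look, not a page.
            "severity": "critical" if (not covered and len(rec["targets"]) > 1) else "high",
        })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for alert in smb_from_unexpected_hosts(FLOWS, ASSETS):
        print(alert)
```

The rule deliberately keys on inventory role rather than on the EDR's own telemetry, because the whole point of the incident is that the offending device never produced any. In practice the same logic is better expressed as a segmentation policy (IoT VLAN cannot reach TCP/445 at all) with this detection as the backstop for the devices that policy misses.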
To make matters worse, S-RM confirmed that a patch was available for the webcam, meaning the entire attack could have been avoided with timely patching.
No other details were disclosed, so we do not know who the victim was or what kind of files Akira stole in this attack. Nor do we know whether the company paid a ransom demand, or whether the stolen files ended up on the gang's dark web leak site.
Alongside the infamous LockBit, Akira remains one of the largest ransomware threats in operation, so users should stay on guard.