Emerging evidence indicates that the Akira ransomware operation is targeting Cisco VPN (virtual private network) products as its primary way into corporate networks, where it exfiltrates and then encrypts valuable data.
The Akira ransomware operation began in March 2023, and the group behind it soon added a Linux encryptor aimed at VMware ESXi virtual machines.
Cisco's VPN solutions are widely deployed across many sectors, providing secure, encrypted connections between users and their corporate infrastructure, most often for employees working remotely.
Sources suggest that Akira has used compromised Cisco VPN credentials to gain access to corporate environments. Because valid VPN credentials already provide remote access, the attackers do not need to deploy additional backdoors or persistence mechanisms that could expose them.
Akira’s Cisco VPN exploits
Sophos first reported Akira's abuse of VPN accounts in May, when its researchers found that the group had breached a network through "VPN access using Single Factor authentication."
An incident responder known as 'Aura' subsequently disclosed on social media that they had responded to numerous Akira breaches, all carried out using Cisco VPN credentials that were not protected by multi-factor authentication.
Speaking to BleepingComputer, Aura said that because of inadequate logging in Cisco ASA, it remained unclear whether Akira had brute-forced the VPN account credentials or bought them on dark web markets.
BleepingComputer also reviewed a private SentinelOne report on the same attack method. It raised the possibility that Akira is exploiting an unknown vulnerability in Cisco VPN software that allows authentication to be bypassed, particularly where multi-factor authentication is absent.
SentinelOne observed evidence of Akira interacting with Cisco VPN gateways in data leaked on the group's extortion page. Further analysis found Cisco VPN-related artifacts in at least eight cases, suggesting that this method is a consistent part of the group's strategy.
Remote RustDesk Utilization
SentinelOne researchers also observed Akira using the open-source remote access tool RustDesk to move through compromised networks, making Akira the first ransomware group known to abuse this software.
Because RustDesk is a legitimate tool, its presence is often overlooked, giving the attackers stealthy remote access to compromised systems.
RustDesk offers the attackers several advantages:
- Cross-platform support for Windows, macOS, and Linux, covering Akira's full range of targets.
- Peer-to-peer encrypted communications, reducing the chance of detection by network monitoring tools.
- Built-in file transfer, simplifying Akira's data exfiltration.
SentinelOne has also recently observed Akira interacting with and manipulating SQL databases, disabling firewalls, enabling RDP, disabling LSA Protection, and neutralizing Windows Defender.
Such overt changes are made once the attackers have consolidated their foothold and are preparing for the final stage of the attack.
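As an added defensive example that is not part of the original article, the following PowerShell audit checks a Windows host for the configuration changes described above (LSA Protection, Remote Desktop, Windows Defender, firewall profiles). It relies only on built-in cmdlets and standard registry locations and should be run from an elevated prompt.

```powershell
# Added example (not from the article): report hardening regressions that match
# the post-compromise changes attributed to Akira. Findings are reported, not fixed.
$findings = @()

# LSA Protection: RunAsPPL = 1 (or 2 with UEFI lock) means enabled; missing or 0 means disabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if (-not $lsa.RunAsPPL) {
    $findings += 'LSA Protection (RunAsPPL) is not enabled'
}

# Remote Desktop: fDenyTSConnections = 0 means RDP connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

# Windows Defender: engine, real-time protection and tamper protection state.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.AntivirusEnabled)         { $findings += 'Defender antivirus engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }
    if (-not $mp.IsTamperProtected)        { $findings += 'Defender tamper protection is off' }
}

# Windows Firewall: each profile (Domain, Private, Public) should be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# Defender operational log: event ID 5001 records real-time protection being turned off.
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Defender real-time protection was disabled at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No hardening regressions found'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any finding here is a starting point for investigation alongside VPN authentication logs, since these changes are made late in the intrusion, after access has already been established.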
In late June 2023, Avast released a free decryptor for Akira ransomware. However, the attackers have since updated their encryptors, so Avast's tool works only on earlier versions.