Evidence is mounting that the Akira ransomware group has been strategically targeting Cisco VPN products to infiltrate corporate networks, leading to data theft and eventual encryption. This relatively new ransomware operation, launched in March 2023, has recently expanded its tactics by introducing a Linux encryptor to target VMware ESXi virtual machines. The widespread adoption of Cisco VPN solutions in various industries, especially for remote work scenarios, makes them an attractive entry point for cybercriminals.
Akira ransomware’s exploitation of compromised Cisco VPN accounts enables it to breach corporate networks without the need for additional backdoors or persistence mechanisms. Sophos initially reported on this strategy in May, highlighting the group’s use of “VPN access using Single Factor authentication.”
However, further investigation by an incident responder known as ‘Aura’ revealed the use of Cisco VPN accounts lacking multi-factor authentication. The methods employed by Akira to acquire these VPN credentials, such as brute-forcing or purchasing from dark web markets, remain uncertain.
SentinelOne’s analysis suggests that Akira may be capitalizing on an unidentified vulnerability in Cisco VPN software, potentially bypassing authentication without multi-factor protection. Additionally, the group has employed the RustDesk open-source remote access tool to navigate compromised networks, making them the first ransomware group to misuse this legitimate software.
RustDesk’s stealthy nature allows undetected remote access, with cross-platform operation and encrypted peer-to-peer connections that facilitate data exfiltration. The researchers also discovered other tactics used by Akira, including SQL database manipulation and disabling security features.
While Avast released a decryptor for Akira ransomware in June 2023, the threat actors have since patched their encryptors, limiting the tool’s effectiveness to older versions. These findings underline the evolving and sophisticated nature of ransomware attacks, highlighting the importance of strong cybersecurity measures, especially regarding VPN security, to protect organizations from such threats.
