The Akira ransomware gang employed a highly unorthodox method to circumvent Endpoint Detection and Response (EDR) security measures. Initially, the threat actors gained access to the victim’s network via an exposed remote access solution, likely using stolen credentials or brute-forced passwords. Once inside the network, the attackers deployed AnyDesk, a legitimate remote access tool, to gain further access to sensitive data. This data was subsequently used for a double extortion attack, in which the attackers threatened to release the stolen information unless a ransom was paid. Moving laterally across the network using Remote Desktop Protocol (RDP), Akira expanded its presence across multiple systems within the company, eventually preparing to deploy ransomware onto the victim’s devices.
When Akira attempted to drop the ransomware payload in the form of a password-protected ZIP file, the victim’s EDR tool detected and quarantined the payload, successfully blocking the attack.
Undeterred, the attackers began to search for alternative devices that could be leveraged for encryption. During this search, they discovered a webcam and a fingerprint scanner within the network. The webcam, running a Linux-based operating system, was found to be particularly exposed: it ran no EDR software and was not being monitored by the victim’s security team. This made it an ideal device for the attackers to exploit and from which to mount network shares from other devices on the victim’s network.
Once the attackers gained access to the webcam, they used it to mount Windows SMB network shares from other devices on the network, enabling them to carry out the encryption process.
By using the webcam’s Linux operating system, which was compatible with Akira’s Linux encryptor, they were able to bypass the victim’s EDR system and encrypt files across the network. This encryption attack went unnoticed because the webcam, being an Internet of Things (IoT) device, was not subject to the same level of scrutiny as the victim’s primary network systems. The increase in malicious Server Message Block (SMB) traffic originating from the webcam went undetected, and the victim’s security team was unaware of the attack until it was too late.
S-RM, the cybersecurity firm investigating the incident, explained that the flaws in the webcam could have been mitigated if patches were applied. The attack highlights the limitations of relying solely on EDR protection, as it can be circumvented if devices outside the primary security perimeter are exploited. The incident also serves as a reminder of the growing risks posed by IoT devices, which are often overlooked in security protocols and not closely monitored or updated. To reduce the risk of such attacks, organizations must isolate IoT devices from sensitive network areas, apply regular firmware updates, and adopt a multi-layered security strategy that extends beyond traditional EDR solutions to protect against sophisticated threats.
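The signal that went unwatched in this incident was SMB traffic sourced from an IoT device. The following is an added example, not code from the S-RM report, showing one way a defender can surface that signal from flow records: every host in an asset inventory tagged as IoT that opens SMB sessions is reported, and the alert is escalated when the volume pushed over SMB is large enough to suggest files on a share are being rewritten. The inventory, the flow-record format and the sample flows are constructed for the example.

```python
# Added example (not from the S-RM report): flag SMB sessions that originate
# from inventoried IoT devices, the signal the article says went unwatched.
from collections import defaultdict

# Constructed asset inventory: host -> role. In practice this comes from a CMDB or NAC.
INVENTORY = {
    "10.10.5.23": "iot-webcam",
    "10.10.5.24": "iot-fingerprint-scanner",
    "10.10.1.10": "file-server",
    "10.10.1.11": "file-server",
    "10.10.2.50": "workstation",
}
SMB_PORTS = {445, 139}

def parse_flow(line):
    """Parse a constructed flow record of the form 'ts src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def smb_from_iot(lines, inventory=INVENTORY, byte_threshold=1_000_000):
    """Return one alert per IoT host that sourced SMB traffic.
    Any SMB session from an IoT host is reported (medium); the alert is
    escalated to high when the bytes that host pushed over SMB exceed
    byte_threshold, because encrypting a share rewrites every file on the wire."""
    per_src = defaultdict(lambda: {"bytes": 0, "targets": set()})
    for line in lines:
        f = parse_flow(line)
        role = inventory.get(f["src"], "unknown")
        if f["dport"] in SMB_PORTS and role.startswith("iot-"):
            per_src[f["src"]]["bytes"] += f["bytes"]
            per_src[f["src"]]["targets"].add(f["dst"])
    alerts = []
    for src, agg in per_src.items():
        sev = "high" if agg["bytes"] >= byte_threshold else "medium"
        alerts.append({"src": src, "role": inventory[src], "targets": sorted(agg["targets"]),
                       "bytes": agg["bytes"], "severity": sev})
    return sorted(alerts, key=lambda a: a["src"])

# Constructed flow lines: a workstation's routine SMB use, the webcam writing
# heavily to two file servers over 445, and a normal DNS lookup to ignore.
SAMPLE_FLOWS = [
    "2025-03-01T02:10:01 10.10.2.50 10.10.1.10 445 52000",
    "2025-03-01T02:11:07 10.10.5.23 10.10.1.10 445 734000000",
    "2025-03-01T02:11:09 10.10.5.23 10.10.1.11 445 512000000",
    "2025-03-01T02:12:00 10.10.5.23 10.10.0.2 53 120",
    "2025-03-01T02:13:30 10.10.5.24 10.10.1.10 445 4096",
]

if __name__ == "__main__":
    for alert in smb_from_iot(SAMPLE_FLOWS):
        print(alert)
```

The same check belongs in whatever already sees east-west traffic (a flow collector, Zeek conn logs or a firewall between IoT and server VLANs); if IoT devices are segmented as the article recommends, the medium-severity alerts alone are worth acting on, because an IoT host should have no reason to talk SMB at all.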