Fri, Apr 19, 2024
In Q4 2023, Kroll identified an uptick in engagements involving Akira ransomware, a trend that has continued into 2024. Kroll observed that in the majority of cases, initial activity could be tracked back to a Cisco ASA VPN service.
Based on a review of cases, it is likely that this activity reflected previous reporting that affiliates distributing Akira were targeting VPNs that did not enforce multi-factor authentication and exploiting vulnerabilities in Cisco ASA and Firepower Threat Defense (FTD) services (CVE-2023-20269 and CVE-2020-3259).
First published on September 6, 2023, CVE-2023-20269 allows unauthenticated users to run a brute-force attack to identify valid credentials and establish a clientless SSL VPN session. At the time of publication, Cisco indicated that it was aware of the Akira ransomware group targeting the zero-day vulnerability in August 2023 by compromising organizations via Cisco VPNs that lacked multi-factor authentication.
This vulnerability stems from improper separation of authentication, authorization and accounting (AAA) between the remote access VPN feature and HTTPS management and site-to-site VPN features. The misconfiguration allows attackers to exploit the vulnerability by specifying a default connection profile/tunnel group, enabling brute-force attacks or the establishment of a clientless SSL VPN session using valid credentials.
In February 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Cisco vulnerability, CVE-2020-3259, to its catalog of known exploited vulnerabilities, following reports of its use for initial access by Akira. This CVE, if exploited, allows an unauthenticated, remote attacker to retrieve memory contents of an affected device, thus disclosing confidential information such as credentials used to remotely log into the VPN. A patch was made available in 2020 to mitigate this threat.
Cases observed by Kroll highlighted a similar pattern of intrusion activity once access occurred. This included persistence via remote monitoring and management tools such as AnyDesk, and internal network discovery via tools such as Advanced IP Scanner and Netscan to obtain Active Directory information. During this time, the actor used WinSCP for exfiltration and WinRar for compression. The actors leveraged Remote Desktop Protocol (RDP) or remote service creation to move laterally across systems and escalated privileges to a domain admin-level account within two days of network access. Shortly after privilege escalation, Akira ransomware was deployed to encrypt systems.
| Kroll Intrusion Lifecycle Stage | ATT&CK Technique |
|---|---|
| Initial Exploitation | T1133 External Remote Services |
| Internal Scouting | T1219 Remote Access Software (AnyDesk); T1046 Network Service Discovery (Netscan) |
| Toolkit Deployment | |
| Exfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (WinSCP); T1560.001 Archive via Utility (WinRar) |
| Lateral Movement | T1021.001 Remote Services: Remote Desktop Protocol |
| Mission Execution | T1486 Data Encrypted for Impact |
While the best course of action to prevent the current wave of Akira activity is to patch the known VPN vulnerabilities, parsing out the timeline of events once the threat actor accesses the network identifies points where organizations may be able to detect and deter this activity before it leads to network encryption. A multi-layered, defense-in-depth strategy is key to helping organizations maintain cyber resilience.
Initial access attempts leveraging external remote services may be detected earlier by maximizing log visibility for edge devices:
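One concrete way to use that edge-device log visibility, as an added example that is not Kroll's tooling or part of the original post: the script below parses Cisco ASA-style AAA authentication syslog and flags a source IP that accumulates many rejections in a short window (the brute-force and password-spraying pattern described for CVE-2023-20269), and separately flags a successful logon that follows such a burst. The sample lines are constructed; the field layout follows the ASA `%ASA-6-113005` (rejected) and `%ASA-6-113004` (successful) message format as an assumption, including the presence of a `user IP` field on the success message, so the regex should be adjusted to match the actual export from a given device.

```python
"""Detect VPN credential brute-forcing / password spraying in ASA-style AAA
syslog. Added example; the log lines below are constructed, and the message
layout (message IDs 113005/113004 with 'user = X : user IP = Y') is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from a real device).
SAMPLE_LOGS = "\n".join([
    "Apr 19 2024 02:10:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7",
    "Apr 19 2024 02:10:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.7",
    "Apr 19 2024 02:10:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bkim : user IP = 203.0.113.7",
    "Apr 19 2024 02:10:07 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = clee : user IP = 203.0.113.7",
    "Apr 19 2024 02:10:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dpatel : user IP = 203.0.113.7",
    "Apr 19 2024 02:10:20 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7",
    "Apr 19 2024 02:15:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.9",
    "Apr 19 2024 02:16:00 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.9",
])

# Assumed message layout: timestamp, hostname, %ASA-<sev>-<msgid>, result,
# then 'user = <name> : user IP = <addr>' somewhere in the remainder.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d{6}): AAA user authentication (?P<result>Rejected|Successful)"
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse(log_text):
    """Turn matching syslog lines into time-sorted event dicts; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text, window=timedelta(minutes=5), threshold=5):
    """Sliding window per source IP. Emits one 'brute_force' alert when the
    rejection count within the window reaches `threshold`, and a
    'success_after_failures' alert for any success while that many
    rejections are still inside the window."""
    alerts = []
    recent = defaultdict(deque)  # ip -> deque of (ts, user) rejections in window
    flagged = set()
    for e in parse(log_text):
        q = recent[e["ip"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop rejections that aged out of the window
        if e["result"] == "Rejected":
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({
                    "type": "brute_force",
                    "ip": e["ip"],
                    "failures": len(q),
                    # many distinct usernames from one IP is the spraying signature
                    "distinct_users": len({u for _, u in q}),
                    "at": e["ts"],
                })
        elif len(q) >= threshold:
            alerts.append({
                "type": "success_after_failures",
                "ip": e["ip"],
                "user": e["user"],
                "failures": len(q),
                "at": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

On the constructed input, 203.0.113.7 trips the brute-force rule on its fifth rejection (five different usernames, so a spray rather than a single-account guess) and then again when `svc_backup` authenticates from the same address seconds later; the single rejection from 198.51.100.9 followed by a normal logon produces nothing. The second alert type is the one worth routing to an analyst immediately, since a success after a burst is where a VPN without MFA turns into a foothold.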
For attackers that are not identified at access, Kroll typically sees the first stage of the intrusion focus on internal scouting. In this phase, they conduct reconnaissance within the network to identify and enumerate systems to help launch their attack. In the recently observed Akira campaign, threat actors leveraged legitimate tools such as AnyDesk and Netscan to help with network discovery. In this scenario, application whitelisting could help with detection:
Once actors have gained a foothold into systems and conducted internal scouting, a next step is likely to be lateral movement. Kroll observes many ransomware actors leveraging RDP for such movement within the network, typically with a goal of escalating privileges into an account with domain administrator level privileges. Kroll recommends the following to detect such activity inside the network:
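The two detection ideas above, an application allowlist check for the internal scouting phase and RDP-based lateral movement spotting, can be expressed over host telemetry. The following is an added example, not Kroll's detection content or part of the original post. The events are constructed and shaped like Windows Security event 4688 (process creation) and 4624 (logon, where logon type 10 is RemoteInteractive/RDP) as an assumption; the allowlist is a deliberately tiny placeholder standing in for an organization's real approved-software list, and the executable names for the scanning tools are constructed.

```python
"""Flag unapproved executables (allowlist check) and RDP fan-out by one account
across several hosts in a short window. Added example; events are constructed
and mimic Windows 4688/4624 fields as an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-04-19 03:01:00", "host": "WS-014", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"ts": "2024-04-19 03:02:10", "host": "WS-014", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Tools\\netscan.exe"},
    {"ts": "2024-04-19 03:02:30", "host": "WS-014", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2024-04-19 03:10:00", "host": "SRV-FS01", "event_id": 4624, "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.1.2.14"},
    {"ts": "2024-04-19 03:14:00", "host": "SRV-SQL02", "event_id": 4624, "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.1.2.14"},
    {"ts": "2024-04-19 03:19:00", "host": "DC01", "event_id": 4624, "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.1.2.14"},
    {"ts": "2024-04-19 08:00:00", "host": "SRV-FS01", "event_id": 4624, "user": "CORP\\helpdesk",
     "logon_type": 10, "src_ip": "10.1.9.3"},
]

# Placeholder allowlist; a real one comes from the organization's software inventory.
ALLOWLIST = {"notepad.exe", "explorer.exe", "svchost.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def unapproved_processes(events, allowlist=ALLOWLIST):
    """Allowlist check: every 4688 whose image basename is not approved is a
    hit. Remote access tools and network scanners dropped by an intruder show
    up here even when they are legitimate, signed software."""
    approved = {a.lower() for a in allowlist}
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name not in approved:
            hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"], "image": name})
    return hits


def rdp_fan_out(events, window=timedelta(minutes=30), min_hosts=3):
    """Lateral movement heuristic: one account completing RDP logons
    (logon type 10) to at least `min_hosts` distinct hosts within `window`.
    Reports the first qualifying window per account."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            by_user[e["user"]].append((parse_ts(e["ts"]), e["host"], e["src_ip"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _, _) in enumerate(logons):
            in_window = [(t, h, s) for t, h, s in logons[i:] if t - t0 <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "start": t0,
                    "hosts": sorted(hosts),
                    "src_ips": sorted({s for _, _, s in in_window}),
                })
                break
    return alerts


if __name__ == "__main__":
    for h in unapproved_processes(EVENTS):
        print("unapproved process:", h)
    for a in rdp_fan_out(EVENTS):
        print("rdp fan-out:", a)
```

On the constructed events the allowlist check surfaces `anydesk.exe` and `netscan.exe` on the workstation minutes before the same account RDPs into a file server, a database server and a domain controller from one source address inside twenty minutes; the single help-desk RDP logon hours later does not qualify. Tuning `min_hosts` and `window` against a baseline of administrators' normal behavior is what keeps the second rule from paging on routine maintenance, and the source-IP list in the alert is what lets the responder trace the chain back to the initial foothold.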
The hands-on-keyboard objectives of threat actors like the Akira ransomware gang are focused on data theft and data encryption, which can be leveraged against the victim for financial extortion. Kroll has previously provided guidance on detecting exfiltration and recommends that organizations utilize endpoint monitoring tools such as EDR and next-gen antivirus for effective detection and deterrence.
The similarities between ransomware variants provide opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity. To defend against ransomware such as Akira, Kroll’s Cyber Threat Intelligence (CTI) team advises organizations to take the following next steps: