The Akira ransomware gang has developed a novel approach to deploying its encryptor inside a corporate network: running it from an unsecured webcam. Because the webcam carried no security agent, this let the group bypass the Endpoint Detection and Response (EDR) software that had blocked the attack on the organization’s Windows hosts. The cybersecurity firm S-RM uncovered this unusual tactic during a recent incident response for a client.
How the Attack Unfolded
Initially, the Akira group gained access to the corporate network through an exposed remote access solution. This could have been accomplished via stolen credentials or by brute force. After breaching the network, the attackers deployed AnyDesk, a legitimate remote access tool, to steal sensitive data as part of their double extortion strategy.
Following this, they used Remote Desktop Protocol (RDP) to move laterally across systems within the organization. The ransomware payload was then prepared for deployment. However, the victim’s EDR software detected and quarantined a password-protected ZIP file containing the ransomware payload (win.exe), preventing the attack from proceeding.
In a statement, S-RM explained the attackers’ pivot:
“After this failure, Akira explored alternative attack pathways, scanning the network for other devices that could be used to encrypt the files and finding a webcam and fingerprint scanner.”
The Role of the Webcam
The Akira ransomware gang opted to exploit the webcam because it was vulnerable to remote shell access and unauthorized video feed viewing. Running on a Linux-based operating system, the webcam was compatible with Akira’s Linux encryptor and notably lacked an EDR agent. This made it an ideal candidate for remote encryption of files on network shares.
[Figure: Overview of Akira’s attack steps. Source: S-RM]
S-RM confirmed that the attackers utilized the webcam’s Linux operating system to mount Windows SMB network shares of the company’s other devices. They initiated the Linux encryptor from the webcam, successfully encrypting the network shares over SMB and bypassing the EDR software.
Undetected Malicious Activity
“As the device was not being monitored, the victim organisation’s security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them,” S-RM noted.
This allowed Akira to encrypt files across the victim’s network without detection.
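The detection gap S-RM describes is an unmonitored device producing a spike in SMB traffic. The following added example (not code from S-RM or from the article) shows one way a security team could surface that from network flow records without an agent on the device: aggregate SMB (TCP/445) bytes per source, drop sources that an EDR agent already covers, and alert on unmanaged or un-inventoried sources whose volume exceeds a minimum and jumps well above their usual baseline. The asset inventory, flow records, baseline values and thresholds are all constructed for illustration and would come from the CMDB, the EDR console and the flow collector in practice.

```python
from collections import defaultdict

# Constructed asset inventory: ip -> (role, EDR agent installed?).
# In a real deployment this is exported from the CMDB / EDR console.
ASSETS = {
    "10.0.20.15": ("webcam", False),
    "10.0.20.16": ("fingerprint-scanner", False),
    "10.0.10.5":  ("file-server", True),
    "10.0.30.42": ("workstation", True),
}

# Constructed flow records for one collection window:
# (src_ip, dst_ip, dst_port, bytes_sent_by_src)
FLOWS = [
    ("10.0.30.42", "10.0.10.5",  445, 120_000),     # normal workstation SMB
    ("10.0.20.15", "10.0.10.5",  445, 48_000_000),  # webcam writing to a share
    ("10.0.20.15", "10.0.30.42", 445, 9_500_000),   # webcam hitting a second share
    ("10.0.20.16", "10.0.10.5",  445, 40_000),      # scanner, small volume
    ("10.0.20.15", "10.0.10.5",  80,  300_000),     # not SMB, ignored
    ("10.0.40.7",  "10.0.10.5",  445, 2_000_000),   # host absent from inventory
]

# Constructed baseline: SMB bytes each source normally sends per window.
BASELINE = {
    "10.0.30.42": 100_000,
    "10.0.20.16": 30_000,
}

SMB_PORT = 445
MIN_BYTES = 1_000_000   # assumption: ignore tiny SMB volumes; tune per environment
SPIKE_FACTOR = 10       # assumption: alert when volume exceeds 10x the baseline


def smb_bytes_by_source(flows, port=SMB_PORT):
    """Aggregate bytes and distinct destinations per SMB client address."""
    agg = defaultdict(lambda: {"bytes": 0, "targets": set()})
    for src, dst, dport, nbytes in flows:
        if dport == port:
            agg[src]["bytes"] += nbytes
            agg[src]["targets"].add(dst)
    return agg


def flag_unmanaged_smb_clients(flows, assets, baseline,
                               min_bytes=MIN_BYTES, spike_factor=SPIKE_FACTOR):
    """
    Return one alert per SMB client that has no EDR agent (or is missing from
    the inventory entirely), sent at least min_bytes in the window, and either
    has no baseline or exceeded spike_factor times its baseline.
    Alerts are sorted by volume, largest first.
    """
    alerts = []
    for src, data in smb_bytes_by_source(flows).items():
        role, has_edr = assets.get(src, ("not-in-inventory", False))
        if has_edr:
            continue  # the host agent is expected to see this activity
        if data["bytes"] < min_bytes:
            continue
        base = baseline.get(src)
        if base is not None and data["bytes"] <= spike_factor * base:
            continue
        alerts.append({
            "src": src,
            "role": role,
            "bytes": data["bytes"],
            "targets": sorted(data["targets"]),
            "reason": "no baseline" if base is None
                      else f"{data['bytes'] // base}x baseline",
        })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in flag_unmanaged_smb_clients(FLOWS, ASSETS, BASELINE):
        print(alert)
```

On the constructed data the webcam is flagged first (57.5 MB of SMB to two different hosts, with no baseline because a webcam should never speak SMB at all), and the un-inventoried host is flagged second; the workstation is skipped because its agent covers it, and the fingerprint scanner stays quiet because its volume is negligible. The point of the "not-in-inventory" branch is that a device nobody knows about is exactly the device nobody is monitoring.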
The incident underscores that EDR protection is not foolproof. Organizations should not rely solely on EDR systems to safeguard against attacks. Furthermore, IoT devices, which are often less monitored than traditional computers, pose significant risks.
Preventative Measures
S-RM highlighted that patches for the webcam vulnerabilities were available, indicating that this attack vector could have been avoided. Organizations are urged to isolate IoT devices from sensitive networks and ensure all devices, including IoT, have their firmware updated regularly to mitigate risks.