The Akira ransomware group has been observed targeting unpatched IoT devices, such as webcams, to deploy ransomware while evading traditional EDR detection. This incident highlights the critical importance of network segregation, patch management, and device monitoring. As Threat Hunters, it is essential to focus on detecting anomalies in file share access and SMB connections from non-onboarded devices.
You Should Know:
1. Audit File Share Anomalies
- Enable the ‘Audit File Share’ policy (Object Access category) to log network share access.
- Key Security Event IDs to monitor:
- 5140: A network share object was accessed (share name, client IP and account).
- 5145: A network share object was checked to see whether the client can be granted the desired access (includes the relative target name and access mask). This event comes from the separate ‘Detailed File Share’ subcategory and is noisy; enable it with the same auditpol syntax only where you need per-file detail.
- 5143: A network share object was modified.
- Look for anomalies originating from non-onboarded devices targeting Windows administrative shares (C$, ADMIN$, IPC$).
PowerShell Command to Enable Audit File Share Policy (run from an elevated prompt):
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2. SMB Connections from Non-Onboarded Devices
- Hunt for devices not onboarded in your EDR making SMB connections to onboarded hosts.
- Use KQL (Kusto Query Language) to identify inbound SMB connections from non-onboarded devices. A non-onboarded device is one with no DeviceInfo record, so the query excludes every remote name that appears in DeviceInfo rather than joining back to it (a join on the same name would return nothing after that exclusion).
Example KQL Query:
// Inbound SMB (TCP 445) to onboarded hosts from devices with no DeviceInfo record
DeviceNetworkEvents
| where ActionType startswith "InboundConnection"
| where LocalPort == 445
| where isnotempty(RemoteDeviceName)
| where RemoteDeviceName !in ((DeviceInfo | summarize by DeviceName))
| project Timestamp, DeviceName, RemoteDeviceName, RemoteIP, RemotePort
| order by Timestamp asc
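To show how sections 1 and 2 combine in practice, here is an added example (not code from the original post) that runs the hunt over exported 5140/5145/5143 records: it flags administrative-share events whose client IP is not in the EDR-onboarded inventory and ranks the offending sources by how many hosts they touched. Field names follow the event XML (IpAddress, ShareName, SubjectUserName); the events, IP lists and host names are constructed.

```python
# Added example (not from the original post): hunt 5140/5145/5143 file-share
# events for admin-share access from hosts that are not EDR-onboarded. All data below is constructed.
from ipaddress import ip_address
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
SHARE_EVENT_IDS = {5140: "share accessed", 5145: "access check", 5143: "share modified"}

def normalize_ip(raw):
    # Canonicalise an IP string; keep odd values such as '-' as-is.
    try:
        return str(ip_address(raw))
    except ValueError:
        return raw

def share_name(path):
    # The event logs shares as \\*\<name>; return the bare <name>.
    return path.rsplit("\\", 1)[-1].upper()

def hunt_share_anomalies(events, onboarded_ips):
    # Return admin-share events whose source IP is not EDR-onboarded.
    onboarded = {normalize_ip(ip) for ip in onboarded_ips}
    findings = []
    for ev in events:
        if ev["EventID"] not in SHARE_EVENT_IDS:
            continue  # not a file-share event (e.g. a 4624 logon)
        src = normalize_ip(ev["IpAddress"])
        share = share_name(ev["ShareName"])
        if src in onboarded or share not in ADMIN_SHARES:
            continue
        findings.append({"source": src, "target": ev["Computer"], "share": share,
                         "user": ev["SubjectUserName"], "what": SHARE_EVENT_IDS[ev["EventID"]]})
    return findings

def fan_out(findings):
    # Distinct targets touched per non-onboarded source, highest first.
    targets = {}
    for f in findings:
        targets.setdefault(f["source"], set()).add(f["target"])
    return sorted(((s, len(t)) for s, t in targets.items()), key=lambda x: -x[1])

# Constructed sample: 10.0.50.23 is a webcam with no EDR agent.
ONBOARDED_IPS = ["10.0.10.5", "10.0.10.9"]
EVENTS = [
    {"EventID": 5140, "Computer": "FS01", "IpAddress": "10.0.10.5", "ShareName": "\\\\*\\Projects", "SubjectUserName": "alice"},
    {"EventID": 5140, "Computer": "FS01", "IpAddress": "10.0.50.23", "ShareName": "\\\\*\\C$", "SubjectUserName": "svc_backup"},
    {"EventID": 5145, "Computer": "WS07", "IpAddress": "10.0.50.23", "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "svc_backup"},
    {"EventID": 5140, "Computer": "WS07", "IpAddress": "10.0.10.9", "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "helpdesk"},
]
if __name__ == "__main__":
    print(hunt_share_anomalies(EVENTS, ONBOARDED_IPS), fan_out(hunt_share_anomalies(EVENTS, ONBOARDED_IPS)))
```

On the sample, only the two admin-share events from the webcam surface; the helpdesk ADMIN$ access from an onboarded host is left for normal EDR telemetry.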
3. Patch Management
- Regularly update IoT devices and endpoints to mitigate vulnerabilities.
- Use the following command to check for missing updates on a Windows system. It requires the PSWindowsUpdate module (Install-Module PSWindowsUpdate); Get-WindowsUpdate on its own only lists missing updates, and the -Install switch also installs them:
Get-WindowsUpdate -Install
4. Network Segregation
- Implement VLANs and firewall rules to isolate IoT devices from critical network segments.
- Example command to block inbound SMB (TCP 445) on a Linux host with iptables (restrict it with -s to the IoT subnet where SMB is still needed from other segments):
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
What Undercode Say:
The Akira ransomware incident underscores the need for proactive threat hunting and robust security practices. By enabling detailed logging, monitoring SMB connections, and ensuring timely patching, organizations can mitigate risks associated with unpatched IoT devices. Additionally, network segregation and granular logging policies are essential for detecting and preventing similar attacks.
Further Reading:
Stay vigilant and keep your systems updated to stay ahead of evolving threats.
References:
Reported By: Coenemichel Camera – Hackers Feeds