The Akira ransomware gang recently exploited an unsecured webcam to launch encryption attacks on a victim’s network, bypassing Endpoint Detection and Response (EDR) systems. This unconventional method allowed them to circumvent Windows-based EDR solutions that initially blocked their encryptor. Cybersecurity firm S-RM discovered this attack during an incident response, highlighting the evolving tactics of ransomware groups.
You Should Know:
1. Endpoint Detection and Response (EDR) Bypass:
EDR tools are designed to detect and block malicious activities on endpoints. However, attackers are increasingly targeting non-traditional devices like IoT (Internet of Things) devices to bypass these defenses.
2. Linux-Based Exploits:
The webcam used in this attack ran on a Linux-based operating system, which was compatible with Akira’s Linux encryptor. This highlights the importance of securing IoT devices, especially those running Linux.
3. Remote Desktop Protocol (RDP) Abuse:
Attackers used RDP to move laterally across the network after gaining initial access. Ensure RDP is secured with strong passwords, multi-factor authentication, and network-level restrictions.
4. AnyDesk for Lateral Movement:
The attackers deployed AnyDesk, a legitimate remote access tool, to maintain persistence and exfiltrate data. Monitor for unauthorized remote access tools in your environment.
5. Password-Protected ZIP Files:
Akira used a password-protected ZIP file (win.zip) to deliver the ransomware payload (win.exe). Educate users about the risks of opening unsolicited files, even if they appear harmless.
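Points 3 and 4 above (RDP lateral movement and AnyDesk deployment) are the parts of this attack that a Windows security log can still show even when the EDR agent itself was bypassed. The script below is an added example, not code from the original post or from S-RM: it runs two detection rules over already-parsed Windows Security events (4624 logons with LogonType 10, which is RDP, and 4688 process creations). The event records, the "unmanaged" IoT subnet 10.40.0.0/16 and the allow-list of approved remote-access tools are all constructed for the example.

```python
"""Flag RDP logons that originate from unmanaged/IoT address space and
launches of remote-access tools, from parsed Windows Security events.

Event IDs used: 4624 (logon; LogonType 10 = RemoteInteractive, i.e. RDP)
and 4688 (process creation).  Records below are constructed for this
example; field names follow the Security log's XML EventData fields.
"""
import ipaddress
import ntpath

# Constructed inventory: ranges where cameras, printers and other devices
# without an EDR agent live.  Nothing there should ever open an RDP session.
UNMANAGED_SUBNETS = [ipaddress.ip_network("10.40.0.0/16")]

# Legitimate remote-access tools that must be approved before they may run.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}   # constructed allow-list

# Constructed events, as a SIEM would hand them over after XML parsing.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.40.12.7",
     "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.21",
     "TargetUserName": "jsmith", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.40.12.7",
     "TargetUserName": "FS01$", "Computer": "FS01"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\AnyDesk.exe",
     "SubjectUserName": "svc_backup", "Computer": "FS01"},
    {"EventID": 4688, "NewProcessName": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "SubjectUserName": "jsmith", "Computer": "WS07"},
]


def is_unmanaged(ip_text):
    """True if the source address belongs to an unmanaged/IoT range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # the log uses "-" when no address is known
        return False
    return any(ip in net for net in UNMANAGED_SUBNETS)


def detect(events):
    """Return a list of (rule, computer, detail) alerts."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4624 and ev.get("LogonType") == 10 \
                and is_unmanaged(ev.get("IpAddress", "")):
            alerts.append(("rdp_from_unmanaged_device", ev["Computer"],
                           f"{ev['TargetUserName']} via RDP from {ev['IpAddress']}"))
        elif eid == 4688:
            # ntpath handles the Windows path even when run on Linux
            exe = ntpath.basename(ev.get("NewProcessName", "")).lower()
            if exe in REMOTE_ACCESS_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_access_tool", ev["Computer"],
                               f"{exe} started by {ev['SubjectUserName']}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The second 4624 record (a workstation subnet) and the LogonType 3 network logon from the camera address are deliberately not alerted, so the rule fires only on the combination the post describes: an interactive RDP session whose source is a device that has no business initiating one.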
Practice Verified Commands and Codes:
Linux Security Commands:
1. Check for Open Ports on IoT Devices:
Use `nmap` to scan for open ports on IoT devices:
nmap -p 1-65535 <IP_ADDRESS>
2. Secure SSH Access:
Disable root login and change the default SSH port:
sudo nano /etc/ssh/sshd_config
Modify the following lines:
PermitRootLogin no
Port 2222
Restart the SSH service:
sudo systemctl restart sshd
3. Monitor Network Traffic:
Use `tcpdump` to capture and analyze network traffic:
sudo tcpdump -i eth0 -w capture.pcap
4. Check for Unauthorized Processes:
List running processes and their associated users:
ps aux
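The SSH step above edits sshd_config by hand, and the usual mistake is to append a hardening line below an existing one: sshd uses the first value it reads for each keyword, so a `PermitRootLogin no` added after an earlier `PermitRootLogin yes` changes nothing. The auditor below is an added example, not code from the original post; it parses a config with sshd's first-match rule and reports the effective values. The sample config, which contains exactly that mistake, is constructed for the example, and the expected settings it checks are an assumption chosen to match the steps above.

```python
"""Audit an sshd_config for the hardening settings discussed above.

sshd applies the FIRST value it sees for each keyword, so a line appended
after an earlier `PermitRootLogin yes` is silently ignored.  The parser
mirrors that rule.  The sample config is constructed for this example.
"""
import re

# Constructed sample: the appended "no" is ignored by sshd because "yes"
# for the same keyword appears first.
SAMPLE_SSHD_CONFIG = """\
# Default config shipped on a constructed IoT image
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Values we expect (assumed for this example, matching the steps above).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}, ignoring comments and blanks.

    Parsing stops at the first `Match` line, because keywords after it
    are conditional and do not describe the global configuration.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def audit_sshd_config(text, expected=EXPECTED):
    """Return a list of finding strings; an empty list means all checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: effective value '{got}', expected '{want}'")
    if cfg.get("port", "22") == "22":
        findings.append("port: still on the default 22")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

Run it against `/etc/ssh/sshd_config` after editing, before the `systemctl restart sshd` step, so a silently ignored line is caught rather than discovered later. Moving the port reduces scanner noise but is not a substitute for disabling root and password logins, which is why the two are checked separately.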
Windows Security Commands:
1. Check EDR/Defender Status:
Verify that Microsoft Defender protection and monitoring are enabled (this cmdlet reports status; it does not change settings):
Get-MpComputerStatus
2. Restrict RDP Access:
Use Group Policy to restrict RDP access to specific users:
gpedit.msc
Navigate to:
`Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections`
Set “Allow users to connect remotely using Remote Desktop Services” to Enabled.
3. Monitor for Unauthorized Software:
Use PowerShell to list installed software:
Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version
4. Block Suspicious IPs:
Use Windows Firewall to block suspicious IPs:
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -Action Block -RemoteAddress <IP_ADDRESS>
What Undercode Say:
The Akira ransomware attack underscores the importance of securing all devices on a network, including IoT devices like webcams and fingerprint scanners. Traditional security measures like EDR are no longer sufficient on their own. Organizations must adopt a multi-layered security approach, including:
- Regularly updating and patching all devices.
- Implementing network segmentation to limit lateral movement.
- Monitoring for unusual activities on IoT devices.
- Educating employees about phishing and social engineering tactics.
By combining these strategies with robust endpoint and network security, organizations can better defend against evolving ransomware threats.
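The port scan suggested in the Linux commands section and the advice above to segment and monitor IoT devices come together in one routine question: which devices on the network have no EDR agent and still expose a management service an attacker could pivot through? The script below is an added example, not code from the original post; it parses nmap's grepable output (`nmap -p 1-65535 -oG scan.gnmap <range>`) and reports unmanaged hosts with such ports open. The scan lines, the EDR inventory and the list of management ports are constructed for the example.

```python
"""Triage nmap grepable (-oG) output for devices without an EDR agent
that expose management services, so they can be segmented or patched.

The scan lines are constructed in nmap's -oG line format; a real run
would be `nmap -p 1-65535 -oG scan.gnmap <range>`.
"""
import re

# Services that let an attacker turn a webcam or printer into a pivot.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Constructed inventory of hosts known to run an EDR agent; every other
# host in the scan is treated as unmanaged.
EDR_MANAGED_HOSTS = {"10.40.0.10"}

# Constructed -oG output: comment lines, a host with a Status line only,
# a filtered port, and a host that is down are all included on purpose.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.40.0.10 (fileserver.lab)\tStatus: Up
Host: 10.40.0.10 (fileserver.lab)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)
Host: 10.40.12.7 (cam-lobby)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///
Host: 10.40.12.8 (cam-dock)\tPorts: 80/open/tcp//http///, 554/filtered/tcp//rtsp///
Host: 10.40.12.9 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>" optionally followed by more
# tab-separated fields such as "Ignored State".
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: {"name": str, "open": [port, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        open_ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, protocol, owner, service, rpc, version
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.append(int(fields[0]))
        hosts[ip] = {"name": name, "open": open_ports}
    return hosts


def exposed_unmanaged(text, managed=EDR_MANAGED_HOSTS):
    """Return [(ip, name, [service, ...])] for unmanaged hosts exposing management ports."""
    findings = []
    for ip, info in parse_gnmap(text).items():
        if ip in managed:
            continue
        risky = sorted(MANAGEMENT_PORTS[p] for p in info["open"] if p in MANAGEMENT_PORTS)
        if risky:
            findings.append((ip, info["name"], risky))
    return findings


if __name__ == "__main__":
    for ip, name, services in exposed_unmanaged(SAMPLE_GNMAP):
        print(f"{ip} ({name or 'no name'}): unmanaged, exposes {', '.join(services)}")
```

In the sample only the lobby camera is reported, because the file server is on the EDR inventory and the dock camera exposes nothing on the management list. The output is the worklist for the segmentation step: each reported device either gets its management port closed or moved to a VLAN that cannot reach servers over RDP or SMB.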
Reported By: Phuong Nguyen – Hackers Feeds
Extra Hub: Undercode MoN