Security providers, including Sophos and SentinelOne, note that the Akira ransomware is increasingly targeting Cisco VPN solutions. However, the attack vectors are not yet entirely clear.
The Akira ransomware is increasingly targeting Cisco’s VPN solutions. In May of this year, Sophos reported the existence this particular ransomware. Later, the security specialist also indicated that this ransomware variant is increasingly turning up for Cisco’s VPN solutions. Another less frequently affected target is VMware ESXi servers, for example.
The hackers would gain access to the Cisco VPN solutions via Single Factor authentication. In doing so, the compromised Cisco VPN accounts are used to penetrate corporate networks without using backdoors or other persistent mechanisms. This prevents the hackers from being easily detected.
Attack vectors unclear
Exactly how the Cisco VPN solutions are attacked cannot be clearly indicated. It seems to mainly involve Cisco VPN solutions that are not protected with multi-factor authentication, according to user Aura on X (Twitter). Whether VPN login credentials are cracked by the Akira ransomware via brute-force attack, for example, or have been traded on the darkweb is not entirely clear, according to this specialist.
SentinelOne is also conducting research, and BleepingComputer was given private access to that report. This security specialist focused his investigation on a possible exploit of an unknown vulnerability in the Cisco VPN software. This vulnerability could also be exploited by the hackers to bypass authentication when no MFA is present.
Use of RustDesk
Another attack vector, SentinelOne further indicates, might be the open-source remote access tool RustDesk. This tool was used by the Akira ransomware to navigate within compromised networks.
Since this is a legitimate tool, its presence is not flagged as threatening. This way, according to the security specialist, the ransomware gang can carry out their malicious activities unseen.
Since late June, Avast has already developed a decryptor for the Akira ransomware. Unfortunately, this decryptor is only suitable for older versions of the rapidly developing ransomware variant.