Akira Ransomware Exploits Cisco VPNs in Attacks
The cybersecurity community is sounding alarms as a recently identified ransomware operation named Akira continues to use Cisco VPN products as an initial-access vector. First observed in March 2023, Akira has quickly established itself as a formidable threat.
Akira has already gained notoriety for compromising organizations across multiple industries, including education, finance, real estate, healthcare, and manufacturing. Several reports indicate that its operators have breached these networks through compromised Cisco VPN accounts. Once inside, they may exfiltrate sensitive data before deploying their ransomware encryptor.
Security firm Sophos highlighted incidents in May 2023 in which Akira accessed target networks by compromising VPN accounts that relied on single-factor authentication. Because logging was not configured on the Cisco ASA devices involved, it is difficult to say definitively how Akira obtained the credentials for these VPN accounts: some analysts suspect brute-forcing, while others believe the credentials may have been purchased on the dark web.
SentinelOne, another cybersecurity firm, also raised with BleepingComputer the possibility of a zero-day vulnerability in Cisco's VPN software. Such a flaw, if it exists, might allow attackers to bypass authentication in cases where MFA is not enforced.
In late June 2023, victims got a brief reprieve when Avast released a free decryptor for Akira ransomware, offering a way to recover files without paying. The respite was short-lived: Akira's operators quickly patched their encryptor, and Avast's tool does not work against the newer versions.
Mike Newman, CEO of My1Login, emphasized the gravity of the situation to Hackread.com: "With VPNs providing a direct tunnel into an enterprise's network, this access should never fall into the hands of malicious actors." He strongly advocates two-factor authentication and discourages password reuse, measures whose importance is underlined by threats like Akira.
In light of the escalating threat, Cisco has advised all customers to enforce MFA on VPN accounts. It also recommends enabling logging and forwarding the logs to a remote syslog server, so that authentication events are retained off the device and are available for investigation if an incident occurs.
Given Akira's evident reach, businesses must remain vigilant, reinforcing their security posture and keeping their guard up against this emerging threat.
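The Sophos finding that the ASA devices had no logging, and Cisco's advice to forward logs to a remote syslog server, both come down to the same practical point: once authentication events are retained, the brute-force and credential-stuffing pattern that was only speculated about above becomes detectable. The following script is an added example written for this article, not Cisco's or Sophos's code. It parses constructed ASA syslog lines (the message IDs 113005 for a rejected AAA authentication and 113004 for a successful one are real ASA message IDs; the hostname, addresses, usernames and the exact timestamp layout are assumptions) and flags two things: a source IP producing many rejections in a short window, and a successful login for an account that had just accumulated that many failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ASA syslog lines for this example; not a real capture.
# 113005 = AAA authentication rejected, 113004 = AAA authentication successful
# are genuine ASA message IDs; host name, IPs and usernames are invented.
SAMPLE_LOG = """\
Aug 21 2023 03:14:01 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.77
Aug 21 2023 03:14:03 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.77
Aug 21 2023 03:14:05 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.77
Aug 21 2023 03:14:07 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.77
Aug 21 2023 03:14:09 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.77
Aug 21 2023 03:14:12 asa-edge : %ASA-6-113004: AAA user authentication Successful : server = 10.10.0.5 : user = jsmith
Aug 21 2023 08:02:44 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = mlee : user IP = 198.51.100.12
Aug 21 2023 08:03:10 asa-edge : %ASA-6-113004: AAA user authentication Successful : server = 10.10.0.5 : user = mlee
"""

# Assumed line layout: "<timestamp> <device-id> : %ASA-<sev>-<id>: <message>".
# The real layout depends on the ASA's "logging timestamp"/device-id settings.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)


def parse_fields(msg):
    """Turn 'reason = X : server = Y : user = Z' into a dict of fields."""
    fields = {}
    for part in msg.split(" : "):
        if " = " in part:
            key, value = part.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_line(line):
    """Return {'ts', 'id', ...fields} for an ASA syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "id": m.group("id"), **parse_fields(m.group("msg"))}


def _trim(window_q, now, window):
    """Drop timestamps older than the sliding window."""
    while window_q and now - window_q[0] > window:
        window_q.popleft()


def detect(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, subject, timestamp) alerts found in the given log lines.

    brute_force_source: a source IP reaches fail_threshold rejections in window.
    success_after_failures: a user logs in after fail_threshold rejections
    against that username within window (113004 carries no source IP, so the
    correlation is by username).
    """
    alerts = []
    failures_by_ip = defaultdict(deque)
    failures_by_user = defaultdict(deque)
    flagged_ips = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev.get("user", "unknown")

        if ev["id"] == "113005":
            ip = ev.get("user IP", "unknown")
            for q in (failures_by_ip[ip], failures_by_user[user]):
                q.append(ts)
                _trim(q, ts, window)
            if len(failures_by_ip[ip]) >= fail_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("brute_force_source", ip, ts))

        elif ev["id"] == "113004":
            q = failures_by_user[user]
            _trim(q, ts, window)
            if len(q) >= fail_threshold:
                alerts.append(("success_after_failures", user, ts))

    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule}: {subject}")
```

On the sample, the script raises one alert for 203.0.113.77 after its fifth rejection and a second when jsmith then authenticates successfully; mlee's single typo followed by a login is ignored. Against a real syslog feed the timestamp regex and the threshold will need tuning, and a success-after-failures hit on an account without MFA is exactly the case the Sophos report describes and should be treated as a probable compromise rather than a nuisance.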