
Akira Ransomware Bypass EDR Via Unpatched Webcam

In a recent attack by Akira ransomware threat actors, the attempt to encrypt data was initially stopped; however, an unpatched webcam gave the threat actors the foothold they were looking for and allowed them to bypass the Endpoint Detection and Response (EDR) software installed on the enterprise machines.


The details of the incident are covered in a blog post published by security firm S-RM. Upon analysis, it was discovered that the installed EDR software had identified and quarantined the ransomware binary. This, at least initially, prevented Akira from deploying the malicious code across the victim's environment to encrypt data and subsequently demand a ransom.

Up until the discovery of an unpatched webcam, Akira threat actors followed their tried and tested playbook. After compromising the victim's network via an externally facing remote access solution, the group deployed AnyDesk.exe, a remote management and monitoring tool, to retain access to the network.

Data was then exfiltrated to support double extortion tactics and pressure the enterprise to pay the ransom, knowing the attacker has already stolen vast amounts of data.

S-RM researchers then summarized the next phase of the attack by stating,

During the latter stages of the attack, the attacker moved to a server on the victim's network via remote desktop protocol (RDP). Akira commonly uses RDP as it enables them to interact with endpoints and blend in with system administrators, who use RDP legitimately. The threat actor initially attempted to deploy the ransomware on one of the Windows servers as a password-protected zip file ('win.zip') that contained the ransomware binary ('win.exe'). However, the victim's EDR tool immediately identified and quarantined the compressed file before it was unzipped and deployed.

It is believed that at this point, the threat actor likely realized they had tripped the EDR and couldn't proceed with the data encryption phase of the attack. However, the attacker had performed a network scan when initial access was gained to the network and discovered several Internet of Things (IoT) devices sharing the network, including the aforementioned webcam.

Researchers believe the attacker quickly pivoted to targeting the IoT devices, and in particular the webcam, for three main reasons:

  1. The webcam had several critical vulnerabilities, including remote shell capabilities and unauthorized remote viewing of the camera.
  2. It was running a lightweight Linux operating system that supported command execution as if it were a standard Linux device, making the device a perfect candidate for Akira's Linux ransomware variant.
  3. The device did not have any EDR tools installed on it, leaving it unprotected. In fact, due to the limited storage capacity, it is doubtful that any EDR could be installed at all.

Once the threat actor discovered that the webcam was both vulnerable to attack and not monitored by the installed EDR, they proceeded to install a Linux version of the ransomware on it. Speaking to Bleeping Computer, S-RM said that patches for the vulnerable webcam were available at the time of the attack, meaning that this attack vector could have been denied to the attacker.

As the device was not being monitored, the victim organization's security team was unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them. Akira was subsequently able to encrypt files across the victim's network, completing the ransomware attack's objectives.
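The signal that went unseen here was an unmanaged IoT device opening SMB sessions to a server. The following detection logic is an added example written for this article, not S-RM's or the victim's tooling; the asset inventory and the flow records it scans are constructed, and the Zeek-like column layout is an assumption.

```python
"""Flag SMB (TCP/445) sessions initiated by hosts outside EDR coverage.
Example code added to this article; inventory and flows are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed asset inventory: role and whether an EDR agent is present.
ASSETS = {
    "10.10.5.23": {"role": "webcam", "edr": False},
    "10.10.1.10": {"role": "file-server", "edr": True},
    "10.10.1.50": {"role": "workstation", "edr": True},
}

# Constructed flow records (assumed layout): ts src dst dport proto bytes
FLOWS = """\
1709900000 10.10.1.50 10.10.1.10 445 tcp 18234
1709900010 10.10.5.23 10.10.1.10 445 tcp 512
1709900020 10.10.5.23 10.10.1.10 445 tcp 48211
1709900025 10.10.5.23 10.10.1.10 445 tcp 51007
1709900030 10.10.5.23 10.10.1.10 445 tcp 49344
1709900040 10.10.1.50 10.10.1.10 445 tcp 9901
"""

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    sessions: int
    bytes_sent: int
    reason: str

def parse_flows(text):
    """Yield (ts, src, dst, dport, proto, bytes) tuples from flow text."""
    for line in text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        yield int(ts), src, dst, int(dport), proto, int(nbytes)

def smb_from_unmonitored(flows, assets, min_sessions=3):
    """Report sources without EDR that open >= min_sessions SMB sessions to a host."""
    sessions, volume = Counter(), Counter()
    for _ts, src, dst, dport, proto, nbytes in flows:
        if proto == "tcp" and dport == 445:
            sessions[(src, dst)] += 1
            volume[(src, dst)] += nbytes
    findings = []
    for (src, dst), n in sessions.items():
        meta = assets.get(src, {"role": "unknown", "edr": False})  # unknown host = blind spot
        if not meta["edr"] and n >= min_sessions:
            findings.append(Finding(src, dst, n, volume[(src, dst)],
                                    f"{meta['role']} without EDR initiating SMB"))
    return findings

def run():
    return smb_from_unmonitored(parse_flows(FLOWS), ASSETS)
```

Running `run()` on the constructed flows returns a single finding for the webcam's four SMB sessions to the file server, while the EDR-covered workstation's SMB traffic is left to the endpoint agent.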

Lessons Learnt

Researchers determined three major lessons that can be learnt from the incident. The first is making patching a priority.

To this extent, researchers stated,

Patch management strategies tend to focus on systems that are critical to business functions. This approach, while logical, often diverges from the perspective of a threat actor, who will take advantage of any weak link that can be exploited in order to reach those critical systems. As a result, devices that might initially seem inconsequential can become instrumental to a threat actor's success. IoT devices, for example, frequently escape rigorous security audits and retain default passwords and outdated software, offering threat actors potential pivot points in supposedly secure environments.

The second lesson is to consider that threats evolve to bypass security, just as security solutions do to stop attacks. Akira is an excellent example of this, transitioning from its original development in the programming language Rust to a newer version using C++. As ransomware-as-a-service (RaaS), it remains operable across both Windows and Linux systems, making it an exceptionally versatile threat.

The last lesson, and perhaps the most worrying, is threat actors are becoming more skilled at bypassing EDR. According to S-RM, some form of EDR was present in 40% of the attacks the security firm responded to. This was partly due to threat actors taking advantage of limited EDR coverage, a lack of active monitoring, or misconfiguration to bypass the tooling.

While EDR remains a critical security control, S-RM's data, and in this specific instance the Akira ransomware attack chain, illustrate that its implementation needs detailed thought, taking into account as many variables as humanly possible, including which devices on the network it cannot cover.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
