Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community.
Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.
Attack Overview
The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.
The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.
Swift Data Exfiltration
Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.
The Culprit: Storm-1567
Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.
Technical Insights
1. Legitimate Tools and Utilities
The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:
- Conduct reconnaissance to identify valuable data.
- Establish persistence within the compromised network.
- Efficiently exfiltrate sensitive information.
Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.
Key Takeaways
Patch Promptly
Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.
Backup Security Matters
Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.
Threat Intelligence and Vigilance
Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.
