Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Akira Ransomware. Show all posts
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
SonicWall
Akira Ransomware Cyber Attacks MFA Ransomware SonicWall

Hackers Use SonicWall Security Flaw in Ransomware Attacks


 

In the latest ransomware attack, operators have started using a critical bug in SonicWall SonicOS firewall devices as an entry point for compromising business networks. The vulnerability, identified as CVE-2024-40766, is from the management access interface of the firewall and thus impacts all current devices spanning across Generation 5, Generation 6, and Generation 7. A patch was issued by SonicWall on August 22 to address the issue and asked its users to update their appliances. It later turned out that the same weakness also affects the SSLVPN feature of the devices, which has recently been exploited in the wild.

Arctic Wolf security researchers reported that operators of the Akira ransomware strain have been leveraging the bug for initial access to business networks. These appeared to be the types of attacks that involved compromised accounts, local to the affected devices and independent of centralised authentication systems such as Microsoft Active Directory. What's more, the affected accounts were noted to have MFA disabled, further compromising them. The affected breached devices were running firmware versions in the range vulnerable to CVE-2024-40766.

Apart from Arctic Wolf's discovery, the incidents of ransomware groups making their ways into SonicWall SSLVPN accounts were also reported by the security firm Rapid7. While the incidents being connected to the vulnerability CVE-2024-40766 are purely speculative, the company has underlined the need to take precautions.

Immediate Security Recommendations

The cybersecurity researchers at SonicWall, Arctic Wolf, and Rapid7 have strongly recommended that the administrators take to the immediate implementation of the latest SonicOS firmware updates. Specifically, SonicWall has advised customers to allow access to the Firewall management and SSLVPN features only from trusted sources and block it from the internet, if possible. It has also underlined the implementation of MFA for all SSLVPN users by leveraging the use of TOTP or email-based authentication.

Given the threat, this vulnerability has been added to the Known Exploited Vulnerabilities catalogue by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA. Federal agencies were directed to patch their vulnerable SonicWall devices before September 30, according to Binding Operational Directive, or BOD 22-01. That is the gravity of this vulnerability and how urgently the organisations need to act.

SonicWall Devices Targeted in Previous Attacks

SonicWall devices have been routine targets in the past, due to which the hackers exploit security flaws and gain entry to the corporate networks. For instance, suspected Chinese hackers installed malware on SonicWall Secure Mobile Access (SMA) devices, which persists on firmware upgrades. The Ransomware groups-HelloKitty, FiveHands, and now Akira-keeps exploiting similar vulnerabilities in the SonicWall systems for attacks.

Given that SonicWall serves over 500,000 customers, including government agencies and major corporations worldwide, the pervasive nature of these vulnerabilities calls for timely patching and stout security practices. "The company has urged that all users of the affected products must apply the latest updates in order to protect their systems against future attacks.


Read more »
Threat actors
Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.
2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Read more »
USA
Akira Ransomware Canada cyber attack Cyber Attacks Ransomware ransomware attacks USA

Akira Ransomware Unleashes Cyber Storm: Targets North American Companies

In the continually changing realm of cyber threats, organizations find themselves urgently needing to strengthen their cybersecurity measures to combat the increasing complexity of ransomware attacks. The focus is on Akira, a recently discovered ransomware family, highlighting a group of cyber adversaries armed with advanced tactics and led by highly skilled individuals. 

In a recent analysis of blockchain and source code data, the Akira ransomware has surged to prominence, rapidly establishing itself as one of the fastest-growing threats in the cyber landscape. This surge is attributed to its adept utilization of double extortion tactics, adoption of a ransomware-as-a-service (RaaS) distribution model, and the implementation of unique payment options. 

Who are the Targets? 

The Akira ransomware made its debut in March 2023, and its sights are set on companies in the United States and Canada. But what is really catching attention is its unique Tor leak site, which, as per Sophos' report, brings back vibes of "1980s green-screen consoles." Users need to type specific commands to navigate through this throwback-style interface. 

What is even more intriguing is that, despite sharing the same .akira file extension for encrypted files, the new Akira is nothing like its 2017 counterpart when it comes to the code under the hood. This twist highlights the ever-evolving nature of cyber threats, where old names come back with a new style and a fresh set of tricks. 

The Akira encryptor 

The Akira ransomware was found by MalwareHunterTeam, and they shared a part of it with BleepingComputer. When it starts working, Akira does something serious – it deletes Windows Shadow Volume Copies on the device. It uses a special command to do this: 

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" 
 
Furthermore, linkages between the Akira ransomware group and the now-defunct Conti ransomware gang have come to light, indicating a potential affiliation. Conti, renowned as one of the most notorious ransomware families in recent history, is believed to have evolved from the highly targeted Ryuk ransomware, marking a lineage of prolific cyber threats. The intricate connections between these ransomware entities underscore the evolving nature of cyber threats and the persistence of criminal organizations in adapting and expanding their malicious operations.
Read more »
US Energy Service
Akira Ransomware BHI Energy Data Breach Personal Data Breach Ransomware attack US Energy Service

US Energy Service Shared Details on How Akira Ransomware Hacked its Network


US energy service firm BHI Energy recently shared how it compromised its network and data in a ransomware campaign conducted by the Akira ransomware.  

BHI Energy, a division of Westinghouse Electric Company, provides specialized engineering services and workforce solutions to support government and private-run power generation facilities, including nuclear, wind, solar, and fossil fuel units and transmission and distribution lines for energy. 

The company has sent a data breach notification to affected individuals, where it has provided details on how the ransomware gang (Akira) breached its network on May 30, 2023.  

The Akira threat actor initiated the attack by utilizing the compromised VPN credentials of a third-party contractor to gain entry to BGI Energy's internal network. 

"Using that third-party contractor's account, the TA (threat actor) reached the internal BHI network through a VPN connection[…]In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network," the breach notification read.  

On June 16, 2023, the Akira operators checked the network again to see how much data had been taken. The threat actors took 690 GB of data, including the Windows Active Directory database of BHI, in 767k files between June 20 and June 29.

After obtaining the data from BHI's network, the threat actors deployed the Akira ransomware on every targeted system to encrypt files on June 29, 2023. At this point, the IT staff at BHI were aware that the business had been compromised. 

The data obtained by the ransomware group involved the personal information of the victim. In an investigation held on September 1, 2023, it was revealed that the stolen data included: 

  • Full name 
  • Date of birth 
  • Social Security Number (SSN) 
  • Health information
The firm confirms that in order to assist them in recovering the affected systems, they got in touch with external experts and informed law enforcement about the breach. On July 7, 2023, the threat actor's access to BHI's network was eliminated. 

The firm claims that it was able to restore its systems without having to pay a ransom because it was able to retrieve data from a cloud backup solution that was unaffected by the ransomware attack.

Moreover, by implementing multi-factor authentication for VPN access, resetting all passwords globally, expanding the deployment of EDR and AV technologies to cover every area of its environment, and decommissioning legacy systems, BHI strengthened its security protocols even further.  

Read more »
Vulnerabilities and Exploits
Akira Ransomware Cisco COTS Cyberattacks CyberCrime Data Loss LSASS Malicious Attacks MFA Ransomware VPN Vulnerabilities and Exploits

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs

 


The Cisco Network Security Division is aware of reports suggesting that malicious individuals are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication with the Akira ransomware threat. In some instances, threat actors are targeting organizations that do not configure multi-factor authentication for their VPN users. Some instances have been observed where threat actors are targeting organizations that are not doing so. 

It has been verified by several cybersecurity firms that Cisco VPN products are being targeted with ransomware, and there are reports that the perpetrators are members of a relatively new gang known as Akira who have perpetrated the attack. 

Typically, this ransomware campaign is targeted at corporate entities to gain sensitive information about them and make money through charging ransoms as a means of obtaining this sensitive information. All members of Akira have to do to access their accounts is to log in to the VPN service by using their Akira account details. 

As part of Cisco's investigation of similar attack tactics, the company has actively collaborated with Rapid7. Thanks to Rapid7 for providing Cisco with a valuable collaboration over the last few months. To provide secure, encrypted data transmission between users and corporate networks, Cisco VPN solutions are widely adopted across a wide range of industries, primarily by employees who work remotely and rely on these solutions to do so. 

The Akira Ransomware Attack 


As of March 2023, there have been multiple instances of the Akira ransomware. To attack VMware ESXi servers, the group developed an encryptor for Linux that, like many other ransomware gangs, targets this server type.

If the ransom demands are not met, the threat actors responsible for the Akira ransomware will employ a variety of extortion strategies and they will run a website using the Tor network (with an IP address ending in .onion) that lists victims and the information they have stolen from them. To begin negotiations, victims are instructed to contact the attackers via a TOR-based website, through a unique identifier provided in the ransom message, that can be used to contact them. 

It was first discovered by Sophos researchers in May that the ransomware gang was abusing VPN accounts to breach a network with the use of "VPN access using Single Factor authentication." A person known as 'Aura', who responded to multiple Akira attacks as part of the Akira operation, shared on Twitter further information about how he and other incident responders dealt with incidents that were carried out using Cisco VPN accounts that were not protected by multi-factor authentication. 

Akira is a malicious program that targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, as well as the financial sector. As part of its encryption capabilities, the Linux versions of Akira ransomware make use of the Crypto++ library to enable the encryption process on the target device. Akira offers only a limited number of commands, but there are no options to shut down VMs before encrypting them using Akira. 

With the -n parameter of the command, there is still the possibility of the attacker modifying the encryption speed and the chance that the victim's data can be recovered. Consequently, if the encryption speed is high, there is a slim chance that the victim who is hiding the data will be able to recover it with the help of a decryption tool. 

The first indication of Akira's activities was picked up by a cybersecurity firm based in the US in March 2023, called Arctic Wolf. Their research shows that small and medium-sized businesses worldwide have been the main target of attackers and that they have paid particular attention to the US and Canada in particular. Akira, as well as Conti's operators, have also been linked between the researchers. 

There was a recent report from the SentinelOne WatchTower, shared privately with BleepingComputer, that looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that may be able to bypass authentication in the absence of the multi-factor authentication mechanism. 

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances were observed that displayed Cisco VPN-related characteristics, which shows that the ransomware gang is continuing to use Cisco VPN gateways as part of their ongoing extortion scheme. 

Implementing VPNs Without MFA


As a general rule, when an attacker tries to target VPNs or any other type of network services or applications, the first stage of their attack is to exploit an exposed service or application. In many cases, attackers focus on the fact that there is no multi-factor authentication (MFA) or there is a known vulnerability in VPN software in the form of software that has multi-factor authentication. 

Once the attackers have gained access to a target network, they attempt to breach the network using LSASS dumps (Local Security Authority Subsystem Service) to obtain credentials that will enable them to move further within the network and raise privileges if necessary. 

There have also been reports that this group has been using other tools, such as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, or creating minidump files, to gather further intelligence about or pivot within the target network, as well as using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf tools (COTS). 

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using the legitimate open-source remote access tool RustDesk which works similarly to RustDesk. It has been announced that cybersecurity company Avast has released a free decryptor that can be used by victims of the Akira ransomware to restore their valuable data without having to pay a ransom.

It was decided by the threat actors to encrypt their encryptors by patching them. By doing so, they would prevent victims from using them to recover data that was encrypted by the newer version of the encryption. Business users prefer Cisco VPN products due to their reliability and ease of use. 

Data transmission between networks/users can be made more secure with this technique, which is relied upon by organizations. Those who work in a hybrid or remote environment are expected to comply with it as a matter of course. That is why there might be a desire on the part of threat actors to exploit the vulnerability. Data loss and computer extortion attempts from ransomware operators can be prevented by organizations remaining vigilant and ensuring foolproof digital security measures.
Read more »
Subscribe to: Posts (Atom)