Akira Ransomware Makes a Play for VPNs Without Multi-Factor Authentication

In Q4 2023, Kroll identified an uptick in engagements involving Akira ransomware, a trend that has continued into 2024. Kroll observed that in the majority of cases, initial activity could be tracked back to a Cisco ASA VPN service.

Based on a review of cases, it is likely that this activity reflected previous reporting that affiliates distributing Akira were targeting VPNs that did not enforce multi-factor authentication and exploiting vulnerabilities in Cisco ASA and Firepower Threat Defense (FTD) services (CVE-2023-20263 and CVE-2020-3259).

First published on September 6, 2023, CVE-2023-20269 allows unauthenticated users to run a brute-force attack to identify valid credentials and establish a clientless SSL VPN session. At the time of publication, Cisco indicated that it was aware of the Akira ransomware group targeting the zero-day vulnerability in August 2023 by compromising organizations via Cisco VPNs that lacked multi-factor authentication.

This vulnerability stems from improper separation of authentication, authorization and accounting (AAA) between the remote access VPN feature and HTTPS management and site-to-site VPN features. The misconfiguration allows attackers to exploit the vulnerability by specifying a default connection profile/tunnel group, enabling brute-force attacks or the establishment of a clientless SSL VPN session using valid credentials.

In February 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Cisco vulnerability, CVE-2020-3259, to its catalog of known exploited vulnerabilities, following reports of its use for initial access by Akira. This CVE, if exploited, allows for an unauthenticated, remote attacker to retrieve memory contents of an affected device, thus disclosing confidential information such as credentials used to remotely log into the VPN. A patch was made available in 2020 to mitigate against this threat.

Cases observed by Kroll highlighted a similar fact pattern of intrusion activity once access occurred. This included persistence via remote management monitoring tools such as AnyDesk, the other internal network discovery via tools such as Advanced IP Scanner and Netscan to obtain Active Directory information. During this time, the actor used WinSCP for exfiltration and WinRar for compression. The actors leveraged Remote Desktop Protocol (RDP) or remote services creation to laterally move across systems and escalated privileges into a domain admin level account within two days of network access. Shortly after privilege escalation, Akira ransomware was deployed to encrypt systems.

Detecting Akira Ransomware

While the best course of action to prevent the current wave of Akira activity is to patch for the known VPN vulnerabilities, parsing out the timeline of events once the threat actor accesses the network identifies places where organization may be able to detect on and deters this activity before it leads to network encryption. A multi-layered defense in depth strategy is key to helping organizations maintain cyber resilience.

Initial access attempts leveraging external remote services may be detected earlier by maximizing log visibility for edge devices:

• Utilize network logs from technologies like RDP to enhance detection capabilities.
• Gather logs from edge networking technologies, firewalls, IDS/IPS, RDP, SSH and VPN.
• Implement centralized log management for streamlined analysis.
• Establish correlation rules to identify patterns indicative of suspicious activities.
• Monitor for multiple failed log-in attempts and brute-force attacks on edge devices.
• Regularly review and update logging configurations for relevance

For attackers that are not identified at access, Kroll typically sees the first stage of the intrusion focus on internal scouting. In this phase, they conduct reconnaissance within the network to identify and enumerate systems to help launch their attack. In the recently observed Akira campaign, threat actors leveraged legitimate tools such as AnyDesk and Netscan to help with network discovery. In this scenario, application whitelisting could help with detection:

• Alert on internal network discovery, especially for suspicious activities like dropping the Netscan binary.
• Be cautious of false positives, especially in areas with higher alerts, such as RDP and domain admin usage.
• Implement application whitelisting to control the execution of legitimate applications.
• Tighten controls on legitimate applications like AnyDesk, WinSCP and WinRar to prevent misuse.
• Use whitelisting to restrict the introduction of unauthorized binaries onto endpoints.

Once actors have gained a foothold into systems and conducted internal scouting, a next step is likely to be lateral movement. Kroll observes many ransomware actors leveraging RDP for such movement within the network, typically with a goal of escalating privileges into an account with domain administrator level privileges. Kroll recommends the following to detect such activity inside the network: 

• Monitor and alert on RDP usage, considering it as a potential source of network logs for detection.
• Flag the use of domain admin privileges, treating it as a critical security incident.
• Implement the principle of least privilege and break glass accounts to restrict and monitor high-level access.
• Consider disabling RDP or significantly limiting its use, especially if not essential for day-to-day activities.
• Scrutinize network traffic, especially the use of RDP, SSH and DNS, for potential threats.

The hands-on-keyboard objectives of threat actors like the Akira ransomware gang are focused on data theft and data encryption, which can be leveraged against the victim for financial extortion. Kroll has previously provided guidance on detecting exfiltration and recommends that organizations utilize endpoint monitoring tools such as EDR and next-gen antivirus for effective detection and deterrence.

Defending Against Akira: Key Steps

The similarities between ransomware variants provide opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity. To defend against ransomware such as Akira, Kroll’s Cyber Threat Intelligence (CTI) team advise organizations to take the following next steps:

• Enforce MFA for VPN access - Phishing-resistant MFA such as FIDO is essential to prevent phishing attacks. FIDO security keys or authenticators are the only devices that are effective at preventing phishing attacks.
• Prioritize patching for vulnerabilities impacting VPN appliances.
• Enable risk profiling or conditional access policies for remote access. This can deny access to a user attempting to log in under suspicious circumstances, and it can also be configured to only allow limited access if the user's authentication context has elevated risk criteria.
• Enable role-based access control to enforce the principle of least privilege; only users requiring remote access to a resource should have it. Regularly audit access control policies to ensure only required access is provisioned.
• Ensure user accounts are not vulnerable to credential stuffing and password spraying by enforcing a banned password policy. The policy should ban passwords that are known to be weak or that contain company or organizational words or passwords that have been discovered in previous breaches.
• Undertake regular attack simulations to detect weaknesses in edge appliances and validate security controls and detection capabilities.