This nasty ransomware is targeting Cisco VPNs to attack businesses

(Image credit: Shutterstock / binarydesign)

Operators of Akira, a relatively new entrant to the ransomware scene, have been targeting businesses using Cisco’s VPN products. 

By logging into compromised accounts, Akira’s members were able to breach corporate endpoints, steal sensitive data, and ultimately deploy ransomware.

This is according to research made by multiple cybersecurity firms, although what these firms can’t know for sure, is how Akira obtained the login credentials for the VPN service.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Save 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar's choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.

 Preferred partner (What does this mean?

Brute-forcing their way in?

Sophos, for example first spotted Akira in May 2023, saying the group accessed target networks through "VPN access using Single Factor authentication." Another incident responder, going by the alias Aura, noted that Akira managed to compromise these accounts because they weren’t protected with multi-factor authentication (MFA). 

Because Cisco ASA doesn’t have any logging features, the researchers can’t know for sure. Some speculate Akira might have brute-forced its way into these accounts, too, while others are of the opinion that the access was bought from a third party on a dark web forum. Researchers from SentinelOne, however, think a zero-day might be at play here, as well. Apparently, the researchers believe the flaw affects accounts without MFA set up.

Cisco’s VPN offerings are among the most popular ones among business users, with numerous organizations using them to securely transmit data between users and networks. By some, the tools are considered a must for remote and hybrid workers. 

It is also worth mentioning that cybersecurity experts from Avast published a decryptor for Akira in late June this year, which can be downloaded for free. However, Akira has since responded and updated its encryptor. Thus, the decryption will only work on older varians and businesses should not be overly confident they can salvage their sensitive data in case of an attack.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.