Security researchers report that attackers targeting the steel industry are increasingly using the Akira ransomware to breach corporate networks through Cisco VPN appliances. Akira was first observed in March 2023 and has since been expanded with a Linux encryptor aimed at VMware ESXi virtual machines.
The attackers log in with already compromised Cisco VPN credentials, which spares them from installing additional backdoors or setting up other persistence mechanisms: a valid username and password is enough to reach the internal network. Attacks observed in May showed the intruders gaining access to corporate networks through VPN accounts protected only by single-factor authentication, as described in a report by Sophos.
According to the cybersecurity researcher "Aura," Cisco ASA lacks logging that would let defenders determine how the accounts were compromised, for example whether the passwords were brute-forced or bought on dark web markets.
SentinelOne WatchTower analysts suggest that Akira may be exploiting an as-yet-unknown vulnerability in the Cisco VPN software to bypass authentication. Once inside, the operators use RustDesk to move through compromised networks. RustDesk is a legitimate, open-source remote access tool that runs on Windows, macOS, and Linux and offers encrypted peer-to-peer connections and file transfer; because it is a legitimate tool, its presence is less likely to raise alarms than a custom implant.
Akira also employs other tactics on compromised hosts, including accessing and manipulating SQL databases, disabling the host firewall, enabling Remote Desktop (RDP), and turning off Windows Defender and LSA Protection. Each of these is a configuration change on the endpoint, which makes them observable to defenders who monitor the relevant registry keys and services.
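The host-level tactics listed above (firewall off, RDP on, Windows Defender and LSA Protection disabled) all land in well-known registry locations, so they can be detected from Sysmon RegistryEvent (Event ID 13, value set) telemetry. The following detection logic is an added example written for this page, not code from SentinelOne, Sophos, or Cisco; the sample events are constructed for the demo and are not telemetry from any real incident. The registry paths are the standard Windows ones; the rule names, field subset, and `Finding` structure are this example's own choices.

```python
"""Flag the defence-evasion registry changes described above in Sysmon
RegistryEvent records (Event ID 13, value set).

Added example: SAMPLE_EVENTS is constructed for this demo and is not real
telemetry. Registry paths are the standard Windows locations; rule names are
this example's own."""
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed Sysmon Event ID 13 records, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL",
     "Details": "DWORD (0x00000000)"},                       # LSA Protection turned off
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},                       # RDP connections allowed
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},                       # Defender disabled by policy
    {"EventID": 13, "Image": "C:\\Windows\\System32\\netsh.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall",
     "Details": "DWORD (0x00000000)"},                       # host firewall off
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL",
     "Details": "DWORD (0x00000001)"},                       # hardening, must not alert
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "", "Details": ""},                     # process create, ignored
]


class Rule(NamedTuple):
    name: str
    key_pattern: "re.Pattern"
    bad_value: int  # the DWORD value that means "protection removed"


# Patterns anchor on the tail of the key path so hive aliases (HKLM vs full path) do not matter.
RULES = [
    Rule("lsa_protection_disabled",
         re.compile(r"\\Control\\Lsa\\RunAsPPL$", re.I), 0),
    Rule("rdp_enabled",
         re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.I), 0),
    Rule("defender_disabled",
         re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I), 1),
    Rule("defender_realtime_disabled",
         re.compile(r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I), 1),
    Rule("firewall_disabled",
         re.compile(r"\\FirewallPolicy\\(Domain|Standard|Public)Profile\\EnableFirewall$", re.I), 0),
]


class Finding(NamedTuple):
    rule: str
    image: str
    target: str


_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{1,8})\)$")


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the int, or None for other types."""
    m = _DWORD.match(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per registry write that sets a watched key to its dangerous value."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        value = parse_dword(ev.get("Details", ""))
        if value is None:  # string/binary data or empty value: not a DWORD toggle
            continue
        target = ev.get("TargetObject", "")
        for rule in RULES:
            if rule.key_pattern.search(target) and value == rule.bad_value:
                findings.append(Finding(rule.name, ev.get("Image", ""), target))
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per rule, e.g. for a dashboard or alert threshold."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.target}")
```

Only the value that removes a protection triggers a rule, so the event that sets `RunAsPPL` back to 1 (or to 2, the UEFI-locked mode) is ignored, as are non-DWORD writes and non-registry events. In a real deployment the `Image` field is what separates an administrator's GPO refresh from `reg.exe` or `netsh.exe` run from a freshly obtained VPN session, so keep it in the alert.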
In response to the growing number of attacks, Cisco has pointed out that its VPN products support multi-factor authentication from various vendors, an additional layer of protection that would have blocked the single-factor logins seen in these intrusions.
In June 2023, the antivirus vendor Avast released a free decryption tool for files encrypted by Akira. The tool only works against older versions of the ransomware, however, as the Akira developers have since changed their encryption routine.