The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The group now is targeting Cisco VPN products to gain initial access to corporate networks.
Sophos researchers observed in May the threat actor using compromised Cisco VPN accounts to breach target networks.
Bleeping Computer reported that information shared by the incident responder that goes as ‘Aura’ on Twitter. Aura confirmed that threat actors targeted organizations using CISCO VPN appliances without MFA enabled.
BleepingComputer also reported that SentinelOne is investigating the possibility that the Akira ransomware group is exploiting an unknown vulnerability in the Cisco VPN software. The experts speculate that this issue might allow threat actors to bypass authentication in the absence of MFA and that the group launched an ongoing campaign against Cisco VPN appliances.
SentinelOne researchers also observed Akira operators using the legitimate RustDesk open-source remote access tool to maintain access to compromised networks.
In June, cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom.
The threat actors responded by patching their encryptors, making it impossible for victims use them to recover data encrypted by newer versions.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Akira ransomware)
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.