Pierluigi Paganini
January 13, 2024
The Finish National Cybersecurity Center (NCSC-FI) reported an increase in Akira ransomware attacks, targeting organizations in the country. Threat actors are wiping NAS and backup devices.
Akira ransomware infections were first reported in Finland in June 2023, however, in December the number of attacks increased. According to the NCSC-FI, six out of seven infections were caused by Akira family malware.
“Of these, three were found to be activated during the longer vacations of the Christmas season. In addition, during Christmas, there was one incident caused by another ransomware malware family.” reads the NCSC-FI’s alert. “In all cases, careful efforts have been made to destroy the backups, and the attacker will find it difficult to do this. NAS (Network-Attached Storage) servers that are often used for backups on the network have been hacked and wiped, as have automatic tape backup devices, and in almost every case we know of, all backups have been lost. We talked about NAS devices and ransomware in the weekly review 37/2022.”
The ransomware attack reported in late 2023, targeted organizations’ networks using poorly secured VPN gateway on Cisco ASA or FTD devices. The attackers exploited the vulnerability CVE-2023-20269 in Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). An unauthenticated, remote attacker can exploit the vulnerability to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
In September 2023, CISCO explained that the zero-day vulnerability was exploited by ransomware groups, such as the Akira ransomware gang, to target organizations.
At the end of August 2023, Cisco revealed that it was aware of attacks conducted by Akira ransomware threat actors targeting Cisco ASA VPNs that are not configured for multi-factor authentication.
Cisco investigated the hacking campaign with the help of Rapid7. Rapid7 researchers, they noticed that threat activity targeting Cisco ASA SSL VPN appliances dates back to at least March 2023.
The Finish researchers pointed out that the attack cannot bypass multi-step authentication. They also explained that organizations can protect against the destruction of backups taking offline backups.
The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
“For the most important backups, it would be advisable to follow the 3-2-1 rule. That is, keep at least three backups in two different locations and keep one of these copies completely off the network.” concludes the alert.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Akira ransomware)
