Akira ransomware targets Cisco VPNs to breach organizations (August 2023)
There's mounting evidence that Akira ransomware targets Cisco VPN products as an attack vector to breach corporate networks, steal data, and eventually encrypt it.
Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.
Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.
Akira targets Cisco VPNs
Sophos first noted Akira's abuse of VPN accounts in May, when researchers stated that the ransomware gang breached a network using "VPN access using Single Factor authentication."
An incident responder, known as 'Aura,' shared further information on Twitter on how they responded to multiple Akira incidents that were conducted using Cisco VPN accounts that weren't protected by multi-factor authentication.
A SentinelOne report shared privately with BleepingComputer and focusing on the same attack method presents the possibility of Akira exploiting an unknown vulnerability in Cisco VPN software that might be able to bypass authentication in the absence of MFA. SentinelOne found evidence of Akira using Cisco VPN gateways in leaked data posted on the group's extortion page and observed Cisco VPN-related traits in at least eight cases, indicating this is part of an ongoing attack strategy by the ransomware gang.