Security News > 2023 > August > Akira ransomware targets Cisco VPNs to breach organizations
There's mounting evidence that Akira ransomware targets Cisco VPN products as an attack vector to breach corporate networks, steal, and eventually encrypt data.
Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.
Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.
Akira targets Cisco VPNs. Sophos first noted Akira's abuse of VPN accounts in May, when researchers stated that the ransomware gang breached a network using "VPN access using Single Factor authentication."
An incident responder, known as 'Aura,' shared further information on Twitter on how they responded to multiple Akira incidents that were conducted using Cisco VPN accounts that weren't protected by multi-factor authentication.
A SentinelOne report shared privately with BleepingComputer and focusing on the same attack method presents the possibility of Akira exploiting an unknown vulnerability in Cisco VPN software that might be able to bypass authentication in the absence of MFA. SentinelOne found evidence of Akira using Cisco VPN gateways in leaked data posted on the group's extortion page and observed Cisco VPN-related traits in at least eight cases, indicating this is part of an ongoing attack strategy by the ransomware gang.
News URL
Related news
- Helldown ransomware exploits Zyxel VPN flaw to breach networks (source)
- LA housing authority confirms breach claimed by Cactus ransomware (source)
- VPN vulnerabilities, weak credentials fuel ransomware attacks (source)
- Bologna FC confirms data breach after RansomHub ransomware attack (source)
- BT unit took servers offline after Black Basta ransomware breach (source)
- Anna Jaques Hospital ransomware breach exposed data of 300K patients (source)
- Rhode Island confirms data breach after Brain Cipher ransomware attack (source)
- Krispy Kreme breach, data theft claimed by Play ransomware gang (source)