CISA Issues Warning: Akira Ransomware Exploiting Vulnerabilities in Cisco ASA/FTD.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the Akira ransomware exploiting a security flaw in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The specific vulnerability in question is CVE-2020-3259, which has a CVSS score of 7.5 and is classified as a high-severity information disclosure issue. This flaw could allow an attacker to retrieve memory contents from an affected device. Cisco patched this vulnerability in May 2020, but evidence suggests that it has been weaponized by Akira ransomware actors to compromise susceptible Cisco AnyConnect SSL VPN appliances over the past year.
Akira is one of the 25 ransomware groups with newly established data leak sites in 2023. The group has publicly claimed nearly 200 victims and shares connections with the notorious Conti syndicate. In the fourth quarter of 2023 alone, Akira listed 49 victims on its data leak portal. Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to secure their networks against potential threats.
What is Akira Ransomware?
Akira ransomware is a new and sophisticated threat that has been targeting organizations in recent months. The ransomware encrypts files on the victim’s system and then demands a ransom payment in order to decrypt them.
Quick highlights of Akira ransomware:
- First infection reported in 2017 by Karsten Hahn on Twitter.
- Targets both Windows-based and Linux-based systems.
- Uses symmetric encryption, with CryptGenRandom() and ChaCha 2008, for file encryption.
- Shares similarities with leaked Conti v2 ransomware according to Avast’s research.
- Avast released a decryptor for Akira Ransomware targeting 64-bit and 32-bit Windows-based systems.
- Leaked data is offered via torrents and direct download links on the same Tor-based website.
How does Akira Ransomware work?
Once on a device, the ransomware deletes the Windows Volume Shadow Copies. Shadow copies are point-in-time snapshots created by the Volume Shadow Copy Service (VSS) so that organizations can back up the data their applications rely on day to day; VSS lets files be backed up while they remain open and in use, without taking the application offline. Deleting the shadow copies removes the easiest local recovery path. The ransomware then encrypts files and appends the predefined “.akira” extension.
How does ransomware infect devices?
Ransomware is typically spread through spear-phishing emails carrying malicious attachments, usually archived (zip/rar) files. Other infection methods include drive-by downloads, in which visiting a compromised or malicious web page causes malicious code to be downloaded onto the device without the user intending it, and specially crafted web links in emails that download malicious code when clicked. Akira has reportedly also spread through insecurely exposed Remote Desktop connections.
Mitigation
- Actively patch widely publicized vulnerabilities as soon as fixes are released, since ransomware affiliates tend to mass-exploit them as a convenient, low-effort way to gain an initial foothold inside the network.
- Block file extensions commonly used to deliver malware, such as exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, and wsf.
- Update the SIEM and SOAR with the threat-hunting rule for Akira ransomware shared below.
- Actively triage alerts for the presence and use of tools such as AnyDesk, WinRAR, and PCHunter, which are commonly used to archive data for exfiltration and to maintain remote backdoor connections.
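As an added example (not from CISA, Avast or this article), the hunt logic below runs over constructed process-creation and file-event records and flags the three behaviours the article describes: shadow-copy deletion, a burst of “.akira” renames on one host, and use of the AnyDesk/WinRAR/PCHunter tools named in the last mitigation item. Host names, paths and the three-file threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs): (host, event_type, detail).
# Process rows carry a command line; file rows carry the written path.
SAMPLE_EVENTS = [
    ("ws01", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "process", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("ws01", "file", r"C:\Users\a\Documents\report.docx.akira"),
    ("ws01", "file", r"C:\Users\a\Documents\budget.xlsx.akira"),
    ("ws01", "file", r"C:\Users\a\Pictures\img1.jpg.akira"),
    ("ws02", "process", r"C:\Program Files\WinRAR\WinRAR.exe a -r staging.rar D:\finance"),
    ("ws02", "process", r"C:\Users\b\AppData\Local\AnyDesk\AnyDesk.exe"),
    ("ws03", "process", r"C:\Windows\System32\vssadmin.exe list shadows"),  # benign: list, not delete
    ("ws03", "file", r"C:\Users\c\notes.txt"),
]

# Shadow-copy deletion via vssadmin or WMIC (the VSS removal step described above).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Image names of the archiving / remote-access tools listed in the mitigation section.
TOOLS = re.compile(r"\\(anydesk|winrar|pchunter)[^\\]*\.exe", re.I)
AKIRA_EXT = re.compile(r"\.akira$", re.I)
EXT_THRESHOLD = 3  # assumed tuning value: .akira files per host before flagging a burst


def hunt(events):
    """Return {host: sorted list of finding labels} for hosts with at least one finding."""
    findings = {}
    akira_counts = Counter()
    for host, kind, detail in events:
        hits = findings.setdefault(host, set())
        if kind == "process":
            if SHADOW_DELETE.search(detail):
                hits.add("shadow_copy_deletion")
            if TOOLS.search(detail):
                hits.add("exfil_or_remote_tool")
        elif kind == "file" and AKIRA_EXT.search(detail):
            akira_counts[host] += 1
    for host, n in akira_counts.items():
        if n >= EXT_THRESHOLD:
            findings[host].add("akira_extension_burst")
    return {h: sorted(f) for h, f in findings.items() if f}


def prioritize(findings):
    """Hosts showing two or more distinct behaviours: escalate these first."""
    return sorted(h for h, f in findings.items() if len(f) >= 2)


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    print(result, prioritize(result))
```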
Remember that prevention is crucial, but having a robust backup strategy and a well-prepared incident response plan are equally important. Stay vigilant and keep your systems protected!