Akira ransomware slips past IT protection solution via webcam

The company network is actually protected by security software, which is effective. Nevertheless, a Trojan was able to infect PCs via a detour.


(Image: Skorzewiak/Shutterstock.com)


Security researchers from S-RM are alerting network admins to the loopholes attackers can use to get into networks that are, in principle, protected. In their current example, the Akira ransomware still gained access to computers and encrypted data after an initial failed attempt.

In a report, they explain how the attackers proceeded. Initially, the cyber criminals proceeded according to the usual pattern and gained network access via an externally visible remote access port.

They then moved to a server via the Remote Desktop Protocol (RDP). From there, they wanted to unleash their ransomware, but the endpoint detection and response (EDR) solution intervened and quarantined the malware before it could be executed. That attack was successfully thwarted.

Before the criminals tried to activate their Trojan, they scanned the network and discovered a webcam. Because, according to the researchers, the device's software had several critical security vulnerabilities and it was not monitored by the EDR software, they used it to launch another attack attempt.


For the reasons given, this attempt succeeded and the Akira ransomware infected PCs: the attackers used the webcam's Linux system to distribute the malicious code over SMB traffic.

The problem is that such IoT devices often have security vulnerabilities, some of which are never patched. In addition, a webcam is often overlooked when setting up IT security concepts and can therefore serve as a springboard for attackers.

Accordingly, the security researchers recommend dividing networks into segments so that IoT devices sit in isolated areas. It also makes sense to monitor the traffic of such devices so that anomalies can be detected and acted on. Security updates, where available, are of course mandatory.
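As an added illustration of the monitoring the researchers recommend (example code, not from S-RM or heise), the following flags flows in which a host on an assumed IoT segment initiates SMB or other administrative-protocol connections toward internal hosts. The segment range 10.50.0.0/24, the internal ranges and the flow records are all constructed placeholders.

```python
"""Flag IoT-segment hosts that initiate SMB/RDP/SSH-style connections to
internal hosts. Sample flow records are constructed, not from the incident."""
import ipaddress
from collections import namedtuple

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")          # assumed camera VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]         # assumed corporate ranges
# Protocols a camera has a reason to speak; anything else is an inconsistency
ALLOWED_DST_PORTS = {53, 123, 443, 554}                      # DNS, NTP, HTTPS, RTSP
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH", 135: "RPC"}

Flow = namedtuple("Flow", "ts src dst dport proto")

def parse_flow(line):
    """Parse one whitespace-separated record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)

def is_suspicious(flow):
    """True if an IoT host opens a non-allowlisted admin protocol to an internal host."""
    if flow.src not in IOT_SEGMENT or flow.proto != "tcp":
        return False
    if flow.dport in ALLOWED_DST_PORTS:
        return False
    internal_dst = any(flow.dst in net for net in INTERNAL_NETS)
    return internal_dst and flow.dport in LATERAL_PORTS

def find_suspicious(lines):
    """Return (flow, protocol label) pairs for IoT-originated lateral traffic."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_suspicious(flow):
            hits.append((flow, LATERAL_PORTS[flow.dport]))
    return hits

SAMPLE_FLOWS = """
# ts                  src          dst           dport proto   (constructed)
2025-01-01T02:14:01Z 10.50.0.23   10.50.0.1     53    udp
2025-01-01T02:14:05Z 10.50.0.23   203.0.113.10  443   tcp
2025-01-01T02:15:10Z 10.50.0.23   10.10.4.17    445   tcp
2025-01-01T02:15:12Z 10.50.0.23   10.10.4.18    445   tcp
2025-01-01T02:16:00Z 10.10.4.5    10.10.4.17    445   tcp
""".strip().splitlines()

if __name__ == "__main__":
    for flow, label in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT {flow.ts}: IoT host {flow.src} -> {flow.dst}:{flow.dport} ({label})")
```

The last sample line, SMB between two ordinary internal hosts, is deliberately not flagged; the rule targets only traffic that a camera should never originate.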

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.