Akira Ransomware Attacks Windows Server via RDP and Evades EDR Using a Webcam

A sophisticated ransomware group called Akira has been responsible for approximately 15% of cybersecurity incidents in 2024.

The threat actor has deployed novel techniques to bypass security defenses, most notably by exploiting unsecured webcams to circumvent Endpoint Detection and Response (EDR) tools when deploying ransomware across corporate networks.

This innovative attack vector demonstrates the evolving tactics of cybercriminals who continuously adapt to overcome security measures deployed by organizations.


In a recent incident, S-RM’s team responded to an Akira ransomware attack where the threat actors initially followed their typical playbook.

After compromising the victim’s network through an externally facing remote access solution, they deployed AnyDesk.exe to maintain persistent access before exfiltrating sensitive data.

The attackers then moved laterally through the network using Remote Desktop Protocol (RDP), which allowed them to blend in with legitimate system administrator activities, making detection more challenging for security teams.

The attackers attempted to deploy their ransomware payload by uploading a password-protected zip file named ‘win.zip’ containing the malicious executable ‘win.exe’ to a Windows server.

However, this initial attempt was prevented when the organization’s EDR solution identified and automatically quarantined the suspicious file before it could be extracted and executed. This detection prompted the threat actors to pivot their approach rather than abandon the operation.

Following the failed deployment attempt, the attackers leveraged results from a previously conducted internal network scan that had identified Internet of Things (IoT) devices on the victim’s network, including webcams and a fingerprint scanner.

S-RM’s researchers noted that these devices presented an opportunity for the attackers to bypass traditional security controls and continue their malicious campaign.

Webcam Exploitation Technique

The threat actors identified a vulnerable webcam as an ideal pivot point for several technical reasons.

The device had critical security vulnerabilities, including remote shell access; it ran a lightweight Linux operating system that accepted commands much like any standard Linux host; and, crucially, it lacked any EDR protection because its limited storage could not accommodate an agent.

Akira ransomware IoT attack chain (Source – S-RM)

After compromising the webcam, the attackers used it to generate malicious Server Message Block (SMB) traffic directed at the targeted Windows server.

This traffic went undetected by the organization’s security monitoring systems, allowing the threat actors to successfully encrypt files across the victim’s network.

The SMB protocol, although less efficient than other deployment methods, proved effective when used from a device that the organization’s security monitoring tools could not cover.

The ransomware binary used in this attack was identified with the SHA-1 hash ac9952bcfcecab for the Linux variant, while the Windows variant had a hash of 3920f3c6368651.

Security experts recommend implementing network segmentation for IoT devices, performing regular internal network audits, maintaining strict patch management practices for all connected devices, changing default passwords on IoT equipment, and powering off such devices when not in use to mitigate this emerging threat vector.
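The two defensive points above (SMB traffic from an EDR-less IoT device reaching a Windows server, and the recommendation to inventory and segment IoT equipment) can be turned into a concrete detection. The following script is an added example written for this article; it is not code from S-RM or from the incident. It assumes a small asset inventory that records each host’s device class and whether an EDR agent runs on it, a list of IoT network segments, and network flow records in a constructed "timestamp src dst dport proto bytes" format. All addresses and device names are hypothetical. It flags any SMB session (TCP 139/445) to a Windows server whose source is in an IoT segment, has no EDR coverage, is not a managed endpoint class, or is missing from the inventory entirely, which also surfaces segmentation and inventory gaps the recommendations call for.

```python
"""Detection example: SMB sessions to Windows servers from IoT or EDR-less hosts.

The inventory, segment list and flow records below are constructed for this
example; the addresses and device names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {139, 445}

# Constructed asset inventory: address -> device class and whether an EDR agent runs on it.
INVENTORY = {
    "10.10.1.15": {"type": "workstation", "edr": True},
    "10.10.2.10": {"type": "windows-server", "edr": True},
    "10.10.5.23": {"type": "webcam", "edr": False},
    "10.10.5.40": {"type": "fingerprint-scanner", "edr": False},
}

# Constructed IoT segments; nothing here should ever originate SMB toward a server.
IOT_SEGMENTS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow records (hypothetical): "timestamp src dst dport proto bytes".
SAMPLE_FLOWS = """\
2025-03-05T10:01:12Z 10.10.1.15 10.10.2.10 445 tcp 18240
2025-03-05T10:03:45Z 10.10.5.23 10.10.2.10 445 tcp 982114
2025-03-05T10:04:02Z 10.10.5.23 10.10.2.10 139 tcp 4100
2025-03-05T10:05:30Z 10.10.5.40 10.10.2.10 445 tcp 1200
2025-03-05T10:06:00Z 10.10.1.15 10.10.2.10 3389 tcp 50000
2025-03-05T10:07:11Z 10.10.5.99 10.10.2.10 445 tcp 77000
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def smb_source_findings(flow: Flow) -> list[str]:
    """Return the reasons this flow's source should not be speaking SMB to a server.

    An empty list means the flow is either not SMB-to-server or comes from a
    managed, EDR-covered endpoint.
    """
    if flow.dport not in SMB_PORTS or flow.proto != "tcp":
        return []
    if INVENTORY.get(flow.dst, {}).get("type") != "windows-server":
        return []
    reasons = []
    src_ip = ipaddress.ip_address(flow.src)
    if any(src_ip in seg for seg in IOT_SEGMENTS):
        reasons.append("source is in an IoT segment")
    asset = INVENTORY.get(flow.src)
    if asset is None:
        # Unknown hosts are an inventory gap in their own right.
        reasons.append("source is not in the asset inventory")
    else:
        if not asset["edr"]:
            reasons.append("source has no EDR coverage")
        if asset["type"] not in ("workstation", "windows-server"):
            reasons.append(f"source device class '{asset['type']}' is not a managed endpoint")
    return reasons


def detect(lines):
    """Run the SMB-source check over flow records and return the alerts raised."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = smb_source_findings(flow)
        if reasons:
            alerts.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                           "dport": flow.dport, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS.splitlines()):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']}: " + "; ".join(a["reasons"]))
```

Run against the constructed flows, the workstation-to-server SMB session and the RDP session pass silently, while the three IoT-sourced SMB sessions and the one from an uninventoried address in the IoT segment are reported. In a real deployment the inventory would come from the CMDB or EDR console and the flows from a firewall, NetFlow or Zeek export; the value of the rule is that it keys on the source’s lack of coverage rather than on any signature of the payload.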


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.