Monday, March 31, 2025

How IP cameras might help attackers


Cybersecurity professionals will doubtless draw upon the Akira ransomware attack as a key learning example for years to come. The attackers encrypted a company's computers by hacking a surveillance camera. While counterintuitive at first glance, the sequence of events follows a logic that can be easily applied to a different organization and different devices within its infrastructure.

Anatomy of the attack

Attackers exploited a vulnerability in a public-facing application to penetrate the network and execute commands on an infected host. Following the initial breach, they launched the popular remote access tool AnyDesk and initiated an RDP session with the organization's file server. Accessing the server, they tried to run ransomware, but the company's EDR system detected and quarantined it. Alas, this didn't stop the attackers.

Unable to deploy the ransomware on servers or workstations, which were protected by EDR, the attackers ran a LAN scan and found a network video camera. Despite repeated references to a "webcam" in the incident investigation report, we believe it wasn't the built-in camera of a laptop or smartphone, but a standalone networked device for video surveillance.

There were several reasons why the camera was an ideal target for the attackers:

  • Due to its severely outdated firmware, the device was vulnerable to remote exploitation, which granted attackers shell access and the ability to execute commands.
  • The camera ran a lightweight Linux build capable of executing standard binaries for this operating system. Coincidentally, Akira's arsenal contained a Linux-based encryption tool.
  • This specialized device lacked (and likely was incapable of supporting) an EDR agent or any other security controls to detect malicious activity.

The attackers were able to install their malware on the camera, and used the device as the foothold for encrypting the organization's servers.

How to avoid being the next victim

The IP camera incident vividly illustrates certain principles of targeted cyberattacks, and provides insight into effective countermeasures. Here's a ranking of the countermeasures, from the simplest to the most complex:

  • Limit access to specialized network devices and their permissions. A major factor in this attack was the IP camera's overly permissive access to the file servers. These devices should reside within an isolated subnet. If that's not possible, they should be given the fewest possible permissions to communicate with other computers. For example, write access should be restricted to a single folder on a single specific server where video recordings are stored. And access to the camera and this folder should be restricted to workstations used only by security and other authorized personnel. While implementing these restrictions may be harder for other specialized devices (such as printers), it's readily achievable with cameras.
  • Deactivate non-essential services and default accounts on smart devices, and change default passwords.
  • Use an EDR solution across all servers, workstations, and other compatible devices. The chosen solution must be capable of detecting anomalous server activity, such as remote encryption attempts via SMB.
  • Extend vulnerability and patch management programs to include all smart devices and server software. Start by conducting a detailed inventory of such devices.
  • Where possible, implement monitoring, such as telemetry forwarding to a SIEM system, even on specialized devices where EDR deployment isn't possible: routers, firewalls, printers, video surveillance cameras, and similar devices.
  • Consider transitioning to an XDR-class solution, which combines network and host monitoring with anomaly-detection technologies, and tools for manual and automatic incident response.
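The first and fifth countermeasures can be checked against network telemetry. The Python below is an added example, not taken from the original article or the incident report: it audits flow records for camera traffic that falls outside a least-privilege allow-list and lists cameras that sent SMB traffic to non-approved hosts. The subnet, the recording-server address, and the CSV flow format are all constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Assumed policy (hypothetical addresses): cameras sit in one subnet and may
# reach only the recording server over SMB (TCP 445).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {("10.20.10.5", 445)}

# Constructed flow records: time, source, destination, dest port, bytes sent
SAMPLE_FLOWS = """\
2025-03-01T02:00:01,10.20.30.17,10.20.10.5,445,48213377
2025-03-01T02:00:09,10.20.30.18,10.20.10.5,445,51200412
2025-03-01T02:13:40,10.20.30.17,10.20.10.8,445,910233811
2025-03-01T02:13:42,10.20.30.17,10.20.10.9,445,774120093
2025-03-01T02:14:05,10.20.30.17,10.20.10.5,22,1830
2025-03-01T02:15:00,10.20.40.3,10.20.10.8,445,120394
"""

def audit_flows(text):
    """Map each camera IP to its flows that fall outside the allow-list."""
    findings = defaultdict(list)
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # malformed record: skip instead of aborting the audit
        _ts, src, dst, port, sent = row
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # validate only; compared as a string
            port, sent = int(port), int(sent)
        except ValueError:
            continue
        if src_ip in CAMERA_NET and (dst, port) not in ALLOWED:
            findings[src].append((dst, port, sent))
    return dict(findings)

def smb_fanout(findings):
    """Per camera, list distinct non-approved hosts it contacted over SMB."""
    out = {}
    for cam, flows in findings.items():
        hosts = sorted({dst for dst, port, _ in flows if port == 445})
        if hosts:
            out[cam] = hosts
    return out

if __name__ == "__main__":
    found = audit_flows(SAMPLE_FLOWS)
    for cam, hosts in smb_fanout(found).items():
        print(f"ALERT {cam} sent SMB traffic to non-approved hosts: {hosts}")
```

The same rule expressed as a SIEM correlation would alert on any SMB session from the camera subnet to a destination other than the recording server.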




