CISA updates advisory on Akira ransomware with new attack details
The Cybersecurity and Infrastructure Security Agency (CISA), together with federal and international partners, issued an updated advisory on Akira ransomware, highlighting new attack methods and the risks they pose to a range of organizational sectors.
The advisory references specific CVEs affecting edge devices and backup servers that are exploited through authentication bypass, Cross-Site Scripting (XSS), buffer overflow, and brute-force credential attacks. It describes abuse of remote management tools such as AnyDesk and LogMeIn, exploitation of Veeam vulnerabilities, bring-your-own-vulnerable-driver (BYOVD) attacks using POORTRY malware, and use of protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH). Threat actors deploy Ngrok for encrypted command-and-control channels and employ SystemBC and STONETOP malware alongside a newly identified Akira_v2 ransomware variant with accelerated encryption capabilities.
Consequences outlined include unauthorized network discovery, firewall modification, termination of antivirus and Endpoint Detection and Response (EDR) processes, domain account creation, data exfiltration via File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP), and cloud services, and disruption of system recovery processes by the enhanced ransomware variant.
The advisory confirms that patches are available for the known vulnerabilities, specifically the Virtual Private Network (VPN) and backup server flaws. It highlights the critical role of Multifactor Authentication (MFA) in mitigating remote-access abuse and recommends monitoring for atypical network and account activity, supported by deployment of EDR tools.
The guidance limits itself to urging implementation of the existing patches and security controls described above, without introducing additional defensive measures.
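As an added example (not part of CISA's advisory or of this summary), the following Python script shows one way to act on the monitoring recommendation above: it scans constructed Windows-style process-creation and account-creation records for the behaviours the advisory lists (network discovery, firewall modification, AV/EDR process termination, domain account creation, FTP/SFTP exfiltration tooling) and scores each host so that clusters of these behaviours surface for triage. Event IDs 4688 and 4720 are real Windows Security log IDs; the hostnames, command lines, rule weights and the scoring threshold are assumptions made for the example.

```python
"""Toy behaviour detector for the post-compromise activity the advisory lists.

Added example, not code from CISA or the advisory. Records are constructed;
event IDs 4688 (process creation) and 4720 (user account created) are real
Windows Security log IDs, everything else here is illustrative.
"""
import re
from collections import defaultdict

# Constructed records: (host, event_id, detail). A real feed would come from
# the Security log, Sysmon, or an EDR, but the shape is the same.
SAMPLE_EVENTS = [
    ("WS01", 4688, 'cmd.exe /c net group "domain admins" /domain'),
    ("WS01", 4688, "netsh advfirewall set allprofiles state off"),
    ("WS01", 4688, "taskkill /f /im MsMpEng.exe"),
    ("DC01", 4720, "New account created: svc_backup2"),
    ("WS01", 4688, 'winscp.com /command "open sftp://203.0.113.5"'),
    ("WS02", 4688, "notepad.exe report.txt"),
]

# Each rule: (name, event id it applies to, regex over the detail, weight).
# The process names in av_edr_termination should be the site's own AV/EDR
# processes; MsMpEng (Microsoft Defender) stands in here. Weights are assumed.
RULES = [
    ("network_discovery", 4688,
     re.compile(r"\b(net (group|view|user)|nltest|nslookup)\b", re.I), 1),
    ("firewall_modification", 4688,
     re.compile(r"netsh\s+advfirewall|Set-NetFirewallProfile", re.I), 2),
    ("av_edr_termination", 4688, re.compile(r"taskkill.*\bMsMpEng\b", re.I), 3),
    ("domain_account_creation", 4720, re.compile(r"."), 2),
    ("exfil_tooling", 4688,
     re.compile(r"\b(winscp|ftp|sftp|rclone)\b", re.I), 2),
]

def match_rules(events):
    """Return {host: {rule_name: hit_count}} for every rule that fired."""
    hits = defaultdict(lambda: defaultdict(int))
    for host, event_id, detail in events:
        for name, wanted_id, pattern, _weight in RULES:
            if event_id == wanted_id and pattern.search(detail):
                hits[host][name] += 1
    return {host: dict(rules) for host, rules in hits.items()}

def score_hosts(events, threshold=4):
    """Sum rule weights per host; hosts at or above the threshold need triage."""
    weights = {name: weight for name, _, _, weight in RULES}
    scores = {host: sum(weights[n] * c for n, c in rules.items())
              for host, rules in match_rules(events).items()}
    return {host: s for host, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    for host, score in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: score {score} -> {match_rules(SAMPLE_EVENTS)[host]}")
```

A single rule firing is a weak signal; the point of the weighted sum is that firewall changes, AV/EDR termination and discovery commands on the same host in a short window are what the advisory's "atypical activity" looks like in practice.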