
Akira Ransomware Increases Privilege to Steal NTDS.dit File


The Akira ransomware group recently made headlines for a new privilege escalation technique: infiltrating a victim’s virtual environment to steal the NTDS.dit file, the Active Directory database that stores domain user accounts and passwords on domain controllers. Possession of this file gave the attackers escalated privileges within the network.

The incident is part of Akira’s activity since March 2023, which has targeted small and medium-sized enterprises (SMEs) globally. The group typically gains initial access through weakly protected VPNs, using compromised credentials or unpatched vulnerabilities. In one case, it breached an agricultural company through an unpatched, single-factor VPN.

Once inside the victim’s network, the Akira group leveraged a remote code execution vulnerability (CVE-2021-21972) in the VMware vCenter server. By uploading a malicious file and implanting a reverse shell, they gained full remote access to the system. This access allowed them to create a stealthy environment for launching further attacks within the compromised network.

One of the key tactics used by Akira was targeting the Active Directory database (NTDS.dit) on a domain controller to steal credentials and enable lateral movement within the network. By shutting down the controller’s VM, copying its VMDK files to another VM, and extracting the necessary files from the copied disk, they escalated privileges to a domain administrator account and compromised additional systems in just 6 hours.

According to findings from S-RM, a cybersecurity firm involved in the investigation, Akira deployed ransomware on the target network by exploiting legacy infrastructure. In this case, the attackers used a legitimate backup client process, beremote.exe, to deliver the ransomware binary to servers. This method was particularly effective as the backup client was a trusted process already integrated into the system’s environment, allowing the attacker to bypass security defenses.
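The two behaviours described above (powering off a domain controller VM and attaching its VMDK to another VM, and a backup client process launching something it normally never would) are both detectable from ordinary telemetry. The following is an added example, not code from the article or from S-RM, showing toy detection logic for both over constructed sample events. The event schema, VM names, user names and file paths are assumptions made for this example; real vCenter and endpoint logs need their own parsers.

```python
"""
Added example (not from the article or S-RM): toy detection logic for the two
behaviours the article describes, run over constructed sample events.

Rule 1: a domain controller VM is powered off and, shortly afterwards, one of
        its virtual disks (VMDK) is attached to a *different* VM.
Rule 2: the backup client beremote.exe spawns a child process that is not on
        an allow-list of expected children.

The event schema below is an assumption for this example only.
"""
from datetime import datetime, timedelta

# Constructed vCenter-style events (assumed schema: ts, type, vm, ...).
VCENTER_EVENTS = [
    {"ts": "2024-01-10T02:00:00", "type": "VmPoweredOff", "vm": "DC01", "user": "svc-backup"},
    {"ts": "2024-01-10T02:04:30", "type": "DiskAttached", "vm": "JUMP-VM",
     "backing": "[datastore1] DC01/DC01.vmdk", "user": "svc-backup"},
    {"ts": "2024-01-10T03:00:00", "type": "VmPoweredOff", "vm": "WEB01", "user": "admin"},
    # DC02's disk attached with no recent power-off of DC02: not flagged by rule 1.
    {"ts": "2024-01-11T02:04:30", "type": "DiskAttached", "vm": "JUMP-VM",
     "backing": "[datastore1] DC02/DC02.vmdk", "user": "svc-backup"},
]

# Constructed process-creation events (assumed schema: ts, host, parent, image).
PROCESS_EVENTS = [
    {"ts": "2024-01-10T04:10:00", "host": "FS01",
     "parent": r"C:\Program Files\BackupClient\beremote.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"ts": "2024-01-10T04:11:00", "host": "FS01",
     "parent": r"C:\Program Files\BackupClient\beremote.exe",
     "image": r"C:\Windows\Temp\w.exe"},
    {"ts": "2024-01-10T04:12:00", "host": "FS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}          # assumed inventory of DC VM names
EXPECTED_BACKUP_CHILDREN = {"conhost.exe"}     # assumed allow-list for the backup agent


def detect_vmdk_theft(events, dcs=DOMAIN_CONTROLLERS, window=timedelta(minutes=30)):
    """Return (dc_name, attach_event) pairs where a DC VM was powered off and
    then a disk from that DC's directory was attached to another VM within
    `window`.  Events are processed in timestamp order."""
    poweroffs = {}   # dc name -> time of the most recent power-off
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "VmPoweredOff" and ev["vm"] in dcs:
            poweroffs[ev["vm"]] = t
        elif ev["type"] == "DiskAttached":
            for dc, off_t in poweroffs.items():
                # The DC's own disk directory appears in the backing path
                # ("[datastore] DC01/DC01.vmdk"); attaching it elsewhere is the signal.
                in_dc_dir = f"] {dc}/" in ev["backing"]
                if in_dc_dir and ev["vm"] != dc and timedelta(0) <= t - off_t <= window:
                    hits.append((dc, ev))
    return hits


def detect_backup_client_abuse(events, expected=EXPECTED_BACKUP_CHILDREN):
    """Return process events where beremote.exe is the parent of a child that
    is not on the allow-list (e.g. a dropped binary run from a temp directory)."""
    hits = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "beremote.exe" and child not in expected:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for dc, ev in detect_vmdk_theft(VCENTER_EVENTS):
        print(f"ALERT: disk of DC {dc} attached to {ev['vm']} by {ev['user']} at {ev['ts']}")
    for ev in detect_backup_client_abuse(PROCESS_EVENTS):
        print(f"ALERT: beremote.exe on {ev['host']} launched {ev['image']} at {ev['ts']}")
```

Rule 1 keys on the DC's disk directory rather than a file name, because an attacker copying the VMDK into another VM's folder still has to reference the source path when attaching it; the 30-minute window and the DC inventory are the two knobs a SOC would tune. Rule 2 is a plain parent/child allow-list, which is the usual way to turn a "trusted process used as a delivery vehicle" finding into a detection.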

In addition to exploiting vulnerabilities and targeting weaknesses in multi-factor authentication, Akira ransomware employs advanced techniques similar to the China-backed UTA0178 group to bypass security measures and move laterally within a network.

To protect against such attacks, organizations are advised to implement a robust patch management system, enforce multi-factor authentication, and conduct regular security assessments. These proactive measures can help prevent attackers from gaining a foothold and rapidly spreading through a network.

In conclusion, the Akira ransomware group’s recent exploits highlight the importance of implementing strong cybersecurity measures to defend against evolving threats. By staying vigilant and addressing vulnerabilities promptly, organizations can reduce the risk of falling victim to sophisticated cyber attacks like those carried out by Akira and other threat actors.
