This post was originally shared on the S-RM blog SRMinform, copy and pasted here without permission

https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam

While the S-RM team encountered more threat actors than ever before last year, one group was responsible for more incidents than any other. Akira, a well-established ransomware group, accounted for 15% of the incidents we responded to in 2024, and deployed some novel techniques for evading cyber defences along the way. In this article, our team details how Akira was able to compromise an unsecured webcam in order to circumvent an Endpoint Detection and Response (EDR) tool and deploy ransomware.

The S-RM team recently responded to an Akira ransomware incident in which the victim organisation had deployed EDR to hosts on their network. The EDR tool identified and quarantined the ransomware binary, which inhibited Akira’s ability to deploy the malicious code across the victim’s environment. Not to be deterred, the threat actor then conducted a network scan and identified an unsecured webcam on the same network. Akira was able to compromise this device and deploy ransomware from it, ultimately circumventing the EDR tool.

Akira ransomware IoT attack chain

Attack chain in detail

The usual playbook

Until the webcam compromise, this incident had followed Akira’s typical modus operandi. After compromising the victim’s network via an externally facing remote access solution, the group deployed AnyDesk.exe, a remote management and monitoring tool, to retain access to the network, before exfiltrating data.

During the latter stages of the attack, the attacker moved to a server on the victim’s network via remote desktop protocol (RDP). Akira commonly uses RDP as it enables them to interact with endpoints and blend in with system administrators, who use RDP legitimately. The threat actor initially attempted to deploy the ransomware on one of the Windows servers as a password-protected zip file (‘win.zip’) that contained the ransomware binary (‘win.exe’). However, the victim’s EDR tool immediately identified and quarantined the compressed file before it was unzipped and deployed.

At this point, the threat actor likely realised they had alerted the EDR tool and would not be able to evade its defences. They therefore pivoted their approach. Prior to the ransomware deployment attempt to this Windows server, the attacker had conducted an internal network scan to identify open ports, services, and devices. This network scan identified several Internet of Things (‘IoT’) devices on the victim’s network, including webcams and a fingerprint scanner. These devices presented an opportunity to the threat actor to evade the EDR tool and deploy the ransomware successfully.

Pivoting to a webcam

The threat actor likely identified a webcam as a suitable target device for deploying ransomware for three reasons:

1. The webcam had several critical vulnerabilities, including remote shell capabilities and unauthorised remote viewing of the camera.
2. It was running a lightweight Linux operating system that supported command execution as if it were a standard Linux device, making the device a perfect candidate for Akira’s Linux ransomware variant.
3. The device did not have any EDR tools installed on it, leaving it unprotected. In fact, due to the limited storage capacity, it is doubtful that any EDR could be installed at all.

After identifying the webcam as a suitable target, the threat actor began deploying their Linux-based ransomware with little delay. As the device was not being monitored, the victim organisation's security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them.[1] Akira was subsequently able to encrypt files across the victim’s network.[2]

[1] There are several options for threat actors to deploy ransomware from IoT devices and deploying via SMB protocol remains one of the easiest. Though this protocol is significantly less efficient, it can still be a potent vector for threat actors. Particularly when used on devices which are incompatible with EDR or EPP systems, preventing adequate continuous monitoring of activity.

[2] SMB is a network protocol commonly used for communication between devices and threat actors and is commonly exploited to deploy ransomware.

Lessons learned

The S-RM team identified three key security takeaways from the incident:

1. Patching priorities | Patch management strategies tend to focus on systems that are critical to business functions. This approach, while logical, often diverges from the perspective of a threat actor, who will take advantage of any weak link that can be exploited in order to reach those critical systems. As a result, devices that might initially seem inconsequential can become instrumental to a threat actor’s success. IoT devices, for example, frequently escape rigorous security audits and retain default passwords and outdated software, offering threat actors potential pivot points in supposedly secure environments.
2. Evolving threat actors | Akira is a good example of how cyber threat actors have evolved over time, transitioning from its original development in the programming language Rust to a newer version using C++. As ransomware-as-a-service (RaaS), it remains operable across both Windows and Linux systems, making it a particularly versatile threat.
3. Bypassing EDR | Last year, the S-RM team observed that EDR had been implemented to some extent in 40% of the incidents we responded to. Threat actors were able to take advantage of limited EDR coverage, a lack of active monitoring or misconfiguration in order to bypass the tooling. While EDR remains a critical security control, this data – and in this instance the specific Akira attack path – illustrates that detailed thought needs to be given to its implementation.  

Prevention and remediation

Preventing and remediating novel attacks like this one can be challenging. At a minimum, organisations should monitor network traffic from their IoT devices and detect anomalies. They should also consider adopting the following security practices:

• Network restriction or segmentation: Place IoT devices on a segmented network that cannot be accessed from servers or user workstations or restrict the devices’ communication with specific ports and IP addresses.
• Internal network audit: Regularly audit devices connected to the internal network, which may help to identify security weaknesses or rogue devices implemented by a threat actor.
• Patch and device management: Keep devices, including IoT devices, regularly patched with the most recent update. Ensure default passwords of IoT devices are changed to unique and complex ones.
• Turn devices off: Keep IoT devices switched off when they are not in use.

Indicators of compromise

S-RM identified the ransomware binaries, which had the following signatures:

If you have concerns about your organisation’s exposure or have further questions on this development, contact S-RM’s Incident Response team here for additional information.