If at first you don’t succeed, pry, pry again.
That was the mantra of one relentless ransomware group after an endpoint detection and response (EDR) tool successfully volleyed the threat actors’ initial serve. Facing the initial EDR rejection of a ransomware delivery, they pivoted to a less-watched network device: the webcam.
The tactics, revealed on March 5 by cybersecurity consultancy S-RM, demonstrated persistence by the Akira adversary group.
“We are getting better at security, but they’re pretty driven, too, and so they’re going to find whatever that vulnerability is, and in this case, it’s a webcam,” Steve Ross, director of cybersecurity for the Americas at S-RM, told IT Brew. “As security professionals, we’ve got to get better at locking those things down and preventing that from happening,” he said.
In the March post, the S-RM team shared details of a “recent” ransomware incident:
- Threat actors used remote desktop protocol—a popular tactic of late—to access a server.
- When the group tried to deploy a ransomware .zip file on a Windows server, the victim’s EDR caught and deactivated it.
- The adversaries’ network search found other devices, including a fingerprint scanner and camera.
- The camera had enticing characteristics to the threat actors: It was unpatched, ran a Linux operating system capable of executing commands, and had no EDR installed.
- The Akira group deployed ransomware from the camera via Server Message Block—a protocol that facilitates access-sharing on network devices.
“You’re trying to find something that is unlikely to be done. You’re dealing with so much on the network. And this is like a needle in a haystack,” Rob T. Lee, chief of research and head of faculty at SANS Institute, told us, when asked about the challenge of defending against this type of threat.
S-RM’s recently published cyber incident insights report revealed the Akira ransomware players have “thrived in the aftermath of law enforcement takedowns of AlphV and LockBit,” accounting for 15% of the company incidents. (In January 2024, CISA shared that the Akira group had already impacted over 250 organizations, claiming about $42 million in ransoms. The group has been observed demanding ransom payments between $200,000 and $4 million.)
In an analysis of attacks from June 2023 to May 2024, Zscaler blocked 45% more internet of things (IoT) malware transactions; IoT refers to connected devices such as cameras, e-readers, and, the most targeted category according to Zscaler, routers.
S-RM included best practices to defend against threats to IoT devices:
- Placing IoT devices on a restricted network that cannot be accessed from servers or user workstations
- Turning off unused devices
- Regularly auditing on-network devices
- Patching, as well as changing default passwords
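Two of those practices, segmentation and auditing, can be checked against network flow logs. The following is an added example, not code from S-RM or IT Brew: it flags SMB (TCP/445) connections initiated by a device in an IoT segment toward server or workstation segments (the path the incident describes, camera to server over SMB) and lists IoT-segment hosts that are missing from an asset inventory. The subnets, inventory entries and log lines are constructed assumptions.

```python
"""Detection over constructed flow logs: SMB (TCP/445) initiated by an IoT-segment
device toward servers/workstations, plus IoT hosts missing from the asset inventory."""
import ipaddress
from collections import namedtuple

# Assumed network layout (not from the S-RM report): IoT devices live in their own
# segment and should never initiate connections into server or user segments.
IOT_SEGMENT = ipaddress.ip_network("10.30.0.0/24")
PROTECTED_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24"),   # servers
                      ipaddress.ip_network("10.20.0.0/24")]   # workstations
SMB_PORT = 445

# Assumed asset inventory for the IoT segment (hypothetical names and addresses).
INVENTORY = {"10.30.0.5": "lobby-camera", "10.30.0.6": "fingerprint-scanner"}

# Constructed flow-log lines: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2025-03-01T02:11:04 10.20.0.17:51422 -> 10.10.0.4:445 tcp
2025-03-01T02:14:51 10.30.0.5:38812 -> 10.10.0.4:445 tcp
2025-03-01T02:15:02 10.30.0.5:38813 -> 10.20.0.31:445 tcp
2025-03-01T02:16:10 10.30.0.9:40001 -> 10.30.0.1:123 udp
2025-03-01T02:17:33 10.30.0.6:41000 -> 10.10.0.9:443 tcp
"""

Flow = namedtuple("Flow", "ts src dst dport proto")

def parse_flow(line):
    """Parse one log line into a Flow with ipaddress objects and an int dest port."""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
                int(dport), proto)

def find_iot_smb_to_protected(log):
    """Return (ts, src, dst) for each SMB flow from the IoT segment into a protected segment."""
    hits = []
    for f in map(parse_flow, log.splitlines()):
        if (f.src in IOT_SEGMENT and f.proto == "tcp" and f.dport == SMB_PORT
                and any(f.dst in seg for seg in PROTECTED_SEGMENTS)):
            hits.append((f.ts, str(f.src), str(f.dst)))
    return hits

def find_uninventoried_iot_hosts(log):
    """Return IoT-segment source addresses seen in the log but absent from INVENTORY."""
    seen = {str(f.src) for f in map(parse_flow, log.splitlines()) if f.src in IOT_SEGMENT}
    return sorted(seen - set(INVENTORY))
```

On the sample log, the camera's two SMB connections into the server and workstation segments are reported, while the workstation-to-server SMB flow and the camera's HTTPS flow are not; the unknown host 10.30.0.9 is reported as uninventoried.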
If threat actors can hack a webcam, they could likely go after more specific, proprietary technology in other environments, Ross told us, like the peripherals on a manufacturing production line.
“The bad guys are going to think outside the box. So, you have to as well, as a security professional,” he said.