
Why IoT Devices Should Be Isolated

Ransomware group uses webcam to evade Endpoint Detection and Response protection

The Akira ransomware group was observed using an unsecured webcam to launch encryption attacks on a victim's network, bypassing the Endpoint Detection and Response (EDR) tool that had been blocking its encryptor on Windows.


The cybersecurity firm S-RM identified this unusual attack method during an incident response engagement for one of its clients. Notably, Akira turned to the webcam only after the victim's EDR solution had thwarted its attempts to deploy encryptors on Windows.

The attackers first infiltrated the corporate network through an unsecured remote access solution at the targeted company, likely by using stolen credentials or brute-forcing the password.

Once inside, they installed AnyDesk, a legitimate remote access tool, and exfiltrated the company's data as part of their double extortion strategy. Akira also employed Remote Desktop Protocol (RDP) to move laterally and extend its reach to as many systems as possible before deploying the ransomware payload.

Eventually, the attackers attempted to deploy a password-protected ZIP file (win.zip) containing the ransomware payload (win.exe), but the victim's EDR tool detected and quarantined it, thwarting that attempt.

Following this setback, Akira sought alternative attack routes, scanning the network for other devices that could be used to encrypt files, and discovered a webcam and fingerprint scanner susceptible to remote shell access and unauthorized viewing of the video feed.

The webcam ran a Linux-based operating system on which Akira's Linux encryptor could run, and it had no EDR agent, making it an ideal device from which to remotely encrypt files on network shares.

The attackers used the webcam's Linux operating system to mount Windows Server Message Block (SMB) network shares from the company's other devices. They then ran Akira's Linux encryptor from the webcam and encrypted the network shares over SMB, bypassing the EDR software deployed elsewhere on the network.


"As the device was not being monitored, the victim organization's security team was unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise might have alerted them," explained S-RM.


S-RM informed BleepingComputer that patches were available for the webcam vulnerabilities, indicating that the attack, or at least this vector, could have been prevented.

This case demonstrates that EDR protection is not a comprehensive security solution, and organizations should not rely solely on it to defend against attacks.

Moreover, IoT devices are not monitored and maintained as closely as computers, yet they still pose a significant risk. They should therefore be placed on their own network segment, isolated from more sensitive networks such as those hosting production servers and workstations, with only the traffic they actually need allowed across that boundary.
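The S-RM observation above (unmonitored SMB traffic from the webcam would otherwise have raised an alert) and the isolation recommendation point at the same control: define what an IoT segment is allowed to reach and alert on everything else. The following is an added example, not code from the original post, S-RM, or Cyderes. It assumes a hypothetical address plan (10.30.0.0/24 for IoT, 10.10.0.0/24 for servers, 10.20.0.0/24 for workstations), a small allowlist of permitted IoT flows, and a handful of constructed Zeek-style conn.log records; the function and variable names are the example's own.

```python
"""Flag flows that an isolated IoT segment should never originate.

Added example: constructed Zeek-style conn.log records are checked against
a segmentation policy. Any SMB session initiated by an IoT host toward the
server or workstation VLANs is reported, which is the traffic pattern the
webcam produced in the Akira case.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (an assumption, not from the incident report).
IOT_NET = ipaddress.ip_network("10.30.0.0/24")      # cameras, scanners
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")   # file servers
USER_NET = ipaddress.ip_network("10.20.0.0/24")     # workstations

# Flows an IoT device is permitted to initiate: (destination, port, proto).
IOT_ALLOWED = {
    ("10.10.0.5", 53, "udp"),    # DNS resolver
    ("10.10.0.5", 123, "udp"),   # NTP
}
SMB_PORTS = {139, 445}

# Constructed records in Zeek conn.log column order (subset of fields):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1709900000.1\t10.30.0.21\t51010\t10.10.0.5\t123\tudp\t76\t76
1709900001.2\t10.30.0.21\t51011\t10.10.0.5\t53\tudp\t60\t120
1709900002.3\t10.20.0.44\t49710\t10.10.0.10\t445\ttcp\t5120\t9000
1709900003.4\t10.30.0.21\t40122\t10.10.0.10\t445\ttcp\t18000000\t4096
1709900004.5\t10.30.0.21\t40123\t10.10.0.11\t445\ttcp\t22000000\t4096
1709900005.6\t10.30.0.21\t40124\t10.10.0.5\t22\ttcp\t300\t900
"""


@dataclass(frozen=True)
class Flow:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse tab-separated conn.log lines; comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append(Flow(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          f[5], int(f[6]), int(f[7])))
    return flows


def classify(flow):
    """Return an alert reason for an IoT-originated flow, or None if in policy."""
    src = ipaddress.ip_address(flow.orig_h)
    dst = ipaddress.ip_address(flow.resp_h)
    if src not in IOT_NET:
        return None                      # only IoT-originated flows are policed here
    if (flow.resp_h, flow.resp_p, flow.proto) in IOT_ALLOWED:
        return None
    if flow.resp_p in SMB_PORTS and (dst in SERVER_NET or dst in USER_NET):
        return "iot_smb_to_internal"     # the Akira webcam pattern
    return "iot_flow_outside_policy"


def analyze(text):
    """Run every record through the policy and collect the violations."""
    alerts = []
    for flow in parse_conn_log(text):
        reason = classify(flow)
        if reason:
            alerts.append({"reason": reason, "src": flow.orig_h,
                           "dst": flow.resp_h, "port": flow.resp_p,
                           "orig_bytes": flow.orig_bytes})
    return alerts


def smb_bytes_by_iot_source(text):
    """Bytes an IoT host pushed over SMB; a burst here is the encryption run."""
    totals = {}
    for a in analyze(text):
        if a["reason"] == "iot_smb_to_internal":
            totals[a["src"]] = totals.get(a["src"], 0) + a["orig_bytes"]
    return totals


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONN_LOG):
        print(alert)
    print(smb_bytes_by_iot_source(SAMPLE_CONN_LOG))
```

The workstation-to-file-server SMB session on the third line is left alone because it originates outside the IoT segment; the two SMB sessions from 10.30.0.21 to the server VLAN and the unexpected SSH attempt are the ones reported. In a real deployment the same allowlist belongs on the firewall between the segments, so that the flows this script flags are dropped rather than merely logged.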

Equally important, all devices, including IoT devices, should have their firmware updated regularly to address known vulnerabilities that could be exploited in attacks.
