Akira Ransomware Exploits Unsecured IoT Devices to Evade EDR and Attack Windows Servers
- Anup Ghosh
- Mar 14
- 2 min read

The Download
In a recent cybersecurity incident, the Akira ransomware group demonstrated advanced tactics to infiltrate networks and evade security measures. Initially, they gained access to a victim's network through an exposed remote access solution and deployed AnyDesk.exe to maintain persistent access. They attempted to deploy their ransomware payload on a Windows server via a password-protected zip file ('win.zip') containing the malicious executable ('win.exe'). However, the organization's Endpoint Detection and Response (EDR) system successfully identified and quarantined the threat, thwarting the initial attack.
Undeterred, Akira conducted a network scan and discovered unsecured Internet of Things (IoT) devices, including webcams and fingerprint scanners. Exploiting critical weaknesses in a Linux-based webcam, including a reachable remote shell and the absence of any EDR agent, they compromised the device to bypass traditional security controls. Using the compromised webcam, they generated malicious Server Message Block (SMB) traffic directed at the targeted Windows server, successfully encrypting files across the victim's network without detection.
What You Can Do
To mitigate such sophisticated attack vectors, IT administrators should implement several key security measures:
- Network Segmentation: Isolate IoT devices from critical systems and servers to limit lateral movement opportunities for attackers.
- Regular Audits: Conduct comprehensive internal network audits to identify and address vulnerabilities in connected devices.
- Patch Management: Maintain strict patch management practices, ensuring all devices, including IoT equipment, are updated with the latest security patches.
- Secure Configurations: Change default passwords on IoT devices and disable unnecessary services to reduce potential attack surfaces.
- Monitoring and Detection: Implement robust monitoring solutions capable of detecting unusual traffic patterns, even from devices not typically covered by EDR systems.
- Device Management: Power off or disconnect IoT devices when not in use to minimize exposure.
By proactively addressing these areas, organizations can enhance their defenses against evolving ransomware tactics that exploit unconventional entry points.
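The segmentation and monitoring points above can be turned into a concrete network-side check that does not depend on an EDR agent on the device. The following is an added example, not code from the original post or from ThreatMate: it reads constructed key=value flow records and flags any host in an assumed IoT subnet that opens SMB or NetBIOS sessions toward an assumed server subnet, the pattern the webcam produced in the incident. The subnets, log format and sample lines are all assumptions for illustration.

```python
"""Flag SMB flows initiated from the IoT segment toward server subnets.
Added example, not from the original post; subnets, log format and
sample lines are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segmentation policy: IoT devices live in 10.50.0.0/16 and must
# never initiate SMB (TCP/445) or NetBIOS session (TCP/139) into 10.10.0.0/16.
IOT_SUBNETS = [ip_network("10.50.0.0/16")]
SERVER_SUBNETS = [ip_network("10.10.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed flow records in a generic key=value export format.
SAMPLE_LOG = """\
ts=1710400001 src=10.50.3.21 dst=10.10.1.5 proto=tcp dport=445 bytes=8400000
ts=1710400002 src=10.50.3.21 dst=10.50.0.1 proto=udp dport=53 bytes=120
ts=1710400003 src=10.20.7.8 dst=10.10.1.5 proto=tcp dport=445 bytes=300000
ts=1710400004 src=10.50.9.4 dst=10.10.1.9 proto=tcp dport=139 bytes=2000
ts=1710400005 src=10.50.3.21 dst=10.10.1.5 proto=tcp dport=445 bytes=6100000
"""

def parse_flow(line):
    """One key=value line -> dict, with numeric fields converted."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    for key in ("ts", "dport", "bytes"):
        fields[key] = int(fields[key])
    return fields

def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)

def is_iot_smb_violation(flow):
    """True when an IoT-segment host opens SMB/NetBIOS to a server."""
    return (flow["proto"] == "tcp" and flow["dport"] in SMB_PORTS
            and in_any(flow["src"], IOT_SUBNETS)
            and in_any(flow["dst"], SERVER_SUBNETS))

def find_violations(log_text):
    """Aggregate offending flows per source: {src: (flow_count, total_bytes)}."""
    hits = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            if is_iot_smb_violation(flow):
                hits[flow["src"]][0] += 1
                hits[flow["src"]][1] += flow["bytes"]
    return {src: tuple(counts) for src, counts in hits.items()}

for src, (count, total) in find_violations(SAMPLE_LOG).items():
    print(f"ALERT IoT host {src}: {count} SMB flow(s) to servers, {total} bytes")
```

On the sample data the webcam address 10.50.3.21 is reported with two SMB flows and 14.5 MB sent toward the server subnet, while the workstation's SMB traffic is ignored because it originates outside the IoT segment.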
ThreatMate will inventory all IoT devices on your network, scan them for vulnerabilities, and pen test them. Sign up for a demo today!