Ransomware gang encrypted network from a webcam to bypass EDR

The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.

Cybersecurity firm S-RM team discovered the unusual attack method during a recent incident response at one of their clients.

Notably, Akira only pivoted to the webcam after attempting to deploy encryptors on Windows, which were blocked by the victim's EDR solution.

Akira's unorthodox attack chain

The threat actors initially gained access to the corporate network via an exposed remote access solution at the targeted company, likely by leveraging stolen credentials or brute-forcing the password.

After gaining access, they deployed AnyDesk, a legitimate remote access tool, and stole the company's data for use as part of the double extortion attack.

Next, Akira used Remote Desktop Protocol (RDP) to move laterally and expand their presence to as many systems as possible before deploying the ransomware payload.

Eventually, the threat actors dropped a password-protected ZIP file (win.zip) containing the ransomware payload (win.exe), but the victim's EDR tool detected and quarantined it, essentially blocking the attack.

After this failure, Akira explored alternative attack pathways, scanning the network for other devices that could be used to encrypt the files and finding a webcam and fingerprint scanner.

S-RM explains that the attackers opted for the webcam because it was vulnerable to remote shell access and unauthorized video feed viewing.

Furthermore, it ran on a Linux-based operating system compatible with Akira's Linux encryptor. It also did not have an EDR agent, making it an optimal device to remotely encrypt files on network shares.

S-RM confirmed to BleepingComputer that the threat actors utilized the webcam's Linux operating system to mount Windows SMB network shares of the company's other devices. They then launched the Linux encryptor on the webcam and used it to encrypt the network shares over SMB, effectively circumventing the EDR software on the network. 

"As the device was not being monitored, the victim organisation's security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them," explains S-RM.

"Akira was subsequently able to encrypt files across the victim's network."

S-RM told BleepingComputer that there were patches available for the webcam flaws, meaning that the attack, or at least this vector, was avoidable.

The case shows that EDR protection isn't an all-encompassing security solution, and organizations shouldn't rely on it alone to protect against attacks.

Furthermore, IoT devices are not as closely monitored and maintained as computers but still pose a significant risk.

Due to this, these types of devices should be isolated from the more sensitive networks, like production servers and workstations. 

Of equal importance, all devices, even IoT devices, should have their firmware updated regularly to patch known flaws that could be exploited in attacks.