93/68 Monday, March 10, 2025

Cybersecurity researchers from S-RM have uncovered a new technique used by the Akira ransomware group to infiltrate victims’ networks. Instead of relying on traditional remote access tools, the attackers exploit vulnerabilities in unprotected IoT devices such as webcams and fingerprint scanners to bypass Endpoint Detection and Response (EDR) systems.
Previously, Akira attempted to launch attacks using remote tools like AnyDesk and Remote Desktop Protocol (RDP), but these were successfully blocked by EDR systems. In response, the group shifted its focus to IoT devices within the network, particularly Linux-based webcams, which often lack proper security controls.
According to the report, Akira initially used AnyDesk to exfiltrate data before attempting to deploy ransomware via RDP. However, when EDR blocked these attempts, the attackers leveraged unsecured webcams to infiltrate the network undetected. Since these devices are rarely monitored for unusual traffic, Akira was able to encrypt victim networks, including critical VMware ESXi servers, without triggering security alerts.
This attack highlights the risks associated with IoT devices, which are often overlooked in cybersecurity strategies. While EDR remains a crucial defense tool, misconfigurations and security gaps can provide attackers with alternative entry points. Security experts recommend that organizations strengthen their defenses by turning off IoT devices when not in use, segmenting networks to limit access, regularly applying security patches, and actively monitoring network traffic for anomalies.
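As an added illustration of the traffic-monitoring recommendation (not part of the S-RM report or the original brief), the sketch below flags flows initiated by IoT devices that fall outside a per-device baseline. The addressing plan, baseline entries, fan-out threshold and flow records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): addressing plan and baseline.
IOT_SEGMENT = ip_network("10.20.0.0/24")
BASELINE = {  # device -> (peer, dst port) pairs it is expected to initiate
    "10.20.0.31": {("10.20.0.10", 554), ("10.0.0.1", 123)},  # webcam
    "10.20.0.32": {("10.20.0.11", 443)},                     # fingerprint scanner
}
FANOUT_LIMIT = 3  # distinct unexpected hosts before a device is rated "high"

# Constructed flow records: time, src, dst, dst port, bytes sent by src.
SAMPLE_FLOWS = """\
2025-03-10T01:00:02,10.20.0.31,10.20.0.10,554,48211
2025-03-10T01:00:05,10.20.0.31,10.0.0.1,123,90
2025-03-10T01:00:09,10.20.0.32,10.20.0.11,443,1200
2025-03-10T01:14:40,10.20.0.31,10.10.5.20,443,5000
2025-03-10T01:14:41,10.20.0.31,10.10.5.21,443,7000
2025-03-10T01:14:43,10.20.0.31,10.10.5.22,22,300
2025-03-10T01:15:10,10.20.0.31,10.10.5.20,443,1000
2025-03-10T01:20:00,10.20.0.32,10.10.5.30,443,250
2025-03-10T01:21:00,10.10.5.20,10.20.0.31,80,100
2025-03-10T01:22:00,10.20.0.40,10.20.0.10,554,10
"""

def find_iot_anomalies(flow_csv):
    """Return {device: summary} for IoT-initiated flows outside the baseline."""
    hits = defaultdict(lambda: {"peers": set(), "bytes": 0, "flows": 0})
    for _ts, src, dst, dport, nbytes in csv.reader(io.StringIO(flow_csv)):
        if ip_address(src) not in IOT_SEGMENT:
            continue  # only traffic initiated from the IoT segment is in scope
        # A device without a baseline entry has nothing allowed, so it is reported.
        if (dst, int(dport)) in BASELINE.get(src, set()):
            continue
        hit = hits[src]
        hit["peers"].add((dst, int(dport)))
        hit["bytes"] += int(nbytes)
        hit["flows"] += 1
    for hit in hits.values():
        hosts = {peer for peer, _port in hit["peers"]}
        hit["severity"] = "high" if len(hosts) >= FANOUT_LIMIT else "review"
    return dict(hits)

if __name__ == "__main__":
    for dev, hit in sorted(find_iot_anomalies(SAMPLE_FLOWS).items()):
        print(dev, hit["severity"], hit["flows"], "flows", hit["bytes"], "bytes")
```

On the sample data the webcam at 10.20.0.31 is rated high because it reaches three hosts outside its baseline, while the unlisted device at 10.20.0.40 is reported for review because it has no baseline at all.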
The Akira ransomware group has been active since March 2023, targeting organizations across various industries, including education, finance, and real estate. Their tactics continue to evolve, including shifting from Rust to C++ to enhance attack efficiency. Given the increasing sophistication of these threats, organizations must remain vigilant and continuously update their security measures.