Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search
Red Hot Cyber Academy

Akira Ransomware: The New Threat Using Webcams as Entry Points

Pietro Melillo : 7 March 2025 17:02

Akira represents one of the most recent ransomware threats capable of bypassing traditional organizational defense mechanisms. A recent case analyzed by the S-RM team highlighted how this group leveraged an unprotected webcam to deploy its payload, evading the defenses of an Endpoint Detection and Response (EDR) system.

The Initial Modus Operandi

The attack began with the compromise of the victim’s network through an internet-exposed remote access solution. Once inside, Akira deployed AnyDesk.exe, a remote management tool, to maintain control over the environment and proceed with data exfiltration.

During the later stages of the attack, the attackers used the Remote Desktop Protocol (RDP) to move laterally within the network. They then attempted to deploy the ransomware on a Windows server by sending a password-protected ZIP file containing the malicious executable. However, the organization’s EDR detected and blocked the threat before it could be executed.

Pivoting to the Webcam

Vorresti toccare con mano la Cybersecurity e la tecnologia? Iscriviti GRATIS ai WorkShop Hands-On della RHC Conference 2025 (Giovedì 8 maggio 2025)

Se sei un ragazzo delle scuole medie, superiori o frequenti l'università, oppure banalmente un curioso di qualsiasi età, il giorno giovedì 8 maggio 2025 presso il teatro Italia di Roma (a due passi dalla stazione termini e dalla metro B di Piazza Bologna), si terranno i workshop "hands-on", creati per far avvicinare i ragazzi alla sicurezza informatica e alla tecnologia. Questo anno i workshop saranno:

  • Creare Un Sistema Ai Di Visual Object Tracking (Hands on)
  • Social Engineering 2.0: Alla Scoperta Delle Minacce DeepFake
  • Doxing Con Langflow: Stiamo Costruendo La Fine Della Privacy?
  • Come Hackerare Un Sito WordPress (Hands on)
  • Il Cyberbullismo Tra Virtuale E Reale
  • Come Entrare Nel Dark Web In Sicurezza (Hands on)
    •
    Potete iscrivervi gratuitamente all'evento, che è stato creato per poter ispirare i ragazzi verso la sicurezza informatica e la tecnologia.
    Per ulteriori informazioni, scrivi a [email protected] oppure su Whatsapp al 379 163 8765


    Supporta RHC attraverso:


    Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.

    After realizing that the EDR was preventing the ransomware from spreading, the attackers changed their strategy. An internal network scan revealed the presence of vulnerable IoT devices, including webcams and biometric scanners. Specifically, a webcam was exposed with the following critical issues:

    • The presence of severe vulnerabilities allowing remote access and command execution.
    • A Linux-based operating system compatible with Akira’s Linux ransomware variant.
    • No EDR or other security tools installed on the device.

    The attackers used the compromised webcam as an entry point to deploy the ransomware across the victim’s network. The Server Message Block (SMB) traffic generated by the device to transmit the payload went unnoticed, allowing Akira to successfully encrypt files across enterprise systems.

    Lessons Learned

    The incident highlighted three crucial aspects of cybersecurity:

    1. Patch Prioritization: Patch management strategies often focus on business-critical systems, neglecting IoT devices that can become entry points for attackers.
    2. Evolution of Threat Actors: Akira demonstrated a significant ability to adapt, transitioning from implementations in Rust to C++ and supporting both Windows and Linux environments.
    3. EDR Limitations: While EDR is a crucial security tool, its effectiveness depends on proper coverage, configuration, and continuous monitoring. IoT devices are often incompatible with EDR, leaving them vulnerable to attacks.

    Security Countermeasures

    To mitigate similar threats, organizations should adopt the following measures:

    • Network Segmentation: IoT devices should be isolated from servers and critical systems, with restricted communication to specific ports and IP addresses.
    • Internal Network Audits: Regular audits of connected devices can help identify vulnerabilities and unauthorized devices.
    • Patch and Credential Management: Regularly update device firmware and replace default passwords with strong, unique credentials.
    • Turn Off Unused Devices: If an IoT device is not needed, it should be turned off to reduce the attack surface.

    Conclusion

    The Akira case demonstrates how threat actors can bypass traditional security measures by exploiting overlooked weak points, such as IoT devices. A comprehensive security strategy that includes network segmentation, continuous monitoring, and regular updates is essential to reducing the risk of such attacks.

    Pietro Melillo
    Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for Hacking and technology, currently CISO of WURTH Italia, he was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio, as a Ph.D, author of scientific papers and development of tools to support cybersecurity activities. Leads the CTI Team "RHC DarkLab"

    Lista degli articoli
    Categories
    Banner

    Editorial board : [email protected]

    Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr
    Redhotcyber is an open-news project that was launched in 2019 and subsequently expanded into a network of individuals collaborating to disseminate information and topics focused on technology, Information Technology, and cybersecurity. Its goal is to increase risk awareness among an ever-growing number of people.