The Finnish National Cyber Security Centre (NCSC-FI) has warned of a surge in Akira ransomware attacks during December, primarily targeting companies in the country. These attacks are particularly harmful because they involve erasing backups, leaving victims with few options for data recovery.
According to the NCSC-FI, the majority of reported ransomware incidents last month (six out of seven cases) were attributed to Akira ransomware. The attackers have been carefully destroying backups and putting pressure on victims by making it impossible to restore data without paying the ransom.
This has impacted Network-Attached Storage (NAS) devices used for backups, as well as tape backup devices that serve as secondary data storage systems.
Additionally, the agency suggests organizations consider using offline backups dispersed across different locations to protect against unauthorized physical access. It is recommended to avoid using vulnerable online backups.
Breached through Cisco VPNs
According to the Finnish agency, threat actors exploit a vulnerability tracked as CVE-2023-20269 to break into victims' networks. The flaw affects the VPN feature in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products. Attackers can use this vulnerability to carry out brute-force attacks and gain unauthorized access to user credentials.
Akira ransomware exploited the vulnerability in August 2023, and Cisco fixed it the following month. After breaching the network, the attackers map it out, target backups and critical servers, steal usernames and passwords, and encrypt important files and disks, particularly on VMware servers.
It is strongly recommended that companies upgrade their Cisco ASA to version 220.127.116.11 or later and their Cisco FTD to version 6.6.7 or later to reduce the risk of attacks exploiting CVE-2023-20269.