The Recon SOC recently worked an IR case involving the newly emerged Akira ransomware group. News about this threat actor did not begin to break until May 7, 2023, but our investigation shows evidence that this crew began this particular campaign in early to mid-April.
When we began the IR, the targets of the ransomware activity were multiple VMware ESXi servers and a single Windows server. We moved quickly to get the environment into a defensible posture to prevent further spread of the ransomware itself.
The Akira group surfaced around March 2023. The group hosts a Tor hidden service blog with an entry for each organization it has hit and, allegedly, serves the files stolen from victims that did not pay the ransom.
Source: https[://]akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion
Description taken directly from Cloudflare's website:
Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
How it works
Cloudflared establishes outbound connections (tunnels) between your resources and Cloudflare’s global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many cloudflared processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center.
Multiple systems had services pointed at renamed copies of cloudflared.exe, Cloudflare's Zero Trust tunnel agent, in locations such as:
C:\ProgramData\VMware\VMware.exe
C:\ProgramData\sun\sun.exe
C:\ProgramData\GenPatch\GenPatch.exe
Despite the renamed binaries, these executions are easily found by auditing process command line arguments for the following pattern:
<renamed_binary>.exe tunnel run --token <attacker_cloudflare_token>
This daemon connects the victim system to an attacker-controlled software-defined network, similar to a VPN. With this tunnel, the attacker could connect directly to this system, even if they lose other footholds into the network.
Generally, cloudflared expects a configuration file, but in these instances the tunnel configuration was passed directly on the command line, which makes even the renamed binaries detectable with the right telemetry. We dissected the token being passed to the binary: it is a base64-encoded JSON object with the following components
{"a":"ACCOUNT_ID","t":"TUNNEL_UUID","s":"TUNNEL_SECRET"}
The account ID and tunnel UUID identify the attacker's Cloudflare account and tunnel and are the values worth pivoting on and reporting; the tunnel secret should be treated as sensitive when IOCs are shared.
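A hunt for this pattern, written as an added example by the editor rather than tooling from the original investigation: it matches `tunnel run --token` in process command lines regardless of what the binary has been renamed to, decodes the token into its account ID and tunnel UUID (leaving the secret out of the finding), and marks copies whose file name is not cloudflared.exe. The process records, paths and token values below are constructed placeholders, not data from the case.

```python
"""Hunt for cloudflared tunnels started with 'tunnel run --token', including
renamed copies of the binary, and decode the token into reportable IOCs.

Editor-added example; the sample events and token contents are constructed
placeholders, not values from the incident."""
import base64
import json
import ntpath
import re
import uuid

# '... tunnel run ... --token <value>' or '--token=<value>', any binary name.
TUNNEL_RUN_RE = re.compile(
    r"\btunnel\s+run\b.*?--token[\s=]+([A-Za-z0-9+/=_-]+)", re.IGNORECASE)


def make_token(account_id, tunnel_id, secret):
    """Build a token in the documented shape {"a":..,"t":..,"s":..} (base64 of
    JSON). Used here only to construct sample data."""
    body = json.dumps({"a": account_id, "t": tunnel_id, "s": secret},
                      separators=(",", ":")).encode()
    return base64.b64encode(body).decode()


def decode_token(token):
    """Return (account_id, tunnel_id) for a well-formed token, else None.
    The secret 's' is deliberately not returned so it never lands in a ticket."""
    padded = token + "=" * (-len(token) % 4)      # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            obj = json.loads(decoder(padded))
            if not isinstance(obj, dict) or not {"a", "t", "s"} <= obj.keys():
                continue
            uuid.UUID(str(obj["t"]))                # tunnel ID must be a UUID
            return str(obj["a"]), str(obj["t"]).lower()
        except ValueError:                          # bad base64, JSON or UUID
            continue
    return None


def analyze_process(event):
    """Return a finding for a process-creation record that launches a
    cloudflared tunnel, or None. event keys: host, pid, image, cmdline."""
    m = TUNNEL_RUN_RE.search(event["cmdline"])
    if not m:
        return None
    ids = decode_token(m.group(1))
    return {
        "host": event["host"],
        "pid": event["pid"],
        "image": event["image"],
        # The renamed binary was the strongest signal in the case above.
        "renamed": ntpath.basename(event["image"]).lower() != "cloudflared.exe",
        "token_ok": ids is not None,
        "account_id": ids[0] if ids else None,
        "tunnel_id": ids[1] if ids else None,
    }


def scan(events):
    return [f for f in map(analyze_process, events) if f]


# Constructed sample telemetry in the shape of Sysmon/EDR process creation records.
SAMPLE_EVENTS = [
    {"host": "FS01", "pid": 4120,
     "image": r"C:\ProgramData\VMware\VMware.exe",
     "cmdline": r"C:\ProgramData\VMware\VMware.exe tunnel run --token "
                + make_token("0123456789abcdef0123456789abcdef",
                             "11111111-2222-4333-8444-555555555555", "placeholder")},
    {"host": "WEB02", "pid": 988,      # an approved, unrenamed install
     "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmdline": r'"C:\Program Files (x86)\cloudflared\cloudflared.exe" tunnel run --token='
                + make_token("fedcba9876543210fedcba9876543210",
                             "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "placeholder")},
    {"host": "DC01", "pid": 3301,      # renamed binary, token not decodable
     "image": r"C:\ProgramData\sun\sun.exe",
     "cmdline": r"C:\ProgramData\sun\sun.exe tunnel run --token not-a-token"},
    {"host": "DC01", "pid": 1204,      # unrelated process
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A hit with `renamed` set is the case described above; a hit on a correctly named binary still needs to be compared against the list of tunnels the organization actually sanctions, because legitimate installs use the identical command line. Since the post notes the binaries were launched as services, the same regex is worth running over service ImagePath values as well as process-creation telemetry.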
The attacker leveraged the free Netscan tool to perform network sweeps and discover open ports on hosts. This tool was also used to launch RDP sessions directly to discovered systems.
This tool has previously been leveraged by other groups as well.
The attacker leveraged mimikatz to obtain credentials on at least one system.
The adversary was observed leveraging the open source DonPAPI credential theft toolkit, which is capable of "Dumping relevant information on compromised targets without AV detection." This required dropping Python on the victim host as well.
Targeted credentials include:
The attacker was observed using RDP almost exclusively to move around the environment. This was accomplished with multiple compromised administrator accounts due to a combination of credential harvesting and weak passwords.
Lateral movement was also performed with Impacket's wmiexec.py.
The attacker created an account on a compromised domain controller that followed a naming convention very similar to the domain name, likely to make it blend in. For instance, if the domain name was abdef.com, the account was named abcdfe.
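One way to catch this kind of lookalike account, added here as an editor's example rather than something from the original investigation: compare every newly created account name (Security event 4720) against the domain's DNS labels and NetBIOS name using optimal string alignment distance, which counts a single insertion, deletion, substitution or swap of adjacent letters as one edit, so abcdfe scores as two edits from abdef. The domain, account names and creator below are constructed samples.

```python
"""Flag newly created accounts whose names imitate the domain name.

Editor-added example; the account-creation records are constructed samples."""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transpositions counted as one edit. Case-insensitive."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,            # delete
                          d[i][j - 1] + 1,            # insert
                          d[i - 1][j - 1] + cost)     # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transpose
    return d[len(a)][len(b)]


def lookalike_targets(domain_fqdn, netbios_name):
    """Names an intruder is likely to imitate: DNS labels and the NetBIOS name.
    Labels shorter than four characters (com, net, ...) are too generic to use."""
    labels = domain_fqdn.lower().split(".") + [netbios_name.lower()]
    return {t for t in labels if len(t) >= 4}


def is_lookalike(account, targets, max_distance=2):
    return any(osa_distance(account, t) <= max_distance for t in targets)


def flag_new_accounts(creation_events, domain_fqdn, netbios_name, approved=()):
    """Return (account, created_by) for new accounts that resemble the domain
    name and are not on the approved list."""
    targets = lookalike_targets(domain_fqdn, netbios_name)
    approved = {a.lower() for a in approved}
    return [(e["account"], e["created_by"]) for e in creation_events
            if e["account"].lower() not in approved
            and is_lookalike(e["account"], targets)]


# Constructed sample of event 4720 (user account created) records.
SAMPLE_4720 = [
    {"account": "abcdfe", "created_by": "admin.jsmith"},     # lookalike of 'abdef'
    {"account": "ABDEF", "created_by": "admin.jsmith"},      # exact copy of the label
    {"account": "svc_backup", "created_by": "admin.jsmith"},
    {"account": "abdef-svc", "created_by": "admin.jsmith"},  # 4 edits away, not flagged
]

if __name__ == "__main__":
    for account, creator in flag_new_accounts(SAMPLE_4720, "abdef.com", "ABDEF"):
        print(f"lookalike account {account!r} created by {creator}")
```

A fixed threshold of two edits is generous for short domain labels, so in practice the hit list is reviewed alongside who created the account, from where, and whether it was added to a privileged group shortly afterwards; the approved list exists for the one or two service accounts that legitimately carry the company name.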
The actor quickly identified network shares in the environment and mounted them via CLI using stolen credentials. Once shares were mounted, they were accessed via Explorer and many files were copied to a staging location on the system actively in-use by the actor.
Targeted files included many related to insurance, income statements, and various other business-related documents.
The attacker dropped several compression utilities onto the desktop of the compromised system, likely via the RDP session. Tools include 7zip, WinRAR, etc.
Leveraging a combination of stolen and weak passwords, the attacker was able to SSH onto multiple ESXi servers and encrypt the underlying datastores that housed all of the virtual machines.
The actor was observed tampering with Microsoft Defender using the Defender Control utility.
The win_locker executable deletes volume shadow copies with the following command:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
This is observable in process command line auditing. Any deletion of volume shadow copies (VSCs) should trigger an alert in a well-monitored environment.
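Detection logic for that alert, added here by the editor as an example and not taken from the original post: it runs a small set of rules over process command lines, covering the WMI one-liner above and, going beyond the text, the vssadmin and wmic equivalents, and it first decodes PowerShell -EncodedCommand arguments so that a base64-wrapped copy of the same command does not slip past a plain string match. The command lines are constructed samples.

```python
"""Flag volume shadow copy deletion in process command lines, including
PowerShell -EncodedCommand variants that hide the WMI class name.

Editor-added example; the events below are constructed samples."""
import base64
import re

# Rule name and case-insensitive pattern, applied to the decoded command line.
VSS_DELETE_RULES = [
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*?(remove-wmiobject|remove-ciminstance|\.delete\(\))",
                re.I | re.S)),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def decode_encoded_command(cmdline):
    """If the command line carries -EncodedCommand (PowerShell also accepts
    any unambiguous prefix such as -e, -ec, -enc), return the decoded UTF-16LE
    script; otherwise None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except ValueError:          # not valid base64 or not UTF-16LE
                return None
    return None


def detect_vss_deletion(cmdline):
    """Return the names of the rules that fire on this command line."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return [name for name, rx in VSS_DELETE_RULES if rx.search(text)]


def scan_events(events):
    """events: iterable of (pid, cmdline). Returns {pid: [rule names]} for hits."""
    hits = {}
    for pid, cmdline in events:
        rules = detect_vss_deletion(cmdline)
        if rules:
            hits[pid] = rules
    return hits


PS_DELETE = "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
# -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(PS_DELETE.encode("utf-16-le")).decode()

# Constructed process-creation samples (pid, command line).
SAMPLE_EVENTS = [
    (5012, f'powershell.exe -Command "{PS_DELETE}"'),                 # as seen in the case
    (5044, f"powershell.exe -nop -w hidden -enc {ENCODED}"),          # same action, encoded
    (5101, 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Select-Object ID"'),  # list only
    (5120, "vssadmin.exe delete shadows /all /quiet"),
    (5133, "vssadmin.exe list shadows"),                               # benign enumeration
    (5140, "wmic.exe shadowcopy delete"),
]

if __name__ == "__main__":
    for pid, rules in scan_events(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Enumerating shadow copies is routine and deliberately not matched. Backup agents also prune shadow copies during retention cleanup, so the alert is best tuned by parent process and account rather than suppressed; and vssadmin resize shadowstorage, which can evict shadow copies without any delete verb, deserves its own rule.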
The naming convention of the encryptor on the Windows system followed this pattern: win_locker_1234-ab-cdef-ghij.exe. The actual numbers and letters following win_locker_ have been obscured in this post because they correspond to the unique ID assigned to this victim, which is also used in the negotiation steps with the adversary.
Here is a VirusTotal report on the sample, including IOCs. As of the time of this post, it was only detected by 31 of 69 antivirus engines.
The encryption routine drops akira_readme.txt in nearly every directory on the system. Contents of the readme below:
If you are looking to bring new levels of confidence to your enterprise security, consider partnering with Recon and leveraging our Managed Detection & Response offering. You will gain full access to our team of analysts for consistent advisory services in addition to our phenomenal SOC-as-a-Service capabilities.