Sophos researchers were the first to report that Akira ransomware operators had begun abusing Cisco VPN accounts in May: in that intrusion the network was breached through a VPN login protected only by single-factor authentication. Incident responder Aura likewise noted that Cisco VPN accounts without multi-factor authentication have served as the entry point in several of the gang's attacks.
A SentinelOne WatchTower report, meanwhile, raised the possibility that Akira is exploiting an as-yet unidentified flaw in Cisco's VPN software to bypass authentication on accounts that lack MFA; the report presents this as an assessment rather than a confirmed vulnerability.
Beyond Cisco VPN gateways, Akira operators have also deployed the open-source remote access tool RustDesk to maintain covert access to compromised networks. SentinelOne researchers further observed the group compromising SQL databases, disabling host firewalls, Windows Defender and LSA protection (turning off LSA protection leaves the lsass process open to credential dumping), and enabling Remote Desktop Protocol for lateral movement.
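The host-tampering observed by SentinelOne leaves a recoverable footprint on the machine. The script below is an added example for this article, not code from Sophos, Aura or SentinelOne: a point-in-time audit, run from an elevated PowerShell on the host under review, that reports whether LSA protection, Windows Defender real-time protection and the host firewall have been switched off and whether RDP has been enabled, and looks for a running RustDesk instance. The registry paths and event IDs are the documented Windows ones; the `rustdesk` process and service name is an assumed default and the finding layout is the author's own choice.

```powershell
# Added example, not from the reports cited in the article. Audits the four host controls the
# text says Akira operators tamper with and looks for RustDesk. Run elevated on the host.

function Get-AkiraTamperIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Control, [string]$State, [string]$Evidence) {
        $findings.Add([pscustomobject]@{ Control = $Control; State = $State; Evidence = $Evidence })
    }

    # 1. LSA protection: RunAsPPL = 1 (or 2) runs lsass as a protected process.
    #    Missing or 0 means admin-level tooling can read lsass memory for credentials.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $runAsPpl = if ($lsa) { $lsa.RunAsPPL } else { $null }
    if (-not $runAsPpl) {
        Add-Finding 'LSA protection' 'Disabled or not configured' "RunAsPPL = $runAsPpl"
    }

    # 2. Windows Defender: real-time monitoring off, or the DisableAntiSpyware policy value set.
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $mp = Get-MpPreference -ErrorAction SilentlyContinue
        if ($mp -and $mp.DisableRealtimeMonitoring) {
            Add-Finding 'Windows Defender' 'Real-time monitoring disabled' 'Get-MpPreference DisableRealtimeMonitoring = True'
        }
    }
    $defPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    if ($defPolicy -and $defPolicy.DisableAntiSpyware -eq 1) {
        Add-Finding 'Windows Defender' 'Disabled by policy key' 'DisableAntiSpyware = 1'
    }
    # Event 5001 in the Defender operational log is written each time real-time protection is turned off.
    $rtpOff = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 } -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $rtpOff) {
        Add-Finding 'Windows Defender' 'Real-time protection disable event' "EventID 5001 at $($e.TimeCreated)"
    }

    # 3. Host firewall: any profile with Enabled = False, plus recent Security event 4950
    #    ("A Windows Firewall setting has changed") entries worth correlating with the timeline.
    foreach ($p in Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        if ("$($p.Enabled)" -eq 'False') {
            Add-Finding 'Windows Firewall' "$($p.Name) profile disabled" 'Get-NetFirewallProfile Enabled = False'
        }
    }
    $fwChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4950 } -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $fwChanges) {
        Add-Finding 'Windows Firewall' 'Setting change event' "EventID 4950 at $($e.TimeCreated)"
    }

    # 4. RDP: fDenyTSConnections = 0 allows inbound RDP; UserAuthentication = 0 drops the NLA requirement.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        Add-Finding 'Remote Desktop' 'Enabled' 'fDenyTSConnections = 0'
        $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
        if ($rdpTcp -and $rdpTcp.UserAuthentication -eq 0) {
            Add-Finding 'Remote Desktop' 'Network Level Authentication off' 'RDP-Tcp\UserAuthentication = 0'
        }
    }

    # 5. RustDesk: 'rustdesk' is the ASSUMED default process/service name; adjust for your environment.
    foreach ($proc in Get-Process -Name 'rustdesk' -ErrorAction SilentlyContinue) {
        Add-Finding 'RustDesk' 'Process running' "PID $($proc.Id): $($proc.Path)"
    }
    $rdSvc = Get-Service -Name 'RustDesk' -ErrorAction SilentlyContinue
    if ($rdSvc) {
        Add-Finding 'RustDesk' "Service $($rdSvc.Status)" 'Get-Service RustDesk'
    }

    return $findings
}

Get-AkiraTamperIndicators | Format-Table -AutoSize
```

An empty table is the expected output on a healthy host; any row is a starting point for the timeline, not proof of Akira. The event queries return only the most recent five entries per ID, so on a busy host widen `-MaxEvents` or add a `StartTime` to the filter hashtable when scoping the incident window.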