Incident Details
The NCSC-FI has reported a rise in Akira ransomware attacks in December, targeting businesses in Finland, with the attackers deleting backups as part of the intrusion. Of the seven ransomware incidents noted last month, the agency confirms that six were attributable to this threat actor. By erasing backups, the attackers increase the impact of their attack and gain additional leverage over victims by removing their ability to recover data without complying with ransom demands.
How Did the Breach Happen?
The Akira ransomware incidents involved infiltrating the victims' networks by exploiting a vulnerability known as CVE-2023-20269. This vulnerability affects the VPN function of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products. Exploiting this flaw enables malicious actors to identify valid login credentials for user accounts that are not protected by safeguards such as multi-factor authentication (MFA).
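As an added illustration, not taken from the NCSC-FI report or from Cisco, the following defender-side check shows how the credential guessing this vulnerability enables would surface in VPN authentication logs: it counts rejected logins per source address in a sliding window and records any successful login that follows such a burst. The log layout, field names, sample lines and thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real appliance output).
# The field layout is an assumption; adapt LINE_RE to your appliance's syslog format.
SAMPLE_LOG = """\
2023-12-05T10:00:01Z vpn-auth result=reject user=alice src=203.0.113.7
2023-12-05T10:00:02Z vpn-auth result=reject user=bob src=203.0.113.7
2023-12-05T10:00:03Z vpn-auth result=reject user=carol src=203.0.113.7
2023-12-05T10:00:04Z vpn-auth result=reject user=dave src=203.0.113.7
2023-12-05T10:00:05Z vpn-auth result=reject user=erin src=203.0.113.7
2023-12-05T10:00:06Z vpn-auth result=accept user=erin src=203.0.113.7
2023-12-05T10:00:30Z vpn-auth result=reject user=alice src=198.51.100.9
2023-12-05T10:03:00Z vpn-auth result=reject user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for each line matching the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_credential_guessing(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: {"users": set, "success": set}} for sources that produced at least
    `threshold` rejected logins inside `window`; "success" holds accounts that later
    authenticated from that source, which a responder should treat as compromised."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) for rejects inside the window
    flagged = {}
    for ts, result, user, src in parse(lines):
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop rejects that fell out of the sliding window
        if result == "reject":
            q.append((ts, user))
            if len(q) >= threshold:
                entry = flagged.setdefault(src, {"users": set(), "success": set()})
                entry["users"].update(u for _, u in q)
        elif result == "accept" and src in flagged:
            flagged[src]["success"].add(user)
    return flagged
```

Running `detect_credential_guessing(SAMPLE_LOG.splitlines())` flags only 203.0.113.7 (five rejects in five seconds, then a successful login as erin), while the two widely spaced rejects from 198.51.100.9 stay below the threshold.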
What Data has been Compromised?
The Akira ransomware operators specifically targeted backups stored on network-attached storage (NAS) devices and on tape backup devices. They deliberately destroyed these backups, leaving the victims with no recoverable copies of their data.
Why Did the Company's Security Measures Fail?
The company's security was compromised through exploitation of a vulnerability in the VPN function of Cisco ASA and FTD products. In addition, the absence of login safeguards such as multi-factor authentication allowed the attacks to succeed.
What Immediate Impact Did the Breach Have on the company?
The breach led to the deletion of all backup files, exacerbating the impact of the intrusion. Subsequently, the malicious actor coerced the victims into paying the ransom by exploiting the fact that they were unable to recover their data.
How could this have been prevented?
Organizations are advised to strengthen their security by updating their Cisco ASA and FTD products to versions 9.16.2.11 and 6.6.7 or higher. Implementing multi-factor authentication and adhering to the 3-2-1 backup rule are also crucial in preventing comparable attacks.
What have we learned from this data breach?
This incident underscores the importance of strong security measures: promptly installing software updates, using multi-factor authentication, and following best practices for storing and managing backups.
Summary of Coverage
The National Cyber Security Centre Finland (NCSC-FI) has issued a warning about a rise in Akira ransomware incidents aimed at businesses in the country. The cybercriminals behind these attacks have successfully deleted backup data on network-attached storage units and tape backup devices. The breaches were made possible by exploiting a vulnerability in Cisco ASA and FTD products. Companies are urged to update their systems, set up multi-factor authentication, and follow recommended backup storage practices.