Rapid Data Heist: Akira Ransomware Group's Two-Hour Attack on Veeam Servers


Posted on: 17 Jul 2024 | Author: Foresiet

In a startling development, the Akira ransomware gang has demonstrated a dramatic reduction in the time it takes to exfiltrate data from compromised servers. According to the BlackBerry Threat Research and Intelligence Team, this cybercriminal group managed to steal data from a Veeam server in just over two hours during a June attack on a Latin American airline.

Using the Secure Shell (SSH) protocol, the attackers gained initial access through an unpatched Veeam backup server. The culprit behind this lightning-fast heist is likely Storm-1567, also known as Punk Spider or Gold Sahara. This group is notorious for deploying the Akira ransomware-as-a-service (RaaS) platform and maintaining the Akira leak site. Since emerging in March 2023, Storm-1567 has targeted over 250 organizations across various industries worldwide.

The Speed of Modern Ransomware Attacks

In this attack, Storm-1567 accessed the Veeam backup server through CVE-2023-27532, rapidly siphoning off sensitive data without moving laterally within the network. Veeam servers are attractive targets due to their storage of credentials and other valuable information. According to Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, 93% of cyberattacks target backup storage, underscoring the vulnerability of such systems.

The attackers exploited legitimate tools and utilities to carry out their mission covertly. After gaining access, they created a user named 'backup' and added it to the Administrator group to solidify their foothold. They used Advanced IP Scanner to map the network and WinSCP, a free file manager for Windows, to exfiltrate the data.

The entire operation took just 133 minutes, suggesting a high degree of organization and efficiency. The attackers ceased activities for the day at 4:55 pm GMT/UTC, hinting at a possible Western European base. They resumed the next day at 8:40 pm GMT/UTC to deploy the ransomware.

Escalation and Deployment of Ransomware

Storm-1567 performed user checks across several machines prior to accessing the main Veeam backup server. They downloaded and used Netscan and WinRAR to identify and access additional networked machines, gathering data into a file named 'AdComputers.csv'. The group disabled antivirus protection on the virtual machine host and used AnyDesk, a legitimate remote desktop software, to connect to other network systems.
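The sequence described in this section and the previous one (a new local account, its promotion to the Administrators group, then dual-use tools run under it) can be hunted for as a correlated chain rather than as isolated events. The following is an added example, not code from the original article or from the BlackBerry report: the event records are constructed and simplified from Windows Security log events 4720, 4732 and 4688, the host names and timestamps are invented, the executable names are assumed typical filenames for the tools the article names, and the 133-minute window is borrowed from the article's timeline.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"   # built-in Administrators group
# Assumed typical filenames for the tools named in the article; attackers can rename them.
DUAL_USE = {"advanced_ip_scanner.exe", "netscan.exe", "winscp.exe", "winrar.exe", "anydesk.exe"}
WINDOW = timedelta(minutes=133)    # intrusion-to-exfiltration time reported in the article

# Constructed sample events with simplified field names (real 4732 records identify the member by SID).
EVENTS = [
    {"ts": "2024-06-01T14:42:00", "host": "VEEAM01", "id": 4720, "account": "backup"},
    {"ts": "2024-06-01T14:43:10", "host": "VEEAM01", "id": 4732, "account": "backup",
     "group_sid": ADMIN_GROUP_SID},
    {"ts": "2024-06-01T14:50:00", "host": "VEEAM01", "id": 4688, "account": "backup",
     "image": r"C:\Users\backup\Downloads\Advanced_IP_Scanner.exe"},
    {"ts": "2024-06-01T15:30:00", "host": "VEEAM01", "id": 4688, "account": "backup",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"ts": "2024-06-01T15:31:00", "host": "FILE02", "id": 4688, "account": "svc_scan",
     "image": r"C:\Tools\netscan.exe"},
    {"ts": "2024-06-02T09:00:00", "host": "VEEAM01", "id": 4688, "account": "backup",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]

def find_chains(events, window=WINDOW):
    """Alert on accounts that are created, made local admin, then run dual-use tools within `window`."""
    created, admin_at, alerts = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["account"].lower())
        if ev["id"] == 4720:                       # user account created
            created[key] = ts
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMIN_GROUP_SID:
            # Count the promotion only if the same account was created shortly before.
            if key in created and ts - created[key] <= window:
                admin_at[key] = ts
        elif ev["id"] == 4688 and key in admin_at:  # process creation under the new admin
            tool = ev["image"].rsplit("\\", 1)[-1].lower()
            if tool in DUAL_USE and ts - admin_at[key] <= window:
                alert = alerts.setdefault(key, {"host": key[0], "account": key[1], "tools": []})
                alert["tools"].append(tool)
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

Matching on filenames alone misses renamed binaries, so in production the same chain is better keyed on file hashes or signer information where the telemetry provides them.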

Exploiting various unpatched vulnerabilities, the attackers destroyed backup copies to thwart recovery efforts, stole additional data, and finally downloaded the Akira ransomware to the Veeam machine. They deployed the ransomware network-wide using the compromised Veeam server as the control point.

A Shrinking Time-to-Exfiltration Horizon

The ransomware deployment took less than eight hours, but the initial data exfiltration phase, completed in just over two hours, is a significant concern. This rapid timeline shows how little time organizations now have to detect and stop an intrusion. According to Palo Alto Networks' 2024 Unit 42 Incident Response report, the median time from compromise to data exfiltration has dropped from nine days in 2021 to just under 24 hours in 2023.

To combat this accelerating threat landscape, organizations must adopt robust security measures, including a zero-trust framework and meticulous perimeter patching. Basic hygiene steps, such as implementing port access restrictions, can also hinder exfiltration attempts.

Conclusion

The Akira ransomware gang's ability to exfiltrate data swiftly underscores the urgent need for enhanced cybersecurity measures. By understanding potential adversaries and fortifying defenses, organizations can better protect against these rapidly evolving threats. Implementing comprehensive security strategies, including digital threat scoring, darknet monitoring services, and compromised data tracking, is essential in this high-stakes battle against cybercriminals.

