The Weekend Byte
Akira Bypasses EDR with a Webcam
Plus: How scammers are taking advantage of FTX bankruptcy claims
Ummm, when did the alphabet song change? As you know, I don’t follow music that much, but the ABC song? It’s a classic. Or it was. Maybe we need a T-Swift remix to get it back on track?
Oh well. Today, in the cyber world we’re covering:
Deepfake fraud
When a ransomware attacker befriends a webcam
Malicious snailmail?
-Jason
P.S. My buddy Mike Lloyd has a great newsletter that teaches you how to ask better questions. I always value his ability to ask great questions because it can completely change your understanding of a situation. As he says, “better asks for better outcomes.” Give it a subscribe.
AI Spotlight
Deepfake Fraud

Do you remember FTX? The massive digital currency exchange and brainchild of Sam Bankman-Fried that went bankrupt in November 2022. But not because of COVID. It collapsed after it was exposed that the exchange had $9 billion in liabilities but only $900 million in assets. Customers rightly panicked and began withdrawing funds. With an $8 billion gap in assets, FTX collapsed.
Of course, customers wanted their money back. Each customer was given an FTX bankruptcy claim, an IOU that FTX was obligated to pay if they could recover money to do so. Each customer could also sell that claim to someone who wanted to sit around and wait. All of this facilitated by secondary markets, like X-Claim. Ah, capitalism at its finest.
It’s great news for people who wanted their assets now and an investment opportunity for those who had capital and could afford to be more patient.
Where money flows, scams follow. According to an Inca Digital Threat Intelligence report, a scammer targeted two companies buying up bankruptcy claims and netted $5.6 million. The report stated:
After agreeing upon purchase terms, both companies conducted due diligence, verified the claims as legitimate, and finalized the transactions. Shortly afterwards, both companies received rejection notices from Kroll, the company managing FTX’s bankruptcy claims, informing them they were defrauded.

The scammer created two personas and snuck past the Know Your Customer (KYC) checks. These included:
Email Addresses: The scammer created two Proton Mail addresses for two FTX claims accounts.
Identity Verification: The scammer created fake Singaporean ID cards.
Due Diligence Calls: It’s believed the scammer used deepfake video as “suspicious random movements” appeared on the scammer’s face. Inca Digital also identified that the scammer’s face is suspiciously similar to a former professional video game player (who ironically is in prison right now for trafficking and selling marijuana in Taiwan).
For this to be successful, the scammer needed detailed information on the FTX claims. It’s unknown how they got this information, but Inca Digital believes one viable way is that the scammer bought data stolen from Kroll, who is managing the FTX claims, on the dark web. They cite a dark web posting advertising FTX claim data for sale.
While we can’t be sure how they gained the necessary information, this serves as another example of how scammers use deepfakes to facilitate their fraud.
Security Deep Dive
Akira Can’t Stop, Won’t Stop

There are instances with attackers when you pause and say, “don’t hate the player, hate the game.” This is one of those situations.
Per an S-RM writeup, an attacker affiliated with the Akira ransomware gang didn’t take no for an answer when EDR blocked their ransomware. Instead, they got creative.
Like many ransomware stories, we begin with a remote access solution. Exactly what type of remote access solution was targeted or how they gained access is unclear. Typically, we see stolen credentials for remote access or a vulnerability in a VPN device that leads to the initial foothold into an environment.
Regardless, the attacker accessed the environment and logged into a Windows system in the victim’s environment. Next, they installed the AnyDesk remote monitoring and management (RMM) tool. This is a legitimate IT tool for remote access to systems, making the lives of IT techs and attackers easier.
One system is not enough for a ransomware attack. After installing AnyDesk, the attackers moved to other systems to learn more about the environment and prepare for their main act: deploying the ransomware.
The attacker logged into a Windows server and, with the finesse of a Russian bear riding a bike in the circus, placed a password-protected ZIP archive. That ZIP archive contained the ransomware executable which, when run, would encrypt all of the files on the system. But not on Sheriff EDR’s system. The EDR blocked that ZIP archive and quarantined it to whatever depths of hell EDR sends those things.

The attacker wasn’t going to be stopped easily, though. Instead of getting mad or using any other EDR bypass techniques, they wanted to be a star. So they went to a webcam. But they didn’t record a vlog about their hurt feelings. Instead, they found a webcam on the network that had critical vulnerabilities.
Exploiting these vulnerabilities gave them remote control over the Linux operating system that runs the webcam software. Like many IoT devices, it did not have EDR installed. EDR agents generally aren’t built for embedded Linux, and the devices rarely have the CPU and memory to run one anyway, so they sit on the network as unmonitored, fully networked computers.
From that little but mighty webcam, the attacker encrypted the environment. It worked like this.
The attacker connected to shared folders on Windows systems over Server Message Block (SMB), the network file-sharing protocol built into Windows. Any client that speaks SMB and presents valid credentials can mount a share and read or modify every file that account has write access to (the hidden administrative shares such as C$ require admin credentials). That includes a Linux box like the webcam, which can mount Windows shares just fine.
With the shares mounted, the attacker ran a Linux version of the ransomware on the webcam itself, and it encrypted the Windows files over the network. From the Windows system’s perspective, an authenticated remote client is just reading and rewriting files through the SMB server service. No malicious code ever executes on the Windows host, so the EDR, whose process and memory telemetry lives on that host, had nothing to fire on. The lesson for defenders is that host-based EDR alone cannot see encryption that arrives over a file share. You need file-server-side signals (share-access auditing, mass write/rename/delete detection, canary files) and, better still, segmentation so that an IoT VLAN cannot reach port 445 on a file server in the first place.
And that’s how an attacker wouldn’t let some pesky EDR stop them and became best friends with a webcam.
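Here is what catching the share-side encryption described above might look like on the file server. This is an added example, not code from the S-RM report, this newsletter or Akira’s tooling: it runs simple detection logic over a constructed log of share-access records, loosely modelled on the fields Windows Security event 5145 carries (client address, account, share, target file, access type) but not the real event schema. The IP ranges, hostnames, account names and the `.locked` extension are all assumptions invented for the example. It flags any client that modifies many distinct files on one share within a short window, then raises the severity if the client sits in a subnet where only cameras and other IoT gear should live.

```python
"""Detecting ransomware that encrypts over SMB from a non-Windows host.

Constructed sample: a simplified, pipe-delimited rendering of share-access
records, loosely modelled on the fields of Windows Security event 5145.
It is NOT the real event schema; hostnames, addresses, account names and
the ".locked" extension are all made up for this example.
"""
import ipaddress
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed network layout (hypothetical): cameras and other IoT devices live in
# 10.99.0.0/16. Nothing in that range has any business writing to a file share.
IOT_NETS = [ipaddress.ip_network("10.99.0.0/16")]

# Access types that change data on the share; reads are ignored.
WRITE_LIKE = {"WriteData", "Delete"}


def _build_sample() -> str:
    """Construct the sample log (fabricated data, not a real incident)."""
    base = datetime(2025, 3, 5, 2, 14, 0)
    rows = [
        # A workstation user editing a couple of files: normal activity.
        (base, "10.10.4.22", "CORP\\jsmith", "\\\\FS01\\Finance", "Q1\\budget.xlsx", "ReadData"),
        (base + timedelta(seconds=4), "10.10.4.22", "CORP\\jsmith", "\\\\FS01\\Finance", "Q1\\budget.xlsx", "WriteData"),
        (base + timedelta(seconds=40), "10.10.4.22", "CORP\\jsmith", "\\\\FS01\\Finance", "Q1\\notes.txt", "WriteData"),
    ]
    # A host in the camera VLAN, authenticated with a valid domain account,
    # writing an encrypted copy of every file and deleting the original.
    for i in range(30):
        t = base + timedelta(seconds=90 + 2 * i)
        orig = f"Reports\\report_{i:02d}.docx"
        rows.append((t, "10.99.7.31", "CORP\\svc_backup", "\\\\FS01\\Finance", orig + ".locked", "WriteData"))
        rows.append((t, "10.99.7.31", "CORP\\svc_backup", "\\\\FS01\\Finance", orig, "Delete"))
    return "\n".join(" | ".join([r[0].isoformat(), *r[1:]]) for r in rows)


SAMPLE_EVENTS = _build_sample()


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, share, path, access = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ipaddress.ip_address(ip),
            "account": account,
            "share": share,
            "path": path,
            "access": access,
        })
    return events


def find_mass_writers(events, window=timedelta(minutes=5), threshold=20) -> list:
    """Alert on any (client, share) pair that modifies >= threshold distinct
    files inside a sliding time window. Each alert records whether the client
    is in an IoT range and which extension dominates its new writes, the
    residue a rename-and-encrypt loop leaves behind."""
    by_client = defaultdict(list)
    for e in events:
        if e["access"] in WRITE_LIKE:
            by_client[(e["ip"], e["share"])].append(e)

    alerts = []
    for (ip, share), evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # (distinct_count, start_idx, end_idx) of the busiest window
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            touched = {e["path"] for e in evs[start:end + 1]}
            if best is None or len(touched) > best[0]:
                best = (len(touched), start, end)
        if best is None or best[0] < threshold:
            continue
        count, s, e_idx = best
        burst = evs[s:e_idx + 1]
        # Extension of each newly written file name (text after the last backslash).
        new_ext = Counter(
            os.path.splitext(ev["path"].rsplit("\\", 1)[-1])[1]
            for ev in burst if ev["access"] == "WriteData"
        )
        alerts.append({
            "source_ip": ip,
            "share": share,
            "account": burst[-1]["account"],
            "distinct_files": count,
            "window_start": burst[0]["ts"],
            "iot_source": any(ip in net for net in IOT_NETS),
            "dominant_new_extension": new_ext.most_common(1)[0][0] if new_ext else None,
        })
    return alerts


if __name__ == "__main__":
    for a in find_mass_writers(parse_events(SAMPLE_EVENTS)):
        sev = "HIGH" if a["iot_source"] else "MEDIUM"
        print(f"[{sev}] {a['source_ip']} as {a['account']} touched {a['distinct_files']} "
              f"files on {a['share']} from {a['window_start']}; "
              f"new extension {a['dominant_new_extension']}")
```

The thresholds are deliberately crude. In production you would tune the window and count per share, feed the same logic from your SIEM’s 5145 stream or a network sensor’s SMB2 decode, and treat a valid account writing from an unexpected subnet as the real tell, since the credentials in this kind of attack are legitimate. The cheapest control is still the one the IoT-subnet check hints at: a camera VLAN that can’t reach the file servers can’t be used this way at all.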

Security & AI News
What Else is Happening?
👋 Everyone, meet Carl. Carl is not a person. Carl is an AI system designed to conduct academic research and write papers while the scientists sip margaritas on the beach. Carl uses existing research to generate new ideas and hypotheses. Like a good AI, Carl can test those hypotheses by developing code, analyzing data outputs, and visualizing the results. It all concludes with a presentation to the scientists after they settle their bar tab.
🧺 North Korea completed the first stage of laundering the $1.5 billion in cryptocurrency it stole from Bybit. This means they transferred all of the stolen coins to new wallets as part of their initial efforts to cover their tracks and position themselves to convert those funds into something usable in the real world. Check out last week’s newsletter to learn how they stole the funds. Safe{Wallet}, where the attack originated, also released preliminary details on how it was compromised.
✏️ I love this take comparing universities’ fears that AI will destroy academics to how people in the 1970s thought cheap calculators would ruin math. Two things stood out to me. First, students need to understand that the quality of AI output is not always optimal. Second, students “need to learn how to make their work genuinely stand out in a sea of increasingly generic AI-generated essays.” The second is true for everyone, not just students.
💌 Attackers are redefining the concept of a nice handwritten note. Instead of sending ransom demands via email, some hooligans have sent ransom letters to CEOs through snail mail. The ransom notes claimed to be from the BianLian ransomware group and said they hacked into the company and stole its data. It included a QR code for easy crypto payment. So far, it all looks fake, so the only winner here is the USPS, which is raking in some extra postage money.
🎤 Don’t mess with a Swiftie. Two employees of a StubHub contractor used their access to steal URLs for downloadable tickets and resell those for a profit. Unsurprisingly, the primary target was Taylor Swift’s Eras Tour.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!