Bypassing EDR: How Akira Used an Unsecured Webcam to Deploy Ransomware


The Akira ransomware group, a well-established cyber threat actor, has recently employed an innovative attack vector to circumvent security defenses. In 2024, Akira was responsible for 15% of the ransomware cases investigated by cybersecurity firm S-RM. In the case described here, the attackers bypassed an organization’s Endpoint Detection and Response (EDR) system by leveraging an unsecured Internet of Things (IoT) device, a webcam, on the victim’s network. This highlights a growing trend of adversaries exploiting non-traditional entry points, such as IoT devices, to execute their malicious operations undetected.

Severity Level: High

Threat Details

1. Initial Compromise:

  • Akira gained access through an externally exposed remote access solution.
  • Deployed AnyDesk.exe, a remote management tool, for persistent access.
  • Conducted data exfiltration before attempting to deploy ransomware.

2. Blocked by EDR & Pivot to IoT:

  • Akira attempted to deploy ransomware in a password-protected zip file (“win.zip”) on a Windows server.
  • The EDR tool successfully detected and quarantined the ransomware payload.
  • In response, the attacker scanned the internal network and identified IoT devices, including webcams and a fingerprint scanner.

3. Webcam Exploitation & Ransomware Deployment:

  • The webcam was vulnerable due to:
    • Remote shell access capabilities.
    • Unauthorized remote viewing.
    • A lightweight Linux OS, compatible with Akira’s Linux ransomware variant.
  • Akira used the Server Message Block (SMB) protocol to move ransomware from the webcam to the server.
  • The attack went undetected due to a lack of security monitoring on the IoT device.

4. Impact & Consequences:

  • Successfully encrypted files across the victim’s network.
  • Demonstrated the evolution of ransomware tactics, targeting unprotected IoT devices to bypass security tools.

This attack underscores the urgent need for better IoT security measures, proactive network segmentation, and continuous monitoring of all network-connected devices.

Recommendations

  1. Place IoT devices on a segmented network that cannot be accessed from servers or user workstations, or restrict the devices’ communication to specific ports and IP addresses.
  2. Keep devices, including IoT devices, regularly patched with the most recent update. Ensure default passwords of IoT devices are changed to unique and complex ones.
  3. Keep IoT devices switched off when they are not in use.
  4. Disable unnecessary SMB protocol communications between IoT devices and internal servers.
  5. Implement firewall rules to restrict unauthorized SMB file-sharing activity.
  6. Disable unused remote access tools like AnyDesk unless explicitly required.
  7. Apply least privilege principles, ensuring that IoT devices cannot be accessed remotely without proper authentication.
  8. Block the IOCs at their respective controls.
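As an added illustration of recommendations 4 and 5 (example code written for this advisory, not from S-RM or the original page): a small Python check that scans firewall log lines for SMB (TCP 139/445) connections from an IoT subnet to a server subnet, the exact path Akira used to move the payload from the webcam to the server. The log format, the subnet layout and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the advisory). Assumed layout:
# IoT camera VLAN 10.10.50.0/24, user VLAN 10.10.20.0/24, server VLAN 10.10.10.0/24.
SAMPLE_LOGS = """\
2025-03-05T02:14:07Z src=10.10.50.23 dst=10.10.10.5 proto=tcp dport=445 action=allow
2025-03-05T02:14:09Z src=10.10.50.23 dst=10.10.10.5 proto=tcp dport=445 action=allow
2025-03-05T02:15:41Z src=10.10.20.14 dst=10.10.10.5 proto=tcp dport=445 action=allow
2025-03-05T02:16:02Z src=10.10.50.23 dst=10.10.50.1 proto=udp dport=53 action=allow
2025-03-05T02:17:30Z src=10.10.50.40 dst=10.10.10.7 proto=tcp dport=139 action=deny
""".splitlines()

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


def find_iot_smb_flows(lines, iot_subnets, server_subnets):
    """Return SMB flows from IoT subnets to server subnets.

    An 'allow' hit means the segmentation rule is missing or too permissive
    (the gap Akira used); a 'deny' hit shows the rule firing and is informational.
    """
    iot = [ipaddress.ip_network(n) for n in iot_subnets]
    servers = [ipaddress.ip_network(n) for n in server_subnets]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crashing
        rec = m.groupdict()
        if rec["proto"] != "tcp" or int(rec["dport"]) not in SMB_PORTS:
            continue
        try:
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # malformed address field
        if any(src in n for n in iot) and any(dst in n for n in servers):
            alerts.append({
                "ts": rec["ts"], "src": str(src), "dst": str(dst),
                "dport": int(rec["dport"]),
                "severity": "high" if rec["action"] == "allow" else "info",
            })
    return alerts


if __name__ == "__main__":
    for a in find_iot_smb_flows(SAMPLE_LOGS, ["10.10.50.0/24"], ["10.10.10.0/24"]):
        print(a)
```

Workstation-to-server SMB (the 10.10.20.14 line) is deliberately left alone, since the point of the check is the IoT-to-server path that no segmentation rule should permit.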

Source:

  • https://www.virustotal.com/gui/collection/c8eb82abffe53ba1889d04933e53be82da6e886f13184fe3b255e496a7713415/iocs
  • https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam
