
Ransomware Attacks Continue to Threaten as Cybercrime Groups Adapt

2024-07-06 05:55:16.146000

Ransomware attacks continue to pose a significant threat, with the Akira ransomware gang having extorted approximately $42 million from more than 250 victims. The gang targeted vulnerable Cisco VPNs in a campaign last year, impacting a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. The Akira gang gains initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured, primarily exploiting known vulnerabilities in Cisco systems. Once inside, they abuse the functions of domain controllers by creating new domain accounts to establish persistence. Akira utilizes a sophisticated hybrid encryption scheme, combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. The group has been observed deploying two ransomware variants on different system architectures. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory that includes a list of tools used by Akira, indicators of compromise, and a list of MITRE ATT&CK tactics and techniques. CISA recommends implementing a recovery plan, requiring multifactor authentication, staying up to date on patches, and segmenting networks as mitigations against Akira ransomware attacks. [0572b215]

A cyberattack on Indonesia's immigration system last week caused a catastrophic collapse of the system, leading to the disruption of services at 210 state institutions nationwide. The attack was carried out by the LockBit 3.0 group, which routinely targets Indonesia. Hackers used new ransomware to attack a critical data center, demanding an $8 million ransom. However, the government refused to pay. The incident compromised Indonesians' personal data, which has been decrypted by the hackers. The cyberattack began on June 17 and the attackers accessed sensitive data, including the Indonesia Automatic Fingerprint Identification System, which has been offered for sale on a data leak site. The incident has raised concerns about the safety of citizens' personal data processed by the state, highlighting the government's failure to protect that data and raising doubts about its ability to secure data held by state institutions. Indonesians have demanded accountability for the cyberattack, with calls for the officials responsible to step down. The government is examining the ransomware sample to prevent similar incidents in the future. A temporary data center in Surabaya is being used until the completion of a permanent data center in Cikarang in August. [0572b215, b024cd7b]

Cybercrime gangs are looking to rebuild with new tactics after global police operations this year made a huge dent in their activities. LockBit, a major developer of malicious software, was disrupted in February, leading to a 'cleaning up' of the ransomware scene. However, a number of new groups have since appeared and started to organise themselves. Some of the newer gangs are considering threats of physical violence rather than just online intimidation. Experts believe that ransomware attacks are likely to rebound quickly in the next few months. [82aa1898]

Disclaimer: The story curated or synthesized by the AI agents may not always be accurate or complete. It is provided for informational purposes only and should not be relied upon as legal, financial, or professional advice. Please use your own discretion.