
The SOC case files: XDR catches Akira ransomware exploiting ‘ghost’ account and unprotected server
Incident summary
- A manufacturing company was hit with Akira ransomware in the early hours of the morning.
- The attackers breached the network through a ‘ghost’ account (an account that was created for a third-party vendor and not deactivated when the vendor left).
- At 1:17 a.m. the attackers broke cover and tried to move laterally and disable endpoint security — both attempts were blocked by Barracuda Managed XDR.
- They then moved the focus of their activity to an unprotected server, elevating their privileges and launching the ransomware at 2:54 a.m.
- By 2:59 a.m. all impacted devices covered by XDR had been neutralized.
- SOC engineers worked with the target on recovery and investigation.
The SOC is part of Barracuda Managed XDR, an extended visibility, detection, and response (XDR) service that provides customers with round-the-clock human and AI-led threat detection, analysis, and mitigation services to protect against complex threats.
How the attack unfolded
Exposed areas in the target’s IT environment
- There were several preexisting areas of risk in the target’s IT infrastructure and security policies that increased their vulnerability and the chances of a successful breach. These included:
  - Unprotected devices on the network
  - An open VPN channel in their firewall
  - Multifactor authentication not enforced across the business
  - An account that had been created for a third-party vendor and was not deactivated when they left
- At some point before deploying the main attack, the threat actor got hold of the credentials for the third-party ‘ghost’ account and used this to connect via an open VPN channel to gain access to the network.
- It is worth noting that the additional implementation of XDR Network Security would have detected the suspicious VPN activity and helped block the attack at an earlier stage.
The main attack
- XDR Endpoint Security first detected the threat actor at 1:17 a.m. as they tried to move laterally across the network using information stealer malware and pass-the-hash, a technique that reuses a stolen password hash to authenticate to other systems without knowing the password itself.
- Both techniques were successfully mitigated by XDR Endpoint Security. Suspicious lateral movement is one of the clearest indicators of a ransomware attack. In 2024, 44% of unfolding ransomware incidents were spotted during lateral movement.
- The attackers persevered. When they realized that endpoint protection was deployed on devices throughout the network, they retaliated in two ways.
- First, at 1:37 a.m. they ran a tool called Advanced IP Scanner to find and list all the devices on the network. Next, they tried to execute commands to disable XDR Endpoint Security, which failed thanks to XDR’s anti-tampering capabilities.
- A few minutes later, at 1:41 a.m., the threat actor began running a tool called WinRAR to prepare data for exfiltration. WinRAR is a legitimate archiving utility that can open most file types; attackers use it to compress stolen data into archives that are smaller and easier to transfer out of the network.
- At the same time, the threat actor shifted the focus of their attack to an unprotected server where they planned to continue their attack away from the visibility and restrictions of the installed endpoint security.
- The attackers were able to elevate their privileges to administrator-level from the unprotected server and leverage that to execute the attack. If the server had been covered by XDR protection, the suspicious administrator activity would have been flagged.
- The threat actor released the Akira ransomware just over an hour later, at 2:54 a.m. Akira is a prolific ransomware-as-a-service (RaaS) offering that emerged in 2023.
- The attackers first executed the ransomware on the unprotected server and then tried to remotely encrypt devices they could reach through the network. Remote encryption is a common tactic that threat actors use to bypass security controls that might be activated if they tried to execute the ransomware on each individual host.
- However, as soon as the remote encryption process was initiated, XDR Endpoint Security’s custom STAR rules detected the malicious activity and started to isolate the targeted endpoints from the network.
- Within four minutes, by 2:59 a.m., all targeted endpoints protected by XDR had been disconnected from the network.
- Shortly thereafter, the XDR SOC team issued a high-risk security alert to the organization and called them to inform them of the case.
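The two behaviours XDR Endpoint Security acted on above, NTLM-based lateral movement (the pass-the-hash pattern at 1:17 a.m.) and remote encryption from a single host (the STAR-rule detection at 2:54 a.m.), can both be expressed as simple windowed detections over logon and file-server events. The following is an added illustration, not Barracuda's code or the actual STAR rules: the event records, host names, thresholds and the `.locked` extension are all constructed, and the tuple layouts are assumptions standing in for whatever your SIEM emits.

```python
"""Two toy detections modelled on the case: (1) NTLM network-logon fan-out from
one source host, the footprint pass-the-hash lateral movement leaves, and (2) a
burst of renames to one new extension on a file server driven by a single SMB
client, the footprint of remote encryption. All events and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows logon records: (time, source_host, target_host, logon_type,
# auth_package). Logon type 3 is a network logon. Not taken from the incident.
LOGON_EVENTS = [
    ("01:17:02", "WS-FIN-04", "WS-ENG-01", 3, "NTLM"),
    ("01:17:05", "WS-FIN-04", "WS-ENG-02", 3, "NTLM"),
    ("01:17:09", "WS-FIN-04", "FS-01", 3, "NTLM"),
    ("01:17:14", "WS-FIN-04", "WS-HR-03", 3, "NTLM"),
    ("01:17:20", "WS-FIN-04", "PRINT-01", 3, "NTLM"),
    ("01:18:30", "WS-ENG-01", "FS-01", 3, "Kerberos"),   # ordinary share access
    ("01:19:00", "WS-HR-03", "WS-HR-03", 2, "Kerberos"),  # interactive logon
]

# Constructed file-server audit records: (time, client_host, target_host,
# operation, old_name, new_name). ".locked" is a placeholder extension.
FILE_EVENTS = [
    ("02:40:00", "WS-ENG-01", "FS-01", "rename", "draft.docx", "final.docx"),
    ("02:54:10", "SRV-LEGACY", "FS-01", "rename", "q1.xlsx", "q1.xlsx.locked"),
    ("02:54:12", "SRV-LEGACY", "FS-01", "rename", "bom.csv", "bom.csv.locked"),
    ("02:54:13", "SRV-LEGACY", "FS-01", "rename", "cad.dwg", "cad.dwg.locked"),
    ("02:54:15", "SRV-LEGACY", "FS-01", "rename", "po.pdf", "po.pdf.locked"),
    ("02:54:18", "SRV-LEGACY", "FS-01", "rename", "hr.docx", "hr.docx.locked"),
    ("02:54:21", "SRV-LEGACY", "FS-01", "rename", "plan.pptx", "plan.pptx.locked"),
    ("02:55:00", "WS-ENG-01", "FS-01", "rename", "notes.txt", "notes.md"),
]


def _t(stamp):
    """Parse an HH:MM:SS timestamp; all sample events fall on one day."""
    return datetime.strptime(stamp, "%H:%M:%S")


def detect_logon_fanout(events, window=timedelta(seconds=60), min_targets=5):
    """Flag a source that performs NTLM network logons to >= min_targets distinct
    hosts inside `window`. One workstation authenticating to many peers with NTLM
    in under a minute is lateral movement, whatever credential was used."""
    by_source = defaultdict(list)
    for stamp, src, dst, logon_type, package in events:
        if logon_type == 3 and package == "NTLM":
            by_source[src].append((_t(stamp), dst))
    alerts = []
    for src, hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            targets = {dst for when, dst in hits[i:] if when - start <= window}
            if len(targets) >= min_targets:
                alerts.append({"rule": "ntlm_logon_fanout", "source": src,
                               "targets": sorted(targets)})
                break
    return alerts


def detect_remote_encryption(events, window=timedelta(seconds=30), min_files=5):
    """Flag an SMB client that renames >= min_files files on a server to the same
    new extension inside `window`. Because the encryptor runs on the client, the
    server only sees the renames, so the response is to isolate the client."""
    by_client = defaultdict(list)
    for stamp, client, target, op, old, new in events:
        if op != "rename":
            continue
        old_ext = old.rsplit(".", 1)[-1] if "." in old else ""
        new_ext = new.rsplit(".", 1)[-1] if "." in new else ""
        if new_ext and new_ext != old_ext:  # extension changed, not a plain rename
            by_client[client].append((_t(stamp), target, new_ext))
    alerts = []
    for client, hits in by_client.items():
        hits.sort()
        for i, (start, _, ext) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - start <= window and h[2] == ext]
            if len(burst) >= min_files:
                alerts.append({"rule": "remote_encryption_burst", "client": client,
                               "extension": ext, "files": len(burst),
                               "action": "isolate " + client})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_fanout(LOGON_EVENTS) + detect_remote_encryption(FILE_EVENTS):
        print(alert)
```

The second rule is the interesting one for this incident: the unprotected server never appears in endpoint telemetry, but every file it encrypts on a protected host shows up as a rename from its IP, so the protected side can still name the offender and cut it off. Thresholds and windows need tuning against a baseline of legitimate bulk renames (backup rotation, build servers) before they go live.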
Restore and recover
- Once the incident was neutralized, the SOC’s endpoint security engineers worked with the target to investigate the incident and help with recovery.
- The SOC team leveraged XDR Endpoint Security to issue rollback commands to the targeted endpoints and restore them to their latest snapshot from before the incident.
- The post-incident investigation revealed the open VPN channel in the firewall and the lack of consistent enforcement for MFA.

The main tools and techniques used in the attack

Indicators of Compromise detected in this attack (SHA1 hash values):
- 66930dc7e9c72cf47a6762ebfc43cc6a5f7a1cd3
- b29902f64f9fd2952e82049f8caaecf578a75d0d
Lessons learned
This incident illustrates how cyberattacks have become increasingly multi-stage and multi-level, with attackers ready to pivot and adapt to changing or unexpected circumstances, hunting down and exploiting any areas that are left unprotected and exposed.
The best protection against such attacks is comprehensive, layered defenses with integrated and extended visibility.
This should be accompanied by a robust focus on cybersecurity basics. For example:
- Always enforce MFA, especially on VPN accounts that are accessible externally.
- Implement a password policy to rotate credentials regularly to avoid stale passwords.
- Regularly audit active user accounts and disable any that are no longer in use.
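The three basics listed above (MFA on externally reachable VPN accounts, credential rotation, and regular audits that disable unused accounts) map directly onto the gaps that let the ‘ghost’ vendor account through. The audit below is an added example, not part of the original write-up or any Barracuda product: the account inventory, field names, contract dates and the 90-day and 180-day thresholds are constructed, and in practice the records would be exported from the directory or identity provider.

```python
"""Account-hygiene audit modelled on the three lessons: ghost vendor accounts
left enabled after the engagement ended, dormant accounts, accounts that can
reach the VPN without MFA, and passwords older than the rotation policy. The
inventory and every threshold are constructed for illustration."""
from datetime import date

# Constructed directory export (not the target's real accounts).
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_logon": date(2025, 3, 1),
     "pwd_last_set": date(2025, 1, 15), "vendor": None, "contract_end": None,
     "vpn": True, "mfa": True},
    {"user": "svc-hvacco", "enabled": True, "last_logon": date(2024, 9, 30),
     "pwd_last_set": date(2023, 6, 1), "vendor": "HVAC Co", "contract_end": date(2024, 10, 31),
     "vpn": True, "mfa": False},
    {"user": "mlee", "enabled": True, "last_logon": date(2025, 3, 9),
     "pwd_last_set": date(2024, 8, 1), "vendor": None, "contract_end": None,
     "vpn": True, "mfa": False},
    {"user": "old-intern", "enabled": False, "last_logon": date(2023, 8, 20),
     "pwd_last_set": date(2023, 5, 1), "vendor": None, "contract_end": None,
     "vpn": False, "mfa": False},
    {"user": "svc-backup", "enabled": True, "last_logon": None,
     "pwd_last_set": date(2025, 2, 1), "vendor": None, "contract_end": None,
     "vpn": False, "mfa": False},
]


def audit_accounts(accounts, today, stale_days=90, max_pwd_age=180):
    """Return (user, finding, recommended action) triples for every enabled
    account that breaks one of the hygiene rules. Disabled accounts are skipped:
    the point of the audit is to find the ones that should have been disabled."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        # Ghost account: created for a vendor whose engagement has already ended.
        if acct["vendor"] and acct["contract_end"] and acct["contract_end"] < today:
            findings.append((user, "ghost_vendor_account",
                             "disable now; %s contract ended %s" % (acct["vendor"], acct["contract_end"])))
        # Dormant account: never used, or unused for longer than stale_days.
        if acct["last_logon"] is None or (today - acct["last_logon"]).days > stale_days:
            findings.append((user, "inactive_account",
                             "confirm owner or disable; no logon in %d days" % stale_days))
        # Externally reachable without a second factor.
        if acct["vpn"] and not acct["mfa"]:
            findings.append((user, "vpn_without_mfa", "enforce MFA before next VPN logon"))
        # Password older than the rotation policy.
        if (today - acct["pwd_last_set"]).days > max_pwd_age:
            findings.append((user, "stale_password",
                             "force reset; password older than %d days" % max_pwd_age))
    return findings


def prioritised(findings):
    """Order findings so the ghost accounts, which combine a former-insider
    credential with no owner watching it, surface first."""
    rank = {"ghost_vendor_account": 0, "vpn_without_mfa": 1,
            "inactive_account": 2, "stale_password": 3}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


if __name__ == "__main__":
    for user, finding, action in prioritised(audit_accounts(ACCOUNTS, date(2025, 3, 10))):
        print("%-12s %-22s %s" % (user, finding, action))
```

Run on a schedule, the `ghost_vendor_account` and `inactive_account` findings are the ones that would have caught the vendor account in this case; the `vpn_without_mfa` check is the control that would have made the stolen credential useless on its own.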
In this case study, the incomplete security cover helped the threat actors gain access to the network and remain under the radar until they decided to move laterally. It also allowed them to prepare and launch different phases of the attack from a device that couldn’t be scanned and monitored by security tools.
Every attempt to progress the attack that involved an XDR-protected endpoint was mitigated and remediated within minutes.
XDR can help in other ways, including:
- XDR Endpoint Security proactively provides data on unprotected devices, so organizations are made aware of devices on their network that do not have endpoint security deployed and could potentially be leveraged by attackers.
- Extending XDR coverage to network security could have detected the suspicious VPN activity at an earlier stage of the attack. XDR leverages SOAR (security orchestration, automation, and response), which would have blocked the malicious IP address used by the attackers automatically.
- Lastly, extending the XDR coverage to include server security could have detected the unusual activity and privilege elevation quietly taking place on the server.
Barracuda Managed XDR features like threat intelligence, Automated Threat Response, and the integration of wider solutions such as XDR Server Security, XDR Network Security, and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.
For further information: Barracuda Managed XDR and SOC.