Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th)

SANS Internet Storm Center, 27/05/2026, 21:14

Summary

AI-Generated

Key Points:

  • Akira ransomware exploited a local SSLVPN account through credential stuffing, leading to domain admin access and subsequent lateral movement.
  • The attack impacted a mid-sized organization's Active Directory environment, with the attacker leveraging brute-force methods and executing reconnaissance before encryption.
  • Immediate actions include implementing multi-factor authentication (MFA) for VPN accounts, improving log retention policies, and integrating perimeter and endpoint log analysis.

Technical Details: The attack utilized T1078.001 (Valid Accounts: Local) for initial access via a deprovisioned SSLVPN account without MFA. The attacker executed commands such as nltest.exe and net.exe for discovery and performed Kerberoasting (T1558.003) to obtain service account credentials.
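A defender-side example, added here and not part of the ISC diary or this summary: a small Python correlator that tags Windows Security event records (4688 process creation, 4769 Kerberos TGS requests, 1102 audit log cleared) with the ATT&CK IDs listed on this page, so the discovery commands, the RC4 service-ticket burst that characterises Kerberoasting, and the log clearing line up on one timeline. The JSON-lines format, field names, host names and account names are assumptions constructed for the example, not data from the diary.

```python
"""Stage-tag Windows Security events against the ATT&CK techniques above.

Editor-added example; not the ISC diary's code. Records are one JSON object
per line with fields modelled loosely on events 4688, 4769 and 1102. The
SAMPLE_LOG below is constructed, not captured from a real incident.
"""
import json
import re
from collections import defaultdict

# Constructed sample records (hypothetical hosts and accounts).
SAMPLE_LOG = r"""
{"ts": "2026-05-20T02:11:04Z", "event_id": 4688, "host": "WS01", "user": "CORP\\svc-vpn", "new_process": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts"}
{"ts": "2026-05-20T02:11:09Z", "event_id": 4688, "host": "WS01", "user": "CORP\\svc-vpn", "new_process": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"}
{"ts": "2026-05-20T02:12:30Z", "event_id": 4769, "host": "DC01", "user": "svc-vpn@CORP.LOCAL", "service_name": "svc-sql", "ticket_encryption_type": "0x17"}
{"ts": "2026-05-20T02:12:31Z", "event_id": 4769, "host": "DC01", "user": "svc-vpn@CORP.LOCAL", "service_name": "svc-backup", "ticket_encryption_type": "0x17"}
{"ts": "2026-05-20T02:12:32Z", "event_id": 4769, "host": "DC01", "user": "svc-vpn@CORP.LOCAL", "service_name": "WS02$", "ticket_encryption_type": "0x12"}
{"ts": "2026-05-20T02:40:00Z", "event_id": 1102, "host": "DC01", "user": "CORP\\svc-vpn"}
"""

# Command-line patterns for the two discovery techniques named on the page.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b", re.I),        # net user / net group
    "T1482": re.compile(r"\bnltest(\.exe)?\s+/(domain_trusts|trusted_domains)", re.I),
}


def parse_lines(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(event):
    """Return the list of technique IDs a single event matches (possibly empty)."""
    eid = event.get("event_id")
    if eid == 4688:
        cmd = event.get("cmdline", "")
        return [tech for tech, pat in DISCOVERY_PATTERNS.items() if pat.search(cmd)]
    if eid == 4769:
        svc = event.get("service_name", "")
        enc = event.get("ticket_encryption_type", "").lower()
        # RC4 (0x17) tickets for user-style service accounts are the Kerberoast tell;
        # computer accounts ($) and krbtgt are excluded to cut noise.
        if enc == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            return ["T1558.003"]
        return []
    if eid == 1102:
        return ["T1070.001"]
    return []


def reconstruct(text, kerberoast_threshold=2):
    """Map technique ID -> matching events. A lone RC4 TGS request is common
    legacy noise, so T1558.003 is kept only when distinct service accounts
    at or above the threshold were requested."""
    hits = defaultdict(list)
    for ev in parse_lines(text):
        for tech in classify(ev):
            hits[tech].append(ev)
    if "T1558.003" in hits:
        distinct = {e["service_name"] for e in hits["T1558.003"]}
        if len(distinct) < kerberoast_threshold:
            del hits["T1558.003"]
    return dict(hits)


def timeline(hits):
    """Flatten the hits into time-ordered (timestamp, technique, host) rows."""
    rows = [(e["ts"], tech, e["host"]) for tech, evs in hits.items() for e in evs]
    return sorted(rows)


if __name__ == "__main__":
    for ts, tech, host in timeline(reconstruct(SAMPLE_LOG)):
        print(f"{ts}  {tech:<10} {host}")
```

The threshold on distinct service accounts is the part worth tuning: one RC4 ticket request from an old application is routine in many domains, whereas several for different SPN-bearing accounts within a few seconds from one user is the burst the diary's Kerberoasting step would leave in 4769 records, provided those records were retained long enough to be reconstructed, which is exactly the log-retention point in the key points above.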

MITRE ATT&CK Techniques:

  • T1078.001 - Valid Accounts: Local (Initial Access)
  • T1133 - External Remote Services (Initial Access)
  • T1087 - Account Discovery (Discovery)
  • T1482 - Domain Trust Discovery (Discovery)
  • T1558.003 - Kerberoasting (Credential Access)
  • T1021.001 - Remote Services: RDP (Lateral Movement)
  • T1070.001 - Clear Windows Event Logs (Defense Evasion)
  • T1562 - Impair Defenses (Defense Evasion)
  • T1486 - Data Encrypted for Impact (Impact)
  • T1490 - Inhibit System Recovery (Impact)

IOCs Mentioned: None mentioned
