The threat actor has deployed novel techniques to bypass security defenses, most notably by exploiting unsecured webcams to circumvent Endpoint Detection and Response (EDR) tools when deploying ransomware across corporate networks. This attack vector demonstrates the evolving tactics of cybercriminals, who continuously adapt to overcome the security measures deployed by organizations.

In a recent incident, S-RM's team responded to an Akira ransomware attack in which the threat actors initially followed their typical playbook. After compromising the victim's network through an externally facing remote access solution, they deployed AnyDesk.exe to maintain persistent access before exfiltrating sensitive data. The attackers then moved laterally through the network using Remote Desktop Protocol (RDP), which allowed them to blend in with legitimate system administrator activity and made detection more challenging for the security team. They attempted to deploy their ransomware payload by uploading a password-protected zip file named ‘win.zip’, containing the malicious executable ‘win.exe’, to a Windows server.

Following the failed deployment attempt, the attackers leveraged the results of a previously conducted internal network scan that had identified Internet of Things (IoT) devices on the victim's network, including webcams and a fingerprint scanner. S-RM's researchers noted that these devices presented an opportunity for the attackers to bypass traditional security controls and continue their campaign. The webcam had critical security vulnerabilities, including remote shell capabilities; it ran a lightweight Linux operating system that supported command execution much like a standard Linux host; and, crucially, it lacked any EDR protection because its limited storage capacity could not accommodate an agent.

After compromising the webcam, the attackers used it to generate malicious Server Message Block (SMB) traffic directed at the targeted Windows server. The SMB protocol, while less efficient than other methods, proved effective when deployed from a device on which security monitoring tools could not run. This traffic went undetected by the organization's security monitoring systems, allowing the threat actors to encrypt files across the victim's network.

Security experts recommend implementing network segmentation for IoT devices, performing regular internal network audits, maintaining strict patch management practices for all connected devices, changing default passwords on IoT equipment, and powering off such devices when not in use to mitigate this emerging threat vector.
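The monitoring gap in this incident was SMB (and earlier RDP) traffic sourced from devices that cannot run EDR. The following is an added detection example, not code from S-RM or the article: it runs a simple rule over constructed flow-log lines and flags SMB/RDP flows whose source is a known IoT device, plus any other IoT-to-server flow as a segmentation violation. All IP addresses, hostnames and log records are constructed for the example.

```python
# Added example (not from the S-RM report or the article): flag SMB/RDP
# sessions originating from IoT devices, the traffic that went unnoticed
# in the incident above. Asset inventory and log lines are constructed.
import csv
import io

# Constructed asset inventory: IoT devices (no EDR possible) and the Windows
# servers that were targeted. A real deployment would pull this from a CMDB,
# DHCP or NAC data rather than a hard-coded table.
IOT_HOSTS = {"10.20.5.41": "lobby-webcam", "10.20.5.42": "fingerprint-scanner"}
WINDOWS_SERVERS = {"10.10.1.15": "FS01", "10.10.1.16": "DC01"}
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed flow log (Zeek-style fields as CSV): ts, src, dst, dst_port, bytes_out.
SAMPLE_LOG = """\
ts,src,dst,dst_port,bytes_out
1741593600,10.20.5.41,10.20.5.1,53,120
1741593610,10.20.5.41,10.10.1.15,445,8388608
1741593620,10.30.2.7,10.10.1.15,445,4096
1741593630,10.20.5.42,10.10.1.16,3389,65536
1741593640,10.20.5.41,203.0.113.9,443,512
1741593650,10.20.5.42,10.10.1.15,80,300
"""

def flag_iot_lateral_movement(log_text):
    """Return alerts, in log order, for suspicious flows sourced from IoT devices.

    An IoT device has no business reason to speak SMB or RDP to anything, so
    those flows are rated high regardless of destination. Any other flow from
    an IoT device to a Windows server is rated medium as a segmentation violation.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst, port = row["src"], row["dst"], int(row["dst_port"])
        if src not in IOT_HOSTS:
            continue  # workstation/server traffic is out of scope for this rule
        if port in LATERAL_PORTS:
            alerts.append({"severity": "high", "device": IOT_HOSTS[src], "dst": dst,
                           "proto": LATERAL_PORTS[port], "bytes_out": int(row["bytes_out"])})
        elif dst in WINDOWS_SERVERS:
            alerts.append({"severity": "medium", "device": IOT_HOSTS[src], "dst": dst,
                           "proto": f"tcp/{port}", "bytes_out": int(row["bytes_out"])})
    return alerts

if __name__ == "__main__":
    for alert in flag_iot_lateral_movement(SAMPLE_LOG):
        print(alert)
```

Against the constructed log the rule ignores the webcam's DNS and HTTPS flows and the workstation's SMB session, and raises two high alerts (webcam to FS01 over SMB, scanner to DC01 over RDP) and one medium alert (scanner to FS01 on tcp/80).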
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 10 Mar 2025 08:35:11 +0000