This week, we briefed our clients on an update to the FBI/CISA #StopRansomware: Akira Ransomware advisory that focused on newly observed campaign TTPs.
KEY TAKEAWAYS
New TTPs revealed by CISA and FBI joint advisory. Learn how to protect your organization.
Critical and high-severity vulnerabilities in Fortinet, SAP, and QNAP, plus updates to CISA KEV, patch now!
On November 13, CISA, the FBI, and other international partners issued updates to their cybersecurity advisory: #StopRansomware: Akira Ransomware. The updates to this advisory include new tactics, techniques, and procedures (TTPs) observed during recent Akira ransomware campaigns. Akira has become one of the most prolific ransomware groups, with over 1100 claimed victims in a variety of industry verticals and countries, and has extorted over $240 million in ransomware proceeds. This article will highlight the newly observed TTPs so organizations can protect themselves against this ever-present and growing threat.
Initial Access
Akira is known for gaining initial access to organizations by compromising VPN devices. This is accomplished either through remote exploitation of known vulnerabilities, or by abusing compromised accounts where multi-factor authentication is not configured. Most notably, Akira has been observed heavily targeting CVE-2024-40766, an access control vulnerability in SonicWall SonicOS. The updated TTPs also stress that Akira is heavily leveraging brute-force attacks against VPNs, as well as compromised accounts obtained via initial access brokers.
Persistence and Discovery
This phase of the Akira attack is very standard for most ransomware intrusions. Akira has been observed using techniques such as Kerberoasting to extract stored credentials, as well as common hacking tools such as Mimikatz and LaZagne for privilege escalation. Akira is known to create new domain accounts for persistence. They also use common tools such as SoftPerfect, Advanced IP Scanner, and NetScan to facilitate network discovery.
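The Kerberoasting activity described above leaves a recognizable trace on the domain controller: a single account requesting service tickets (Windows Security event 4769) for many different service accounts in a short window, typically with the RC4-HMAC encryption type (TicketEncryptionType 0x17). The following is an added example, not part of the advisory or of PacketWatch's tooling, that runs that detection logic over constructed sample 4769 events; the field names mirror the 4769 event, while the event data, the 10-minute window and the five-service threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample events shaped like Windows Security event 4769
# (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, timestamp).
# These are made-up records, not real log data.
SAMPLE_4769 = [
    {"t": "2025-11-14T09:00:01", "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.21"},
    {"t": "2025-11-14T09:00:02", "user": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.21"},
    {"t": "2025-11-14T09:00:02", "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.21"},
    {"t": "2025-11-14T09:00:03", "user": "jdoe@CORP.LOCAL", "service": "svc_sccm", "etype": "0x17", "ip": "10.0.0.21"},
    {"t": "2025-11-14T09:00:03", "user": "jdoe@CORP.LOCAL", "service": "svc_ca", "etype": "0x17", "ip": "10.0.0.21"},
    {"t": "2025-11-14T09:00:04", "user": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x17", "ip": "10.0.0.21"},
    # Ordinary user: AES tickets (0x12) for a couple of services.
    {"t": "2025-11-14T09:10:00", "user": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.44"},
    {"t": "2025-11-14T09:10:05", "user": "asmith@CORP.LOCAL", "service": "svc_web", "etype": "0x12", "ip": "10.0.0.44"},
    # Legacy client: RC4, but only one service all day.
    {"t": "2025-11-14T11:00:00", "user": "legacy@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.99"},
]


def kerberoast_candidates(events, window=timedelta(minutes=10), min_services=5):
    """Return {user: finding} for accounts that requested RC4 service tickets
    for at least `min_services` distinct service accounts within `window`.

    Computer accounts (names ending in '$') and krbtgt are excluded because
    they are not the targets of a Kerberoasting attack and only add noise.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["t"]), svc, e["ip"]))

    findings = {}
    for user, reqs in per_user.items():
        reqs.sort()  # chronological order so the sliding window below works
        for i, (t0, _, ip) in enumerate(reqs):
            in_window = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                findings[user] = {
                    "services": sorted(in_window),
                    "source_ip": ip,
                    "window_start": t0.isoformat(),
                }
                break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, finding in kerberoast_candidates(SAMPLE_4769).items():
        print(f"[ALERT] possible Kerberoasting by {user} from {finding['source_ip']}: "
              f"{len(finding['services'])} RC4 service tickets from {finding['window_start']}")
```

On the sample data only jdoe trips the rule (five distinct RC4 service tickets in a few seconds); the AES-only user and the single legacy RC4 request do not. Raising the threshold or shortening the window trades sensitivity for fewer false positives from legitimate batch jobs.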
Lateral Movement
Akira abuses known vulnerabilities in backup infrastructure and virtualization environments. For example, Akira has exploited CVE-2023-27532 and CVE-2024-40711 in Veeam products to compromise backups. Akira uses commercial remote access tools such as AnyDesk or LogMeIn, as well as RDP, SSH, and MobaXterm to pivot through the victim network.
Privilege Escalation
One very notable technique leveraged by Akira in recent reports is bypassing Virtual Machine Disk (VMDK) file protection by temporarily powering down the domain controller's VM, copying the VMDK files, and then attaching them to a newly created VM, allowing them to extract the NTDS.dit file and SYSTEM hive.
Command and Control
The updated advisory shows Akira has been observed leveraging Ngrok for establishing encrypted tunnels and bypassing network monitoring.
Execution
One of the more notable updates in this advisory is Akira's ability to encrypt Nutanix AHV VM disk files. Previously, their encryptor only targeted VMware ESXi and Hyper-V virtualization, but this new capability expands the potential impact of their encryption.
Data Exfiltration
Akira is a double-extortion group, where they will steal sensitive data before they trigger encryption. They will then use the threat of publishing the stolen data on their leak page as a second means of extortion. Akira has been observed using common file transfer tools such as FileZilla, WinSCP, and RClone, often sending the stolen data to cloud storage services like Mega. Recent reports show Akira exfiltrating data within two hours of initial access.
How to Protect Your Organization
One thing that stands out about Akira's TTPs is the lack of innovation. They do not use 0-days. They do not use custom tooling. Their entire attack lifecycle is extremely straightforward and basic. This means protecting your organization against this threat centers on security best practices:
Administrators are strongly encouraged to read the full joint advisory here for a comprehensive list of Akira TTPs.
Resources:
Vulnerability Roundup
After much speculation, Fortinet has finally confirmed the existence of a 0-day flaw in FortiWeb. Tracked as CVE-2025-64446, the flaw is a path traversal vulnerability in FortiWeb's GUI component, which can allow unauthenticated attackers to execute administrative commands via HTTP or HTTPS requests. This vulnerability has been confirmed to be exploited in the wild, potentially as far back as early October. Reports like this one from PwnDefend show threat actors are abusing this vulnerability to create local 'admin' user accounts. Administrators are urged to patch immediately. Additionally, per the vendor, it is recommended that the HTTP/HTTPS management interface be accessible only internally. Below are the affected versions and their respective fixed versions:
PacketWatch query for FortiWeb exploit IOCs:
*.ip:(107.152.41.19 OR 144.31.1.63 OR 89.169.55.168 OR 185.192.70.33 OR 185.192.70.53 OR 185.192.70.43 OR 185.192.70.25 OR 185.192.70.36 OR 185.192.70.49 OR 185.192.70.39 OR 185.192.70.57 OR 185.192.70.50 OR 185.192.70.46 OR 185.192.70.31 OR 64.95.13.8)
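The query above uses a wildcard field (`*.ip`), so it matches the indicator addresses whether they appear as source or destination. For teams without the PacketWatch platform, the following is an added example (not the article's or Fortinet's code) that applies the same indicator list to raw log lines: it pulls every IPv4 address out of each line and flags the line if any of them is in the IOC set. The indicator IPs are the ones listed in the query; the log lines are constructed samples in a generic key=value style, not real FortiWeb output.

```python
import ipaddress
import re

# IP indicators copied from the FortiWeb (CVE-2025-64446) IOC query above.
FORTIWEB_IOC_IPS = {
    "107.152.41.19", "144.31.1.63", "89.169.55.168", "185.192.70.33",
    "185.192.70.53", "185.192.70.43", "185.192.70.25", "185.192.70.36",
    "185.192.70.49", "185.192.70.39", "185.192.70.57", "185.192.70.50",
    "185.192.70.46", "185.192.70.31", "64.95.13.8",
}

# Constructed sample log lines (assumed key=value format; not real device output).
SAMPLE_LOGS = [
    "date=2025-11-14 time=10:01:02 srcip=185.192.70.33 dstip=10.0.0.5 method=POST url=/api/ status=200",
    "date=2025-11-14 time=10:01:09 srcip=203.0.113.7 dstip=10.0.0.5 method=GET url=/login status=200",
    "date=2025-11-14 time=10:02:15 srcip=10.0.0.9 dstip=64.95.13.8 method=GET url=/ status=302",
    "malformed line with no addresses in it",
]

# Loose IPv4 shape; ipaddress does the real validation so 999.1.1.1 is dropped.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(line: str) -> set:
    """Return every syntactically valid IPv4 address found in a log line."""
    found = set()
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue
        found.add(candidate)
    return found


def match_iocs(lines, iocs=FORTIWEB_IOC_IPS):
    """Return [(line_number, sorted_matched_ips, line)] for every line that
    contains an indicator address in any position (source or destination),
    mirroring the *.ip wildcard in the platform query."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = extract_ips(line) & iocs
        if matched:
            hits.append((n, sorted(matched), line))
    return hits


if __name__ == "__main__":
    for n, ips, line in match_iocs(SAMPLE_LOGS):
        print(f"line {n}: IOC match {', '.join(ips)} -> {line}")
```

A hit on an inbound source address suggests exploitation attempts against the management interface; a hit on an outbound destination is the more urgent case, since it may indicate an already-compromised host calling back. Either way, a match is a trigger for investigation, not proof of compromise on its own.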
Among the multiple vulnerabilities addressed in the November security updates for SAP are a maximum-severity flaw in the non-GUI variant of SQL Anywhere Monitor and a critical code injection flaw in the Solution Manager platform. The maximum-severity flaw in SQL Anywhere Monitor is tracked as CVE-2025-42890 and is the result of hardcoded credentials, allowing attackers to potentially access administrative functions and execute arbitrary code on the system. The code injection flaw in Solution Manager is tracked as CVE-2025-42887 and allows an "authenticated attacker to insert malicious code when calling a remote-enabled function module."
QNAP has addressed seven 0-days across a range of their products that were discovered in the Pwn2Own Ireland 2025 competition. The new vulnerabilities impact QNAP QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849), Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840 and CVE-2025-62842). Per the vendor, administrators are urged to patch to the latest versions as soon as possible and rotate passwords:
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.