Akira responsible for attack on South Westphalia IT and municipalities

B2B Cyber Security ShortNews

Now it is definitely clear: The Akira group and its ransomware attacked South Westphalia IT in October, paralyzing 70 to 100 municipalities. The service provider is now working through the attack and reveals that it all started with a VPN attack.

The attack on Südwestfalen IT – SIT started on October 30, 2023 and has kept those responsible on their toes to date. According to SIT, they are still working through the action plan and want to be back to normal operations by the end of Q1 2024. Some municipalities are already reporting that they could work almost normally again.

Akira attack paralyzed the municipalities

The service provider SIT has now disclosed how the attack on the company unfolded. It all started with an attack via VPN. According to SIT, this is what happened: “South Westphalia IT noticed the first encrypted files on the night of Sunday, October 29, 2023 to Monday, October 30, 2023. The file extension .akira indicates the ransomware group “Akira”.

The attackers gained access to the internal network via a software-based VPN solution with a zero-day vulnerability that did not require multifactor authentication. How the required credentials were obtained could not be conclusively clarified. According to the forensics report, a brute force attack may have taken place. Security holes in intra.lan allowed the attackers to escalate their privileges up to domain administrator authorization. The attackers' activities focused on the Windows domain intra.lan, which manages central systems and important specialist processes for all Südwestfalen-IT customers. Other domains were not affected.”
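The forensic report quoted above leaves open whether the VPN credentials were brute-forced, which is exactly the pattern a defender should be able to spot in VPN authentication logs before a login succeeds. The following is an added example, not code from the SIT report or from Südwestfalen-IT: it runs a simple sliding-window check over constructed log lines (the `<timestamp> <result> user=<name> src=<ip>` format and the sample entries are assumptions made for this illustration) and raises an alert when one source address accumulates repeated failures, and again when a success follows such a burst. The page itself names the real remedy, multifactor authentication; this logic only surfaces the symptom.

```python
"""Flag possible brute-force logins in VPN authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed line format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2023-10-28T22:10:01 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:10:03 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:10:05 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:10:07 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:10:09 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:10:11 FAIL user=jdoe src=203.0.113.5
2023-10-28T22:11:30 OK user=jdoe src=203.0.113.5
2023-10-28T22:15:00 OK user=asmith src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, src, user, timestamp) tuples.

    'burst' fires when a source reaches `threshold` failures inside `window`;
    'success_after_failures' fires when a successful login from that source
    follows at least `threshold` failures still inside the window.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort()  # evaluate in chronological order
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in events:
        # Drop failures that have aged out of the window for this source.
        recent = [t for t in failures[src] if ts - t <= window]
        failures[src] = recent
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("burst", src, user, ts))
        elif result == "OK" and len(recent) >= threshold:
            alerts.append(("success_after_failures", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs; a success following a burst is the higher-priority signal, since it is the point at which a missing second factor turns a guessing attempt into network access.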

Quick response prevented spread

By its own account, Südwestfalen-IT contained the attack by immediately shutting down and isolating the affected systems. External, BSI-certified cyber security experts were commissioned directly to carry out the forensic investigation and rebuild the infrastructure. “The fact is that the data center was not able to fend off the attack,” said association director Theo Melcher. “The findings from the forensic report will now be used to further strengthen the security of IT systems in all network areas and domains. At the same time, the forensic report can help others learn from the incident at Südwestfalen-IT. The transparency we create by publishing the report benefits everyone.”

No evidence of data leakage

🔎 The Akira leak page currently does not list any data from the SIT site or from its network (Image: B2B-CS).

During the intensive forensic investigations carried out by the commissioned cyber security experts and the continuous monitoring of the dark web using special software, no evidence of data leakage or data publication could be found. The South Westphalia IT data backups are intact and will be gradually made available to the municipalities again.

The current case shows that a classic VPN as the sole gateway should be a thing of the past for a provider of this size. Zero Trust Network Access (ZTNA) addresses the problem. However, it must also be said that a 0-day vulnerability in the VPN was responsible for Akira's intrusion.

Akira's own leak page shows no information on Südwestfalen IT – SIT – neither in the list of current attacks nor in the list of published data. SIT could therefore be right that no data was leaked.
