Ethical Hacking News
CISA has warned that the Akira ransomware operation has expanded its attack capabilities to target Nutanix AHV virtual machines. The alert highlights the exposure of organizations running Linux-based virtualization solutions and underscores the importance of proactive security measures. To minimize the risk of falling victim to a ransomware attack, it is crucial for businesses to implement regular security audits, ensure that all software and systems are up to date, enforce multifactor authentication, regularly back up data, and limit access to sensitive data and systems.
The Akira ransomware operation has expanded its attack capabilities to target Nutanix AHV virtual machines. The vulnerability exploited by Akira is CVE-2024-40766, an Improper Access Control (CWE-284) flaw reported by SonicWall. The attack vector for Nutanix AHV is more direct than in previous attacks on VMware ESXi and Hyper-V virtual machines. The Akira ransomware has been linked to several high-profile breaches in recent months, including attacks on corporate networks and Veeam Backup & Replication servers. Organizations are advised to implement mitigations such as regular offline backups, enforced multifactor authentication, and quick patching of known exploited vulnerabilities.
CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners have issued a joint advisory warning that the Akira ransomware operation has expanded its attack capabilities to target Nutanix AHV virtual machines. The alert marks a significant escalation in the threat landscape for organizations running Linux-based virtualization solutions.
The advisory highlights the Akira ransomware's ability to encrypt the disk files of Nutanix AHV virtual machines, exploiting an Improper Access Control weakness (CWE-284) tracked as CVE-2024-40766. This vulnerability was discovered by SonicWall, and it has been exploited by Akira threat actors to gain unauthorized access to Nutanix VMs.
The attack vector used by Akira differs from its previous attacks on VMware ESXi and Hyper-V virtual machines. In those attacks the ransomware gang shut down virtual machines before encrypting their disks; the approach taken for Nutanix AHV is more direct. The attackers encrypt the .qcow2 disk image files used by Nutanix AHV without first using the platform's acli or ncli commands to power down the VMs.
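In-place encryption of .qcow2 files of the kind described above leaves a fingerprint a defender can check for: every qcow2 image begins with a fixed magic sequence and a version field, so a sweep of the image store can tell a still-valid disk image from one whose header has been overwritten with ciphertext. The script below is an added example for this article, not code from the advisory, CISA or Nutanix. The magic bytes and version field come from the qcow2 format specification; the directory layout, file names, entropy threshold and the constructed sample files are assumptions made for the example.

```python
import math
import os
import struct
import tempfile
from collections import Counter

# qcow2 format constants (QEMU qcow2 specification): every image starts with the
# magic bytes "QFI\xfb" followed by a big-endian 32-bit version number (2 or 3).
QCOW2_MAGIC = b"QFI\xfb"
QCOW2_VERSIONS = (2, 3)
HEADER_LEN = 512  # only the first 512 bytes are read, so a frequent sweep stays cheap
ENTROPY_ALERT = 7.0  # bits per byte; encrypted data sits near 8.0, real headers far lower (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_image_header(header: bytes) -> str:
    """Classify the leading bytes of a .qcow2 file.

    'ok'                 -> valid magic and version, low-entropy header
    'bad-magic'          -> header no longer parses as qcow2 (in-place encryption or truncation)
    'suspicious-entropy' -> magic intact but the header bytes look random (worth a closer look)
    """
    if len(header) < 8:
        return "bad-magic"
    magic, version = struct.unpack(">4sI", header[:8])
    if magic != QCOW2_MAGIC or version not in QCOW2_VERSIONS:
        return "bad-magic"
    if shannon_entropy(header) > ENTROPY_ALERT:
        return "suspicious-entropy"
    return "ok"


def scan_image_store(root: str) -> dict:
    """Walk `root` and map every .qcow2 file path to its classification."""
    verdicts = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".qcow2"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdicts[path] = classify_image_header(fh.read(HEADER_LEN))
    return verdicts


def build_demo_store() -> str:
    """Constructed sample data (not real images): one healthy header, one encrypted-looking file."""
    root = tempfile.mkdtemp(prefix="ahv-images-")
    healthy = QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * (HEADER_LEN - 8)
    with open(os.path.join(root, "vm-disk-0.qcow2"), "wb") as fh:
        fh.write(healthy)
    # Deterministic stand-in for ciphertext: 167 is coprime with 256, so every byte value
    # appears equally often across 512 bytes and the entropy is exactly 8 bits per byte.
    ciphertext_like = bytes((i * 167 + 59) % 256 for i in range(HEADER_LEN))
    with open(os.path.join(root, "vm-disk-1.qcow2"), "wb") as fh:
        fh.write(ciphertext_like)
    return root


def demo() -> dict:
    """Scan the constructed store and key the verdicts by file name for readability."""
    root = build_demo_store()
    return {os.path.basename(p): v for p, v in scan_image_store(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

Point `scan_image_store` at the directory where the hypervisor keeps its disk images and alert on anything other than `ok`. Reading only the first 512 bytes keeps the sweep fast enough to run every few minutes, but an encryptor that skips the header would pass the magic check, so this belongs alongside periodic hashing of known-good images or checksum comparison against the last verified backup rather than in place of it.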
The Akira ransomware has been linked to several high-profile breaches in recent months, including attacks on corporate networks and organizations that rely heavily on Veeam Backup & Replication servers. The attackers have employed various tools, such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts, to perform reconnaissance, spread laterally within the network, and establish persistence.
The "Megazord" tool previously associated with Akira operations appears to have been abandoned since 2024. However, the group has exfiltrated sensitive data in as little as two hours during some attacks, and it relies on tunneling tools such as Ngrok to establish encrypted channels that bypass perimeter monitoring.
In light of these new indicators of compromise and tactics observed by investigators, CISA and the FBI recommend that organizations take immediate action to secure their systems. The joint advisory includes recommendations for implementing mitigations, including regular offline backups, enforced multifactor authentication, and quick patching of known exploited vulnerabilities.
The attack highlights the need for organizations to prioritize security measures for Linux-based virtualization solutions, particularly Nutanix AHV. As the threat landscape continues to evolve, it is essential for businesses to stay vigilant and adapt their defenses accordingly.
In recent years, ransomware attacks have become increasingly sophisticated, with attackers employing a range of tactics to breach networks and encrypt data. The expansion of Akira's attack capabilities to target Nutanix VMs underscores the importance of proactive security measures and the need for organizations to invest in robust threat intelligence.
To minimize the risk of falling victim to such an attack, it is crucial for businesses to:
1. Implement regular security audits and vulnerability assessments.
2. Ensure that all software and systems are up-to-date with the latest patches and updates.
3. Enforce multifactor authentication for all users and systems.
4. Regularly back up data and ensure that backups can be restored quickly in case of an attack.
5. Limit access to sensitive data and systems.
By taking these steps, organizations can significantly reduce their risk of falling victim to a ransomware attack. The joint advisory from CISA, the FBI, DC3, HHS, and international partners serves as a timely reminder of the importance of prioritizing security measures for all systems, including Linux-based virtualization platforms.
In conclusion, the Akira ransomware's targeting of Nutanix AHV VMs marks a significant escalation in the threat landscape. As organizations continue to rely on Linux-based virtualization solutions, it is essential to prioritize security measures and stay vigilant in the face of evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Growing-Akira-Ransomware-Threat-to-Nutanix-VMs-and-Other-Linux-Based-Virtualization-Platforms-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
https://www.picussecurity.com/resource/blog/akira-ransomware-analysis-simulation-and-mitigation-cisa-alert-aa24-109a
https://nvd.nist.gov/vuln/detail/CVE-2024-40766
https://www.cvedetails.com/cve/CVE-2024-40766/
Published: Thu Nov 13 16:43:02 2025 by llama3.2 3B Q4_K_M