
In a recent and sophisticated cyberattack, the Akira ransomware group leveraged an unsecured Linux-based webcam to infiltrate a corporate network. By exploiting this overlooked IoT device, the attackers successfully bypassed traditional Endpoint Detection and Response (EDR) solutions, ultimately encrypting network shares and causing widespread damage. This incident underscores the growing risk of IoT-based attack vectors and highlights the urgent need for organizations to implement robust security measures for their connected devices.
As enterprises continue to integrate IoT devices into their infrastructure, securing these endpoints is critical to preventing lateral movement by adversaries. Learn how attackers exploited an IoT device, the implications of such an attack, and how Sumo Logic’s First Seen and Outlier rules can be used to detect these threats before they escalate into a ransomware incident.
Understanding the threat
How the Akira group compromised the webcam
The attack began when the ransomware operators identified an unsecured Linux-based webcam within the corporate network. By exploiting default or weak credentials, the attackers gained initial access to the device. Once inside, they used the compromised webcam to:
Mount Windows Server Message Block (SMB) shares from other devices within the network.
Deploy their Linux-based ransomware encryptor directly from the IoT device.
Encrypt data stored on network shares without triggering EDR solutions designed to monitor traditional endpoints.
Since IoT devices often lack robust logging and monitoring capabilities, the attackers were able to operate undetected, bypassing endpoint security measures designed to detect and prevent ransomware execution.
Implications of IoT-based attacks on organizational security
This incident highlights several critical concerns for organizations:
Unmonitored attack surfaces: Many IoT devices are deployed without proper security controls, making them ideal entry points for adversaries.
Lateral movement: Once an attacker compromises an IoT device, they can pivot within the network to target high-value assets.
EDR blind spots: Traditional endpoint protection solutions are not designed to monitor IoT devices, creating an opportunity for attackers to evade detection.
Increased ransomware risk: As ransomware operators adopt more sophisticated techniques, organizations must be prepared to detect anomalies in network behavior rather than relying solely on endpoint-based defenses. This proactive approach enables the correlation of disparate indicators, enhancing the ability to detect and respond to complex ransomware threats effectively.
Leveraging Sumo Logic for detection
Outlier rule: Monitoring unusual SMB traffic from IoT devices
One of the key advantages of outlier-based detections in Sumo Logic Cloud SIEM is the flexibility to identify anomalous behavior across entities such as users, IP addresses, or devices without the complexity these use cases traditionally involve.
Knowing your IoT devices is key to effectively detecting suspicious activity around them. To reduce noise and enhance your detection accuracy, we can leverage Sumo Logic’s match lists designed to track known IoT device IPs. This allows your security team to prioritize true anomalies while filtering out benign traffic from authorized devices.
The rule below monitors for anomalous Server Message Block (SMB) traffic originating from IoT devices within the network. IoT devices typically do not engage in SMB communication, as they are designed for specific, constrained functions such as environmental monitoring, automation, or networked appliances. Unusual SMB traffic from these devices may indicate potential security risks, such as unauthorized file access attempts, lateral movement, or compromise by malware.

First seen rule: Detecting unauthorized mounting of network shares
The rule below monitors unauthorized network share mounting, which can be an indicator of potential data exfiltration, lateral movement, or unauthorized access attempts. Network shares (e.g., SMB or NFS mounts) are commonly used for file storage and collaboration but abnormal mounting—especially from previously unseen devices, service accounts, or external sources—may suggest misconfiguration, credential misuse, or an active threat actor attempting to access sensitive data.

Outlier rule: Identifying abnormal increases in network traffic from IoT devices
The rule below fires when a larger than typical amount of data is observed being sent outbound from an IoT device. It is recommended to investigate the device associated with the source IP, the Internet destinations, and the traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the time window of the detection will help identify suspicious activity.

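As an added illustration of the two outlier rules above (unusual SMB traffic and an abnormal increase in outbound traffic from IoT devices), the following Python script is not Sumo Logic's rule syntax or code: it shows the underlying logic of a per-entity outlier check restricted to an IoT match list. The match list, the IP addresses, the flow records, the metric definitions and the z-score scoring method are all assumptions constructed for the example; how Cloud SIEM scores an outlier internally is not stated on this page.

```python
"""Per-entity outlier detection over constructed flow records.

Added illustration (not Sumo Logic's rule syntax): models what the two
outlier rules describe, SMB connections and outbound bytes from IoT
devices, compared against each device's own daily baseline and restricted
to IPs on a constructed IoT match list.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for a Cloud SIEM match list of known IoT device IPs.
IOT_MATCH_LIST = {"10.0.5.21", "10.0.5.22"}
SMB_PORT = 445


def flow(day, src, dst, dport, nbytes):
    return {"day": day, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed flow log: days 1-6 are baseline, day 7 is the detection window.
FLOWS = []
for day in range(1, 8):
    # Two cameras send small daily heartbeats to a (constructed) cloud host.
    FLOWS.append(flow(day, "10.0.5.21", "203.0.113.10", 443, 20_000 + day * 500))
    FLOWS.append(flow(day, "10.0.5.22", "203.0.113.10", 443, 18_000))
    # A workstation talks SMB to the file server every day; not on the match list, so ignored.
    FLOWS.append(flow(day, "10.0.1.50", "10.0.1.5", SMB_PORT, 1_000_000))
# Day 7: camera 10.0.5.21 opens 12 SMB sessions to the file server and pushes
# 50 MB to an external host (constructed, mirroring the described intrusion).
for _ in range(12):
    FLOWS.append(flow(7, "10.0.5.21", "10.0.1.5", SMB_PORT, 4_096))
FLOWS.append(flow(7, "10.0.5.21", "198.51.100.7", 443, 50_000_000))


def smb_connections(day_flows):
    """Metric 1: number of SMB flows a device originated that day."""
    return sum(1 for f in day_flows if f["dport"] == SMB_PORT)


def outbound_bytes(day_flows):
    """Metric 2: bytes sent to destinations outside 10.0.0.0/8 (the sample's internal range)."""
    return sum(f["bytes"] for f in day_flows if not f["dst"].startswith("10."))


def daily_series(flows, metric, iot_ips):
    """Return ({ip: [metric value per day]}, days) for match-list IPs; a day with no flows scores 0."""
    days = sorted({f["day"] for f in flows})
    per_ip_day = defaultdict(lambda: defaultdict(list))
    for f in flows:
        if f["src"] in iot_ips:
            per_ip_day[f["src"]][f["day"]].append(f)
    return {ip: [metric(by_day[d]) for d in days] for ip, by_day in per_ip_day.items()}, days


def outliers(flows, metric, iot_ips, min_baseline_days=5, z_threshold=3.0):
    """Flag IoT IPs whose metric on the latest day sits z_threshold or more standard deviations above their baseline.

    A flat baseline (sigma == 0) is the normal case for IoT devices, e.g. zero SMB
    connections every day; any increase above it is treated as an outlier instead of
    dividing by zero. Devices with too little history are skipped rather than alerted on.
    """
    series, days = daily_series(flows, metric, iot_ips)
    findings = []
    for ip, values in series.items():
        baseline, current = values[:-1], values[-1]
        if len(baseline) < min_baseline_days:
            continue  # still learning this device; do not alert yet
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if z >= z_threshold:
            findings.append({"ip": ip, "day": days[-1], "value": current,
                             "baseline_mean": mu, "z": z})
    return findings


if __name__ == "__main__":
    for name, metric in (("smb_connections", smb_connections), ("outbound_bytes", outbound_bytes)):
        for hit in outliers(FLOWS, metric, IOT_MATCH_LIST):
            print(f"[{name}] {hit['ip']} day {hit['day']}: {hit['value']} "
                  f"vs baseline mean {hit['baseline_mean']:.0f} (z={hit['z']:.1f})")
```

Run as-is, the script reports only the camera 10.0.5.21 under both metrics: its SMB count jumps from a flat zero baseline to 12, and its outbound bytes from roughly 22 KB per day to about 50 MB. The second camera, whose traffic is unchanged, and the workstation, which is not on the match list, produce nothing, which is the noise-reduction effect the match list is meant to provide.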
First seen rule: Flagging execution of unrecognized processes on IoT devices
The rule below monitors for the execution of previously unseen or unauthorized processes on IoT devices, which can be a strong indicator of compromise, unauthorized software installations, or exploitation attempts. Unlike traditional endpoints, IoT devices typically run a limited and predictable set of processes designed for their specific functions, such as automation, monitoring, or communication. The presence of new or unrecognized binaries executing on these devices may suggest a malware infection, unauthorized firmware modification, or an attacker attempting to establish persistence.

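As an added illustration of the two first-seen rules above (a network share mounted by a previously unseen client, and a previously unseen process executing on an IoT device), the following Python script is not Sumo Logic's rule syntax or code: one generic routine keyed on an entity/value pair serves both cases. The event fields, share names, client names, device name and process names are constructed assumptions; the learning-period behaviour (skip entities that have no baseline yet) is a design choice of this example, not a documented Cloud SIEM setting.

```python
"""First-seen detection over constructed event records.

Added illustration (not Sumo Logic's rule syntax): models what the two
first-seen rules describe, a share mounted by a client never seen mounting
it before and a process name never seen on an IoT device before, with one
generic routine keyed on an entity/value pair.
"""
from collections import defaultdict


def first_seen(events, entity_key, value_key, current_day, baseline_days):
    """Return values seen on current_day that never appeared for the same entity in the preceding baseline_days.

    Entities with no baseline history (a device or share that appeared today) are skipped:
    a first-seen rule that fires on every brand-new entity would page on every deployment.
    Repeats of the same new value within the current day are reported once.
    """
    seen = defaultdict(set)
    for e in events:
        if current_day - baseline_days <= e["day"] < current_day:
            seen[e[entity_key]].add(e[value_key])
    findings, reported = [], set()
    for e in events:
        if e["day"] != current_day:
            continue
        entity, value = e[entity_key], e[value_key]
        if entity not in seen:
            continue  # learning period: no baseline for this entity yet
        if value in seen[entity] or (entity, value) in reported:
            continue
        reported.add((entity, value))
        findings.append({"entity": entity, "value": value, "day": current_day,
                         "baseline_values": sorted(seen[entity])})
    return findings


# Constructed share-mount events (as a file-server audit log might yield). Days 1-6 are baseline.
MOUNT_EVENTS = []
for day in range(1, 7):
    MOUNT_EVENTS += [
        {"day": day, "share": "fileserver01/finance", "client": "ws-acct-01"},
        {"day": day, "share": "fileserver01/finance", "client": "ws-acct-02"},
    ]
MOUNT_EVENTS += [
    {"day": 7, "share": "fileserver01/finance", "client": "ws-acct-01"},  # known client
    {"day": 7, "share": "fileserver01/finance", "client": "10.0.5.21"},   # webcam IP, never mounted it before
    {"day": 7, "share": "fileserver01/finance", "client": "10.0.5.21"},   # repeat, reported once
    {"day": 7, "share": "fileserver02/scratch", "client": "ws-acct-03"},  # new share: no baseline, skipped
]

# Constructed process-start events from an IoT device's agent or syslog.
PROCESS_EVENTS = []
for day in range(1, 7):
    PROCESS_EVENTS += [
        {"day": day, "device": "cam-lobby-01", "process": "streamd"},
        {"day": day, "device": "cam-lobby-01", "process": "ntpd"},
    ]
PROCESS_EVENTS += [
    {"day": 7, "device": "cam-lobby-01", "process": "streamd"},
    {"day": 7, "device": "cam-lobby-01", "process": "unknown-elf"},  # placeholder name, constructed
]


def detect_mounts(events=MOUNT_EVENTS, current_day=7, baseline_days=6):
    """Entity = share, value = mounting client."""
    return first_seen(events, "share", "client", current_day, baseline_days)


def detect_processes(events=PROCESS_EVENTS, current_day=7, baseline_days=6):
    """Entity = IoT device, value = process name."""
    return first_seen(events, "device", "process", current_day, baseline_days)


if __name__ == "__main__":
    for hit in detect_mounts():
        print(f"share {hit['entity']} mounted by never-seen client {hit['value']} on day {hit['day']}")
    for hit in detect_processes():
        print(f"device {hit['entity']} ran never-seen process {hit['value']} on day {hit['day']}")
```

The two findings this produces are the webcam IP mounting the finance share and the unrecognized binary on the camera; the known workstation, the repeated mount and the brand-new share on day 7 are all suppressed. Lengthening the baseline window trades a longer learning period for fewer false positives from rarely-seen but legitimate clients or processes.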
Final thoughts and next steps
The Akira ransomware attack demonstrates the growing risk that unsecured IoT devices pose to enterprise security. As attackers continue to evolve their tactics, leveraging IoT endpoints as stealthy entry points to evade traditional defenses, you need detection strategies that extend beyond reliance on EDR solutions. Instead of struggling with the complexity of traditional security analytics, security teams need a flexible platform that can identify these threats in real time, without requiring extensive rule tuning or manual correlation across disparate data sources.
Sumo Logic’s First Seen and Outlier rule primitives provide a powerful, flexible approach to identifying early indicators of compromise, detecting anomalous behavior, and mitigating IoT-based threats before they escalate. Whether it’s:
Outlier Rules identifying unusual SMB traffic or abnormal network spikes from IoT devices
First Seen Rules detecting unauthorized network share mounts or the execution of previously unseen processes
These detection techniques help security teams gain visibility into non-traditional attack surfaces, detect lateral movement early, and close critical security gaps.
By leveraging Sumo Logic, customers can rapidly deploy effective detection rules that adapt to emerging threats without the operational complexity typically associated with traditional UEBA solutions. Unlike legacy SIEMs, which rely on manual, complex processes (lookups, multiple queries, and so on) that often require heavy data modeling and extensive tuning, Sumo Logic’s First Seen and Outlier primitives provide lightweight, scalable anomaly detection!
Contact us for a live demo of Cloud SIEM, or evaluate if your SIEM solution is protecting your environment.