Akira Ransomware Exploits Webcams: New Attack Vector for Threat Actors

Akira ransomware now uses webcams to bypass EDR. Learn how this new vector impacts cyber insurance risk and what brokers and CISOs must do now.


The cyber insurance landscape is built on assumptions—assumptions about which controls work, which devices are safe, and which attack vectors are too exotic to matter. Akira ransomware just shattered one of those assumptions. In early March 2025, researchers documented a novel deployment chain where Akira uses compromised IP cameras to deliver ransomware, bypassing endpoint detection and response (EDR) systems entirely.

For brokers, underwriters, and risk managers, this isn’t just a technical curiosity. It’s a signal that traditional perimeter and endpoint defenses are no longer sufficient. When an IoT device like a webcam becomes the vector for lateral movement and payload delivery, the entire risk model for insurability shifts. This post breaks down the attack, its implications for cyber insurance, and the concrete steps you need to take—whether you’re assessing a portfolio or hardening your own network.

The Akira Threat: By the Numbers

Akira has been a dominant force in the ransomware ecosystem since its emergence in 2023. According to public threat intelligence, Akira accounted for 15% of all ransomware incidents in 2024, behind only LockBit and BlackCat. The group’s claimed losses exceed $42 million in ransom demands, with actual payouts averaging $1.2 million per claim (industry reports, 2024).

What makes Akira particularly dangerous is its adaptability. The group rapidly adopts new vulnerabilities and evasion techniques. The latest evolution—using webcams as a deployment vector—represents a step change in sophistication. By exploiting two critical CVEs, Akira can move laterally through a network without ever triggering EDR alerts on traditional endpoints.

Metric                                  Value
Share of 2024 ransomware incidents      15%
Average ransom demand                   $1.2M
Total claimed losses                    $42M+
CVEs exploited in this campaign         CVE-2023-34976, CVE-2023-22515

This isn’t a fringe tactic. With an estimated 60% of IoT devices lacking any endpoint protection (Gartner), the attack surface is vast. For insurers, the question is no longer if a policyholder will be hit via an unmanaged camera, but when.

How the Attack Works: Camera-as-Vector

The Akira campaign documented in March 2025 follows a multi-stage kill chain that starts with internet-facing vulnerabilities and ends with ransomware deployed through a webcam’s firmware or driver interface.

Stage 1: Initial Access via Confluence Zero-Day (CVE-2023-22515)

Attackers first scan for unpatched Atlassian Confluence Data Center and Server instances. CVE-2023-22515 is a critical broken access control vulnerability (CVSS 9.8) that allows an unauthenticated attacker to create a new administrator account. This vulnerability was disclosed in October 2023 and has been widely exploited by multiple ransomware groups, including Akira.

Once inside, attackers establish persistence, often by creating a hidden admin user or deploying a web shell. This gives them a foothold in the corporate network.

Stage 2: Lateral Movement to Video Station (CVE-2023-34976)

From Confluence, attackers pivot to internal systems running Video Station—a popular network video management software from QNAP. CVE-2023-34976 is a SQL injection vulnerability with a CVSS score of 10.0. It allows authenticated users (which the attackers now are) to inject malicious code via a network request.

The exploit grants remote code execution on the Video Station server. But the real prize is the connected IP cameras. Video Station often manages dozens or hundreds of webcams, many of which run embedded Linux with minimal security controls.

Stage 3: Webcam as Payload Delivery Mechanism

Here’s where the attack gets creative. Instead of dropping ransomware directly on the Video Station server (which might be monitored), attackers modify the firmware or driver of an IP camera. The camera continues to function normally—streaming video—but now carries a hidden payload.

When the camera communicates with other systems on the network (e.g., via ONVIF, RTSP, or proprietary protocols), the payload is delivered to those systems. Because the camera is not a typical endpoint, EDR agents on servers and workstations do not monitor its traffic. The ransomware executes on the target machine without triggering any alerts.

Why This Evades Traditional Defenses

  • Unmanaged devices: Cameras are rarely enrolled in endpoint management or EDR.
  • No behavioral baselines: EDR tools that rely on process execution logs miss firmware-level changes.
  • Trusted protocols: Network traffic from cameras is often whitelisted, so lateral movement looks legitimate.

For underwriters, the key takeaway is that EDR coverage is no longer a sufficient control for ransomware risk. If an insured relies solely on endpoint tools without IoT segmentation and application allowlisting, their risk profile is significantly higher.

Why This Matters for Cyber Insurance

The Akira webcam attack exposes several gaps in how cyber insurance policies are currently underwritten and how risk is assessed.

Broken Assumptions About EDR

Most cyber insurance applications ask: Do you have EDR on all endpoints? The implicit assumption is that EDR covers the entire attack surface. This attack proves otherwise. IoT devices—webcams, smart sensors, building management systems—are endpoints too, but they rarely run EDR agents. If an attacker can use a camera to bypass EDR, the policyholder’s primary control is nullified.

A New Exposure Gap

The average mid-market firm has 50–200 IP cameras (per industry surveys). Many are unpatched, running old firmware, or using default credentials. In the Akira campaign, the initial access vector (Confluence) and the lateral vector (Video Station) are both well-known vulnerabilities with patches available. Yet a significant percentage of organizations have not applied them.

According to Resiliently’s domain exposure data, over 30% of scanned domains still show unpatched instances of Confluence or Video Station as of Q1 2025. This creates a direct link between poor patch hygiene and increased ransomware claim likelihood.

Claim Likelihood Spikes

When an insured relies solely on endpoint tools without network segmentation for IoT, the probability of a successful ransomware attack increases. Modeling by Resiliently’s risk engine suggests that organizations with unsegmented IoT devices face 2.3x higher ransomware claim frequency compared to those with proper segmentation and device inventory.

For brokers, this means that a policyholder who claims to have “EDR everywhere” but cannot produce an IoT device inventory should be flagged for higher risk. For underwriters, it means that standard exclusions for “unmanaged devices” may need to be broadened to explicitly cover IoT cameras.

Red Flags for Brokers & Underwriters

When reviewing a risk submission or conducting a portfolio assessment, look for these warning signs:

1. No Full Device Inventory

Does the insured know how many IP cameras, door controllers, or smart sensors are on their network? If not, they cannot patch or segment them. Ask for a network discovery report that includes IoT devices.

2. Unpatched Critical CVEs

Check whether the insured has patched CVE-2023-22515 (Confluence) and CVE-2023-34976 (Video Station). These are public, widely exploited vulnerabilities. An unpatched Confluence instance is a red flag for overall security maturity.

3. Lack of Network Segmentation for IoT/OT

Are cameras on the same VLAN as corporate workstations? If yes, an attacker can move laterally from a camera to a domain controller without crossing a firewall. Segmentation is a critical control that reduces blast radius.

4. No Application Allowlisting

The Akira attack modifies camera firmware. Application allowlisting (e.g., Windows Defender Application Control or third-party tools) can block unauthorized binaries from executing, even if delivered via a camera. Without it, the payload runs unhindered.

5. No Behavioral Baselines for EDR

Even if EDR is deployed on servers, it should be configured with behavioral baselines that detect unusual network connections from cameras. Standard signature-based detection will miss this attack.

Mitigation Steps to Reduce Risk

For CISOs and risk managers, the following actions will directly reduce exposure and improve insurability.

Immediate Patching

  • Patch Confluence to version 8.3.4 or later (CVE-2023-22515 fixed).
  • Update Video Station to version 5.7.0 or later (CVE-2023-34976 fixed).
  • Apply firmware updates to all IP cameras from the manufacturer.

Network Segmentation

  • Place all IoT/OT devices (cameras, sensors, controllers) on a separate VLAN with strict firewall rules.
  • Block outbound internet access from the IoT VLAN unless required.
  • Use a jump box or VPN for administrative access to cameras.

Application Allowlisting

  • Enable allowlisting on all servers and workstations to prevent execution of unsigned binaries.
  • For Linux-based cameras, use read-only filesystems and signed firmware updates.

EDR with Behavioral Baselines

  • Configure EDR to alert on unusual network connections from non-standard devices.
  • Monitor for camera-to-server traffic that deviates from normal patterns (e.g., large file transfers).
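As an added illustration of the two bullets above and of the “trusted protocols” point earlier on this page, the following script baselines camera-originated flows and flags anything a camera should not be doing: talking to a host other than the video server, using a port outside RTSP/ONVIF/HTTP, or moving far more data than normal. This is example code written for this post, not Resiliently’s risk engine or any EDR product’s logic; the VLAN, server address, port set, byte threshold and log format are assumptions, and the sample flows are constructed.

```python
"""Baseline check for camera-originated network flows. Added example, not
Resiliently's code; the flow-log format and the sample flows are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumptions: cameras live in CAMERA_VLAN and are expected to talk only to the
# video server, on RTSP/ONVIF/HTTP ports, at volumes under the stated baseline.
CAMERA_VLAN = ip_network("10.50.0.0/24")
VIDEO_SERVER = ip_address("10.10.0.20")
EXPECTED_PORTS = {554, 80, 443, 3702}   # RTSP, HTTP, HTTPS, ONVIF WS-Discovery
MAX_BYTES_PER_FLOW = 50_000_000         # constructed baseline for a 5-minute flow

Flow = namedtuple("Flow", "ts src dst dport proto nbytes")

def parse_flow(line: str) -> Flow:
    """Constructed log format: '<timestamp> <src> <dst> <dport> <proto> <bytes>'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))

def alerts_for(flow: Flow) -> list:
    """Return one alert string per way this camera flow deviates from baseline."""
    if ip_address(flow.src) not in CAMERA_VLAN:
        return []                       # only camera-originated traffic is baselined
    found = []
    if ip_address(flow.dst) != VIDEO_SERVER:
        found.append(f"{flow.src} -> non-video host {flow.dst}")
    if flow.dport not in EXPECTED_PORTS:
        found.append(f"{flow.src} -> unexpected port {flow.dport}/{flow.proto}")
    if flow.nbytes > MAX_BYTES_PER_FLOW:
        found.append(f"{flow.src} moved {flow.nbytes} bytes, above baseline")
    return found

def scan(lines) -> list:
    """Run every non-empty log line through the baseline and collect alerts."""
    return [a for line in lines if line.strip() for a in alerts_for(parse_flow(line))]

# Constructed sample: two normal RTSP sessions, then one camera opening SMB to a
# file server and pushing a large transfer to a host on the workstation VLAN.
SAMPLE_FLOWS = """
2025-03-05T09:00:00Z 10.50.0.11 10.10.0.20 554 tcp 41000000
2025-03-05T09:00:00Z 10.50.0.12 10.10.0.20 554 tcp 39500000
2025-03-05T09:05:12Z 10.50.0.11 10.10.0.40 445 tcp 120000
2025-03-05T09:06:40Z 10.50.0.11 10.20.1.77 445 tcp 98000000
2025-03-05T09:07:00Z 10.20.1.5 10.10.0.40 445 tcp 3000000
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS.splitlines()):
        print("ALERT:", alert)
```

Traffic from the workstation VLAN is deliberately ignored here: the point is that a camera, not a server, is the one opening SMB sessions, which is exactly the signal a signature-based EDR on the servers never sees.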

Device Inventory & Continuous Monitoring

  • Use a network discovery tool (e.g., Nmap, Shodan, or a commercial solution) to maintain a real-time inventory of all connected devices.
  • Integrate IoT device data into your SIEM or vulnerability management platform.
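The inventory bullet above and red flags 1 and 3 earlier on the page come down to two questions: how many cameras are there, and are any of them on a corporate VLAN? The script below, added here as an example and not Resiliently’s tooling, answers both from Nmap’s grepable (-oG) output: it parses the host lines, treats any host with an open RTSP (554) or ONVIF WS-Discovery (3702) port as a camera, and lists cameras whose address falls outside the declared IoT VLAN. The VLAN range and the camera fingerprint are assumptions, and the scan text is a constructed sample.

```python
"""IoT inventory from Nmap grepable (-oG) output, flagging cameras found outside
the IoT VLAN. Added example, not Resiliently's tooling; the scan text below is a
constructed sample, not a real network."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("10.50.0.0/24")  # assumption: the insured's declared camera VLAN
CAMERA_PORTS = {554, 3702}             # RTSP and ONVIF WS-Discovery

# Grepable host line: "Host: <ip> (<name>)\tPorts: <p>/<state>/<proto>//<svc>///, ...\t..."
HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")

def parse_grepable(text: str) -> dict:
    """Return {ip: {open_port: service}} for every host line that lists ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                 # comments and 'Status: Up' lines carry no ports
        ports = {}
        for entry in m.group(2).split(","):
            f = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(f) >= 5 and f[1] == "open":
                ports[int(f[0])] = f[4]
        hosts[m.group(1)] = ports
    return hosts

def classify(ports: dict) -> str:
    """Crude fingerprint: an open RTSP or ONVIF discovery port marks a camera."""
    return "camera" if CAMERA_PORTS & set(ports) else "other"

def inventory(hosts: dict) -> dict:
    """Count devices per class (red flag 1: does the insured know how many cameras?)."""
    return dict(Counter(classify(ports) for ports in hosts.values()))

def misplaced_cameras(hosts: dict) -> list:
    """Cameras addressed outside the IoT VLAN (red flag 3: no segmentation)."""
    return sorted(ip for ip, ports in hosts.items()
                  if classify(ports) == "camera" and ip_address(ip) not in IOT_VLAN)

SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.50.0.11 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 10.50.0.12 ()\tPorts: 554/open/tcp//rtsp///, 3702/open/udp//ws-discovery///\tIgnored State: closed (998)
Host: 10.20.1.88 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 10.20.1.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.20.1.9 ()\tStatus: Up
"""
```

Run against the sample, `inventory(parse_grepable(SAMPLE_SCAN))` reports three cameras and one other host, and `misplaced_cameras` returns the camera at 10.20.1.88, which sits on the workstation range rather than the IoT VLAN.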

Checklist for CISOs

Action                                         Priority   Status
Patch Confluence to >=8.3.4                    Critical
Patch Video Station to >=5.7.0                 Critical
Segment IoT devices onto separate VLAN         High
Enable application allowlisting on servers     High
Update EDR to include behavioral baselines     Medium
Conduct full network device inventory          High

Assessing Your Portfolio’s Exposure

Brokers and underwriters need tools to quickly evaluate whether an insured is exposed to this attack vector. Resiliently offers two capabilities that directly address the Akira webcam threat.

Domain Exposure Checker

Our Domain Exposure Checker scans your insured’s public-facing infrastructure for unpatched CVEs, including CVE-2023-22515 (Confluence) and CVE-2023-34976 (Video Station). Within seconds, you can see if a policyholder has a known vulnerability that Akira could exploit.

Scan your domain for Akira-related CVEs →

Broker Scorecard

The Broker Scorecard benchmarks an insured’s security controls against industry standards, including IoT segmentation, patch cadence, and EDR coverage. It provides a single risk score that helps you compare portfolios and negotiate better terms.

Compare your portfolio against industry benchmarks →

Aligning with Regulatory Frameworks

For EU-based insureds, the NIS2 Directive requires incident reporting within 24 hours and mandates supply chain security. The Akira webcam attack could constitute a reportable incident if it affects critical infrastructure. Resiliently’s NIS2 tools help you map controls to regulatory requirements and demonstrate due diligence.

Similarly, DORA (Digital Operational Resilience Act) for financial entities demands robust ICT risk management, including asset management and third-party risk. The Akira attack highlights the need to include IoT devices in business continuity planning. GDPR implications arise if cameras capture personal data—a breach could trigger notification obligations.

The Bottom Line for Insurability

The Akira webcam deployment is more than a novel technique—it’s a paradigm shift. Insurers will increasingly ask: Do you know what’s on your network? If the answer is no, or if IoT devices are unmanaged, expect higher premiums, broader exclusions, or outright declinations.

Proactive scanning, segmentation, and application allowlisting are no longer optional. They are table stakes for maintaining insurability in a world where attackers weaponize every connected device.

For brokers: Use the Domain Exposure Checker to identify high-risk insureds before renewal. Use the Broker Scorecard to justify rate adjustments.

For CISOs: Implement the checklist above. Document your IoT segmentation and patch status. When your underwriter asks, have the evidence ready.

Don’t let a webcam become a claim trigger. Assess your exposure today.

Run a free Domain Exposure Scan →

Download the Akira mitigation checklist for IoT/OT devices →

Talk to an underwriter about adjusting policy terms based on camera exposure →
