Fog ransomware targets SonicWall VPNs to breach corporate networks

Fog and Akira ransomware operators are increasingly infiltrating corporate networks via SonicWall VPN accounts, with these threat actors believed to be exploiting CVE-2024-40766, a significant SSL VPN access control vulnerability. SonicWall addressed this SonicOS vulnerability in late August 2024, and approximately one week later, issued a warning regarding its active exploitation. Concurrently, Arctic Wolf security researchers reported that Akira ransomware affiliates were utilizing this flaw to gain initial access to targeted networks.

A recent report from Arctic Wolf indicates that both Akira and Fog ransomware operations have executed at least 30 intrusions, all initiated through remote access to networks via SonicWall VPN accounts. Of these incidents, 75% are associated with Akira, while the remaining cases are linked to Fog ransomware operations. Notably, the two threat groups seem to share infrastructure, suggesting an ongoing unofficial collaboration, as previously noted by Sophos.

Although researchers cannot confirm that the vulnerability was exploited in every instance, all compromised endpoints were susceptible, operating on outdated, unpatched versions. In many cases, the duration from intrusion to data encryption was brief, averaging around ten hours, with some instances occurring within 1.5 to 2 hours. The threat actors often accessed the endpoints through VPN/VPS, effectively concealing their actual IP addresses.

Arctic Wolf highlights that, in addition to utilizing unpatched endpoints, the affected organizations did not appear to have implemented multi-factor authentication on the compromised SSL VPN accounts and were operating their services on the default port 4433. “In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed,” states Arctic Wolf. “Following one of these messages, several SSL VPN INFO log messages (event ID 1079) indicated that login and IP assignment had been successfully completed.” The report goes on to describe the later phases of the intrusions.
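As an added example, not code from Arctic Wolf or from this article, the script below applies the event IDs quoted above to firewall logs: it pairs each 238/1080 login-allowed message with the following 1079 completion for the same user and source IP, and records whether the listener sat on the default port 4433. The key=value layout and field names (m=, usr=, src=, dst=) are assumptions, and the log lines are constructed.

```python
import re

# Event IDs quoted in the Arctic Wolf report: 238 and 1080 mark an allowed
# SSL VPN remote-user login, 1079 marks completed login and IP assignment.
LOGIN_ALLOWED = {"238", "1080"}
LOGIN_COMPLETED = "1079"
DEFAULT_SSLVPN_PORT = "4433"

# Constructed sample lines in a SonicOS-style key=value syslog layout. The
# field names (m=, usr=, src=, dst=) are an assumption, not from the report.
SAMPLE_LOGS = """\
time="2024-10-01 02:14:03" m=1080 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=203.0.113.5 dst=198.51.100.1:4433
time="2024-10-01 02:14:04" m=1079 msg="SSL VPN INFO: login and IP assignment completed" usr="jdoe" src=203.0.113.5
time="2024-10-01 02:20:11" m=238 msg="WAN zone remote user login allowed" usr="svc_backup" src=192.0.2.77 dst=198.51.100.1:4433
time="2024-10-01 02:20:12" m=1079 msg="SSL VPN INFO: login and IP assignment completed" usr="svc_backup" src=192.0.2.77
time="2024-10-01 03:05:00" m=1080 msg="SSL VPN zone remote user login allowed" usr="alice" src=192.0.2.90 dst=198.51.100.1:8443
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value syslog line into a dict, unquoting quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def find_completed_vpn_logins(log_text):
    """Pair each 238/1080 login-allowed event with the next 1079 completion
    for the same (user, source IP). Returns one finding per completed session;
    a login-allowed event with no completion is dropped (no IP was assigned)."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        key = (ev.get("usr"), ev.get("src"))
        if ev.get("m") in LOGIN_ALLOWED:
            pending[key] = ev
        elif ev.get("m") == LOGIN_COMPLETED and key in pending:
            start = pending.pop(key)
            port = start.get("dst", "").rsplit(":", 1)[-1]
            findings.append({
                "user": key[0],
                "src": key[1],
                "login_event": start["m"],
                "default_port": port == DEFAULT_SSLVPN_PORT,
            })
    return findings

if __name__ == "__main__":
    for finding in find_completed_vpn_logins(SAMPLE_LOGS):
        print(finding)
```

Completed sessions from unfamiliar source addresses, on accounts without MFA, are the ones worth reviewing first given the short dwell times the report describes.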
