Fog Ransomware Targets Sonicwall VPNs to Breach Corporate Networks
Summary:
Fog and Akira ransomware groups are actively exploiting a critical vulnerability, CVE-2024-40766, in SonicWall SSL VPNs to gain unauthorized access to corporate networks. This flaw, found in SonicOS, affects access controls within SSL VPNs, allowing attackers to bypass security and compromise networks remotely. Despite a patch issued by SonicWall in late August 2024, the vulnerability has continued to be actively exploited. A report from Arctic Wolf security researchers reveals that Akira and Fog ransomware operations have launched at least 30 attacks using compromised SonicWall VPN accounts, with 75% of these breaches attributed to Akira. The report also indicates that Fog and Akira appear to share operational infrastructure, suggesting an unofficial alliance, which Sophos had previously documented.
These attacks are characterized by rapid data encryption after intrusion: in some incidents encryption began within ten hours of initial access, and in the fastest cases within only 1.5 to 2 hours. Attackers often connect through VPN or VPS providers to mask their source IP addresses, further complicating detection. Arctic Wolf's analysis highlights that many of the breached organizations had unpatched SonicWall endpoints, lacked multi-factor authentication on VPN accounts, and left the SSL VPN service exposed on its default port, 4433, giving attackers a simpler path in. Where firewall logs were available, event IDs 238 and 1080 (indicating a remote user login from the WAN or SSL VPN zones) were observed, followed by multiple INFO messages with event ID 1079 confirming the successful login and the allocation of an IP address. Once inside the network, the attackers focused on rapid encryption, primarily targeting virtual machines and backups. They encrypted recent files selectively, generally ignoring documents older than six months but extending that window to 30 months for particularly sensitive data, thereby maximizing the impact of the data they stole.
Security Officer Comments:
Fog ransomware, a relatively new actor that launched in May 2024, typically relies on compromised VPN credentials for network access. Akira, a more seasoned group, has recently encountered issues with Tor accessibility but is gradually restoring its online presence. Notably, security researcher Yutaka Sejiyama reported that approximately 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766 and exposed to the internet. Sejiyama also indicated that Black Basta, another notorious ransomware group, may be leveraging this vulnerability as well, suggesting that the flaw could be exploited by multiple ransomware operators across various campaigns.
Suggested Corrections:
To effectively protect against these and other emerging ransomware threats, defenders should prioritize keeping firmware up to date on perimeter network appliances, monitoring for VPN logins from hosting providers that are not expected in their environments, ensuring that secure off-site backups are in place, and monitoring for common post-compromise activities across endpoints.
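The log-based indicators described in the summary (event IDs 238 or 1080 for a remote user login from the WAN or SSL VPN zone, followed by one or more 1079 messages confirming the login and IP allocation) and the recommendation above to watch for VPN logins from unexpected hosting providers can be combined into a small correlation check. The following Python script is an added example and is not part of the Arctic Wolf report or the BleepingComputer article. It assumes SonicWall-style key=value syslog lines in which the event ID is carried in an `m=` field and the connecting user and address in `usr=` and `src=`; the sample log lines, serial number, addresses and the hosting-provider watchlist range are all constructed for the example and should be replaced with values from your own environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines approximating SonicWall's key=value syslog
# layout. Every value here (serial, addresses, users, message text) is
# invented for this example; only the event IDs 238, 1080 and 1079 come
# from the report summary.
SAMPLE_LOG = """\
id=firewall sn=0000000000AA time="2024-10-01 02:14:05" fw=198.51.100.1 pri=6 m=1080 src=203.0.113.77 dst=198.51.100.1 usr="jdoe" msg="SSL VPN zone remote user login allowed"
id=firewall sn=0000000000AA time="2024-10-01 02:14:06" fw=198.51.100.1 pri=6 m=1079 src=203.0.113.77 dst=198.51.100.1 usr="jdoe" msg="User login from SSL VPN"
id=firewall sn=0000000000AA time="2024-10-01 02:14:06" fw=198.51.100.1 pri=6 m=1079 src=203.0.113.77 dst=198.51.100.1 usr="jdoe" msg="SSL VPN IP address 10.10.0.5 assigned"
id=firewall sn=0000000000AA time="2024-10-01 08:00:10" fw=198.51.100.1 pri=6 m=238 src=192.0.2.40 dst=198.51.100.1 usr="asmith" msg="WAN zone remote user login allowed"
id=firewall sn=0000000000AA time="2024-10-01 08:00:11" fw=198.51.100.1 pri=6 m=1079 src=192.0.2.40 dst=198.51.100.1 usr="asmith" msg="User login from SSL VPN"
id=firewall sn=0000000000AA time="2024-10-01 09:30:00" fw=198.51.100.1 pri=6 m=1080 src=203.0.113.200 dst=198.51.100.1 usr="bjones" msg="SSL VPN zone remote user login allowed"
"""

# Constructed stand-in for address ranges belonging to hosting/VPS providers
# that have no business logging in to this organisation's VPN.
HOSTING_WATCHLIST = ["203.0.113.0/24"]

ZONE_LOGIN_EVENTS = {"238", "1080"}   # remote user login from WAN / SSL VPN zone
LOGIN_CONFIRM_EVENT = "1079"          # INFO: login succeeded, IP allocated

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class VpnLogin:
    user: str
    src: str
    first_seen: str
    zone_event: str
    confirmations: int = 0   # number of 1079 messages seen after the zone login

    @property
    def confirmed(self) -> bool:
        return self.confirmations > 0


def parse_line(line: str) -> dict:
    """Split one key=value syslog line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def find_vpn_logins(log_text: str) -> list:
    """Correlate zone-login events (238/1080) with the 1079 confirmations that
    follow them for the same source address and user. Only logins that were
    actually confirmed are returned; a zone login with no 1079 is dropped."""
    pending = {}
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        event = fields.get("m")
        key = (fields.get("src"), fields.get("usr"))
        if event in ZONE_LOGIN_EVENTS:
            pending[key] = VpnLogin(user=key[1], src=key[0],
                                    first_seen=fields.get("time", ""),
                                    zone_event=event)
        elif event == LOGIN_CONFIRM_EVENT and key in pending:
            pending[key].confirmations += 1
    return [login for login in pending.values() if login.confirmed]


def flag_unexpected(logins: list, watchlist: list) -> list:
    """Return confirmed logins whose source address falls inside a watchlisted
    hosting-provider range."""
    networks = [ipaddress.ip_network(cidr) for cidr in watchlist]
    return [login for login in logins
            if any(ipaddress.ip_address(login.src) in net for net in networks)]


if __name__ == "__main__":
    confirmed = find_vpn_logins(SAMPLE_LOG)
    for login in flag_unexpected(confirmed, HOSTING_WATCHLIST):
        print(f"ALERT: VPN login for {login.user} from watchlisted host "
              f"{login.src} at {login.first_seen} (event {login.zone_event}, "
              f"{login.confirmations} x 1079)")
```

On the constructed sample the script confirms two logins (jdoe and asmith) and alerts only on jdoe, whose source address sits in the watchlisted range; bjones is ignored because the zone login was never followed by a 1079. In production the watchlist would be populated from your own knowledge of which providers are expected, and the alert would be fed to a SIEM rather than printed.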
Link(s):
https://www.bleepingcomputer.com/ne...-sonicwall-vpns-to-breach-corporate-networks/
https://arcticwolf.com/resources/bl...somware-activity-linked-to-sonicwall-ssl-vpn/