Akira and Fog ransomware operations are increasingly exploiting a high-risk vulnerability affecting SonicWall VPN accounts to access corporate networks.
Tracked as CVE-2024-40766, the flaw is an improper access control issue that allows attackers to bypass access restrictions. SonicWall released a patch for this SonicOS flaw in late August 2024. Shortly after, the company alerted users that the vulnerability was actively under attack.
According to a recent Arctic Wolf report, Akira and Fog ransomware have so far carried out over 30 attacks using compromised SonicWall VPN accounts; about 75% are attributed to Akira, with Fog linked to the remaining cases. Some evidence suggests that the two ransomware operations share certain infrastructure.
Arctic Wolf researchers note that while they can't definitively confirm CVE-2024-40766 was used in each instance, all compromised endpoints were running older, unpatched SonicWall VPN versions, leaving them vulnerable. The interval between initial access and data encryption averaged about ten hours, with the fastest cases taking as little as 1.5 to 2 hours.
Most attacks saw threat actors accessing endpoints via VPN or VPS services to conceal their real IP addresses. The compromised organizations typically had not implemented multi-factor authentication (MFA) on their SSL VPN accounts and had left services running on the default port 4433, Arctic Wolf noted.
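The three conditions Arctic Wolf calls out (no MFA on the SSL VPN account, service left on the default port 4433, and logins arriving from VPN/VPS hosting ranges) can be turned into a simple triage pass over VPN authentication events. The script below is an added example written for this article, not code from Arctic Wolf or SonicWall; the key=value log format, the user names and the hosting prefixes are all constructed for illustration (the prefixes are RFC 5737 documentation ranges standing in for an analyst's own list), and a real deployment would parse the firewall's actual syslog fields instead.

```python
"""Triage constructed SSL VPN login events for the pattern described in the
Arctic Wolf report: successful logins without MFA, the service on the default
port 4433, and source addresses in hosting/VPS ranges.

The log format, users and prefixes are constructed for this example; they are
not SonicOS syslog syntax or real attribution data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed hosting/VPS prefixes (RFC 5737 documentation ranges) standing in
# for the provider ranges an analyst would maintain from their own sources.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
DEFAULT_SSLVPN_PORT = 4433  # the default port the report says victims had left in place


@dataclass
class VpnLogin:
    ts: datetime
    user: str
    src_ip: str
    dst_port: int
    mfa: bool
    success: bool


def parse_line(line: str) -> VpnLogin:
    """Parse one constructed key=value event line (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return VpnLogin(
        ts=datetime.fromisoformat(fields["ts"]),
        user=fields["user"],
        src_ip=fields["src"],
        dst_port=int(fields["dport"]),
        mfa=fields["mfa"] == "yes",
        success=fields["result"] == "success",
    )


def assess(login: VpnLogin) -> list:
    """Return the risk indicators present on a successful login (empty if none)."""
    if not login.success:
        return []
    indicators = []
    if not login.mfa:
        indicators.append("no-mfa")
    if login.dst_port == DEFAULT_SSLVPN_PORT:
        indicators.append("default-port")
    src = ipaddress.ip_address(login.src_ip)
    if any(src in net for net in HOSTING_PREFIXES):
        indicators.append("hosting-src")
    return indicators


def severity(indicators) -> str:
    """No MFA plus a hosting-range source is the combination the report describes."""
    if "no-mfa" in indicators and "hosting-src" in indicators:
        return "high"
    if "no-mfa" in indicators:
        return "medium"
    return "low"


def triage(lines):
    """Group flagged logins by (user, source IP) and rank them by severity."""
    groups = {}
    for raw in lines:
        if not raw.strip():
            continue
        login = parse_line(raw)
        indicators = assess(login)
        if not indicators:
            continue
        key = (login.user, login.src_ip)
        entry = groups.setdefault(key, {
            "user": login.user, "src_ip": login.src_ip,
            "first_seen": login.ts, "count": 0, "indicators": set(),
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], login.ts)
        entry["indicators"].update(indicators)
    rank = {"high": 0, "medium": 1, "low": 2}
    out = []
    for entry in groups.values():
        entry["indicators"] = sorted(entry["indicators"])
        entry["severity"] = severity(entry["indicators"])
        out.append(entry)
    out.sort(key=lambda e: (rank[e["severity"]], e["first_seen"]))
    return out


# Constructed sample events: one account without MFA logging in twice from a
# hosting range, one MFA-protected user, and one failed attempt to be ignored.
SAMPLE_LOG = """\
ts=2024-10-01T02:13:07 user=jsmith src=203.0.113.45 dport=4433 mfa=no result=success
ts=2024-10-01T02:14:51 user=jsmith src=203.0.113.45 dport=4433 mfa=no result=success
ts=2024-10-01T08:02:11 user=alee src=192.0.2.10 dport=4433 mfa=yes result=success
ts=2024-10-01T09:30:00 user=svc-backup src=198.51.100.7 dport=443 mfa=no result=failure
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f'{e["severity"]:6} {e["user"]:12} {e["src_ip"]:15} '
              f'x{e["count"]} {",".join(e["indicators"])}')
```

Ranking by (user, source IP) rather than by single event keeps the output short enough to act on during the ten-hour window the report describes; a "high" entry is the account to disable and the session to terminate first, and a "low" entry on the default port is a configuration item for the next maintenance window.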
Once inside, the attackers quickly moved to encrypt data, focusing on virtual machines and their backups. Fog ransomware, which launched in May 2024, often uses compromised VPN credentials for network access, a technique shared by its more established counterpart Akira. However, Akira has faced recent challenges with Tor website access for its operations, as reported by BleepingComputer.
According to Japanese security researcher Yutaka Sejiyama, approximately 168,000 SonicWall endpoints remain exposed and vulnerable to CVE-2024-40766 as of this week. Sejiyama also suggested that Black Basta ransomware might be using the same flaw.