30 October 2024

Akira and Fog ransomware exploit SonicWall VPN bug to breach corporate networks

The Akira and Fog ransomware operations are increasingly exploiting a critical SonicOS vulnerability to log in to SonicWall SSL VPN accounts and gain a foothold in corporate networks.

Tracked as CVE-2024-40766, the flaw is an improper access control issue in SonicOS that affects both management access and the SSL VPN service and allows attackers to bypass access restrictions. SonicWall released patched firmware in late August 2024 and, shortly afterwards, updated its advisory to warn that the vulnerability was being actively exploited.

According to a recent Arctic Wolf report, Akira and Fog have so far carried out more than 30 intrusions that began with compromised SonicWall SSL VPN accounts. Roughly 75% of these are attributed to Akira, with Fog responsible for the remainder, and some evidence suggests the two operations share infrastructure.

Arctic Wolf researchers note that, while they cannot definitively confirm CVE-2024-40766 was exploited in every case, all of the affected devices were running older, unpatched SonicOS firmware and were therefore vulnerable. The interval between initial access and data encryption averaged about ten hours, and in the fastest cases was as short as 1.5 to 2 hours.

In most intrusions the attackers connected to the SSL VPN through commercial VPN or VPS providers to conceal their true source IP addresses. The victim organizations typically had not enforced multi-factor authentication (MFA) on their SSL VPN accounts and had left the service listening on its default port, 4433, Arctic Wolf noted.
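The three conditions above (logins from hosting or VPS address space, accounts that never present MFA, and the SSL VPN exposed on its default port) are all visible in the appliance's authentication logs. The following is an added example of triage logic over such events, not code from Arctic Wolf, SonicWall or the ransomware operators: the event record shape, the VPS and corporate address ranges, and the sample logins are all constructed for illustration, and `risk_reasons`, `triage` and `accounts_without_mfa` are names chosen here. In practice the records would be mapped from the appliance's syslog fields and the VPS ranges from a real hosting-provider ASN or CIDR feed.

```python
"""Flag SSL VPN logins matching the Akira/Fog access pattern.

Added example. Everything below (record layout, address ranges, sample
events) is constructed; substitute your own log fields and threat feeds.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-ins for address space belonging to VPS/hosting providers.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed: the organisation's own office/egress ranges.
CORPORATE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
DEFAULT_SSLVPN_PORT = 4433  # the default port the article says was left in place


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    dst_port: int
    mfa: bool       # whether a second factor was presented
    success: bool   # whether the appliance accepted the login


def in_ranges(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def risk_reasons(ev):
    """Reasons an accepted login matches the pattern; empty list if none or if the login failed."""
    if not ev.success:
        return []
    reasons = []
    if in_ranges(ev.src_ip, VPS_RANGES):
        reasons.append("source in VPS/hosting range")
    if not ev.mfa:
        reasons.append("no MFA")
    if ev.dst_port == DEFAULT_SSLVPN_PORT and not in_ranges(ev.src_ip, CORPORATE_RANGES):
        reasons.append("default SSL VPN port from outside corporate ranges")
    return reasons


def triage(events):
    """Map each account to its flagged logins, as (ISO timestamp, reasons), in time order."""
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = risk_reasons(ev)
        if reasons:
            flagged.setdefault(ev.user, []).append((ev.ts.isoformat(), reasons))
    return flagged


def accounts_without_mfa(events):
    """Accounts with at least one accepted login and none that presented MFA (MFA not enforced)."""
    seen_mfa = {}
    for ev in events:
        if ev.success:
            seen_mfa[ev.user] = seen_mfa.get(ev.user, False) or ev.mfa
    return sorted(user for user, had_mfa in seen_mfa.items() if not had_mfa)


# Constructed sample events: one normal office login, two VPS-sourced logins
# without MFA (one preceded by a failure), and an external login with MFA.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 10, 1, 9, 0), "alice", "192.0.2.10", 4433, True, True),
    LoginEvent(datetime(2024, 10, 1, 23, 14), "alice", "203.0.113.45", 4433, False, True),
    LoginEvent(datetime(2024, 10, 1, 23, 20), "bob", "198.51.100.7", 4433, False, False),
    LoginEvent(datetime(2024, 10, 2, 1, 5), "bob", "198.51.100.7", 4433, False, True),
    LoginEvent(datetime(2024, 10, 2, 8, 30), "carol", "198.18.0.5", 4433, True, True),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        for ts, reasons in hits:
            print(f"{ts} {user}: {', '.join(reasons)}")
    print("accounts never seen with MFA:", accounts_without_mfa(SAMPLE_EVENTS))
```

A login that collects all three reasons (alice's and bob's VPS-sourced logins here) is the case worth paging on, since the article's ten-hour average to encryption leaves little room for a next-day review; the single-reason hit for carol is only a reminder that the service is still on its default port. `accounts_without_mfa` gives the list to fix on the identity side independently of any one login.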

Once inside, the attackers moved quickly to encrypt data, with a particular focus on virtual machines and their backups. Fog ransomware, which launched in May 2024, routinely uses compromised VPN credentials for initial access, a technique it shares with the more established Akira operation. Akira, however, has recently had trouble keeping its Tor sites reachable, as reported by BleepingComputer.

According to Japanese security researcher Yutaka Sejiyama, approximately 168,000 SonicWall endpoints remain exposed and vulnerable to CVE-2024-40766 as of this week. Sejiyama also suggested that Black Basta ransomware might be using the same flaw.
