SonicWall

Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.

SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.

At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.

A new report by Arctic Wolf warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.

Of these cases, 75% are linked to Akira, with the rest attributed to Fog ransomware operations.

Interestingly, the two threat groups appear to share infrastructure, which shows the continuation of an unofficial collaboration between the two, as previously documented by Sophos.

While the researchers aren't 100% positive the flaw was used in all cases, all of the breached endpoints were vulnerable to it, running an older, unpatched version.

In most cases, the time from intrusion to data encryption was short, at about ten hours, even reaching 1.5-2 hours on the quickest occasions.

In many of these attacks, the threat actors accessed the endpoint via VPN/VPS, obfuscating their real IP addresses.

Arctic Wolf notes that apart from operating unpatched endpoints, compromised organizations did not appear to have enabled multi-factor authentication on the compromised SSL VPN accounts and run their services on the default port 4433.

"In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed," explains Artic Wolf.

"Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully."

In the subsequent stages, the threat actors engaged in rapid encryption attacks targeting mainly virtual machines and their backups.

Data theft from breached systems involved documents and proprietary software, but the threat actors didn't bother with files that were older than six months, or 30 months old for more sensitive files.

Launched in May 2024, Fog ransomware is a growing operation whose affiliates tend to use compromised VPN credentials for initial access.

Akira, a far more established player in the ransomware space, has recently had Tor website access problems, as observed by BleepingComputer, but those are gradually returning online now.

Update 10/28: Japanese researcher Yutaka Sejiyama reports that ther are approximately 168,000 SonicWall endpoints vulnerable to CVE-2024-40766 right now, exposed to the internet.

Sejiyama also told BleepingComputer he has indications that Black Basta ransomware may also be leveraging the same flaw in attacks.

Related Articles:

Palo Alto Networks warns of potential PAN-OS RCE vulnerability

Cisco fixes VPN DoS flaw discovered in password spray attacks

Akira and Fog ransomware now exploit critical Veeam RCE flaw

CISA warns of more Palo Alto Networks bugs exploited in attacks

FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023