By exploiting CVE-2024-40766, a critical vulnerability in SonicWall’s SSL VPN technology, the Fog and Akira ransomware gangs are breaching corporate networks through exposed SonicWall VPNs. The vulnerability was discovered and patched in August 2024, but some businesses have not yet applied the fix, so it still poses a risk.
According to security researchers at Arctic Wolf, more than 30 corporate compromises affecting businesses around the world have been linked to this vulnerability. Akira affiliates are behind most of them: 75% of the reported intrusions are attributed to Akira, with the remainder attributed to Fog ransomware. Both groups appear to use the same infrastructure, which points to an ongoing partnership.
In these cases, the attackers used stale, unmaintained SonicWall VPN accounts to gain access to vulnerable networks. Once logged in, they moved quickly, in some cases encrypting critical data within two hours of initial access.
Arctic Wolf found that these fast-moving attacks mostly targeted backups and virtual machines in order to cause as much disruption as possible. Compromised firms frequently still ran their VPN services on the default port, 4433, which made them easier to find and attack, and multi-factor authentication (MFA) was not enabled in any of the intrusions.
Arctic Wolf’s analysis of the firewall logs shed more light on how these breaches unfolded. The attackers’ entry points were identified by events labelled “WAN zone remote user login allowed” (ID 238) and “SSL VPN zone remote user login allowed” (ID 1080). Subsequent events with ID 1079 recorded that the attackers had completed the login and been assigned an IP address.
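The log-based tracing described above can be turned into a simple detection: pair each “login allowed” event (ID 238 or 1080) with the matching ID 1079 completion for the same user and source address, then raise an alert when the account is one that should no longer be in use. The script below is an added example written for this article, not Arctic Wolf’s or SonicWall’s own tooling. The log lines are constructed for the example: they follow SonicWall’s general key=value syslog layout (`m=` for the event ID, `usr=`, `src=`), but the exact field names and message texts are assumptions, as is the `STALE_ACCOUNTS` list, which in practice would come from an identity provider or offboarding records.

```python
import re
from datetime import datetime, timedelta

# Event IDs named in the Arctic Wolf write-up.
LOGIN_ALLOWED_IDS = {"238", "1080"}   # WAN zone / SSL VPN zone remote user login allowed
LOGIN_COMPLETED_ID = "1079"           # login completed, IP address assigned

# Hypothetical list of VPN accounts that should already have been disabled
# (assumption for the example; source this from your IdP in a real deployment).
STALE_ACCOUNTS = {"svc_legacy", "contractor_2019"}

# Constructed SonicWall-style key=value lines. Field names and message texts
# are assumed for the example; they are not captured from a real incident.
SAMPLE_LOGS = [
    'time="2024-10-01 02:11:05" m=238 msg="WAN zone remote user login allowed" usr="jdoe" src=203.0.113.10',
    'time="2024-10-01 02:11:06" m=1080 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=203.0.113.10',
    'time="2024-10-01 02:11:07" m=1079 msg="Remote user login completed, IP assigned" usr="jdoe" src=203.0.113.10',
    'time="2024-10-01 08:30:00" m=1080 msg="SSL VPN zone remote user login allowed" usr="svc_legacy" src=198.51.100.7',
    'time="2024-10-01 08:30:01" m=1079 msg="Remote user login completed, IP assigned" usr="svc_legacy" src=198.51.100.7',
    'time="2024-10-01 09:00:00" m=98 msg="Connection Opened" src=10.0.0.5',  # unrelated event
]

# key=value pairs; values may be double-quoted (and then may contain spaces)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def find_sessions(lines, window=timedelta(seconds=60)):
    """Pair each ID 1079 completion with the 238/1080 'login allowed' events
    for the same user and source IP that precede it within `window`.
    Returns one dict per completed remote VPN session."""
    records = [parse_line(line) for line in lines]
    allowed = [r for r in records if r.get("m") in LOGIN_ALLOWED_IDS]
    completed = [r for r in records if r.get("m") == LOGIN_COMPLETED_ID]
    sessions = []
    for c in completed:
        matching = [
            a for a in allowed
            if a.get("usr") == c.get("usr") and a.get("src") == c.get("src")
            and timedelta(0) <= _ts(c) - _ts(a) <= window
        ]
        if matching:
            sessions.append({
                "user": c["usr"],
                "src": c["src"],
                "zone_events": sorted(a["m"] for a in matching),
                "completed": c["time"],
            })
    return sessions


def flag_stale_logins(sessions, stale_accounts=STALE_ACCOUNTS):
    """Return the sessions whose account is on the should-be-disabled list."""
    return [s for s in sessions if s["user"] in stale_accounts]


if __name__ == "__main__":
    sessions = find_sessions(SAMPLE_LOGS)
    for s in sessions:
        print(f"VPN session: user={s['user']} src={s['src']} via events {s['zone_events']} at {s['completed']}")
    for s in flag_stale_logins(sessions):
        print(f"ALERT: stale account {s['user']} completed a VPN login from {s['src']}")
```

The correlation deliberately keys on both user and source IP so that an allowed event for one client is not paired with the completion of another; the time window should be kept short, since the two events are logged seconds apart. The same session list can feed further checks, such as comparing the source address against known corporate ranges.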
The attackers generally ignored data older than six months and concentrated on newer documents, although for more sensitive material the threshold was raised to 30 months.
Fog ransomware, which launched in May 2024, is still spreading, and its affiliates frequently use compromised VPN credentials. Akira’s Tor website recently suffered outages but has since come back online.
According to Japanese researcher Yutaka Sejiyama, around 168,000 SonicWall endpoints worldwide are still vulnerable to CVE-2024-40766, which underlines how urgently businesses need to patch their devices and put security measures such as MFA in place.
Similar attacks were seen in the first half of 2023, when 150 million ransomware delivery attempts were made against SonicWall. Akira has also exploited Cisco VPN products in the past.