Fog ransomware exploits SonicWall VPN vulnerabilities to infiltrate corporate networks.


Fog and Akira ransomware groups are increasingly infiltrating corporate networks through SonicWall VPN accounts, reportedly exploiting CVE-2024-40766, a critical vulnerability in SSL VPN access control.

SonicWall patched this SonicOS vulnerability in late August 2024 and, about a week later, warned that it was being actively exploited.

Meanwhile, Arctic Wolf security researchers observed Akira ransomware affiliates using this flaw to establish initial access to targeted networks.

A recent report from Arctic Wolf reveals that Akira and Fog ransomware groups have carried out at least 30 intrusions, each beginning with remote access via SonicWall VPN accounts.

Of these incidents, 75% are attributed to Akira, while the remainder involve Fog ransomware operations.

Notably, the two groups appear to share infrastructure, indicating an ongoing informal collaboration, as previously noted by Sophos.

Although researchers are not entirely certain that the vulnerability was exploited in every instance, all compromised endpoints were running an outdated, unpatched version susceptible to the flaw.

In most instances, the time from the initial breach to data encryption was brief, averaging around ten hours and, in some cases, as quick as 1.5 to 2 hours.

During many of these attacks, the attackers accessed endpoints via VPN or VPS, masking their real IP addresses.

Arctic Wolf reports that, beyond running unpatched systems, the compromised organizations often lacked multi-factor authentication on the affected SSL VPN accounts and operated their services on the default port 4433.

“In intrusions where firewall logs were available, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) was observed,” stated Arctic Wolf.

“Following these entries, several SSL VPN INFO log messages (event ID 1079) confirmed that login and IP assignment had been completed.”
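As an added illustration of the log correlation Arctic Wolf describes above (this is not code from Arctic Wolf or SonicWall), the following Python script pairs each "remote user login allowed" event (ID 238 or 1080) with the later event 1079 for the same user and source address, so a responder can list completed SSL VPN sessions for review. The key=value line layout, field names and message strings are assumed, constructed samples rather than a real SonicOS capture.

```python
import re

# Event IDs quoted in the Arctic Wolf report. The log line layout and field
# names used below are ASSUMED (SonicOS-style key=value syslog), not a capture.
LOGIN_ALLOWED = {"238": "WAN zone remote user login allowed",
                 "1080": "SSL VPN zone remote user login allowed"}
LOGIN_COMPLETE = "1079"  # "login and IP assignment completed"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value syslog line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_vpn_sessions(lines):
    """Pair 'login allowed' events with a later 1079 event for the same user and
    source IP. Returns the completed sessions, oldest first, for analyst review
    (check each against expected source ranges and MFA enrolment)."""
    pending, sessions = {}, []
    for line in lines:
        rec = parse_line(line)
        mid = rec.get("m")
        key = (rec.get("usr"), rec.get("src", "").split(":")[0])
        if mid in LOGIN_ALLOWED:
            pending[key] = {"user": key[0], "src_ip": key[1], "event": mid,
                            "allowed_at": rec.get("time")}
        elif mid == LOGIN_COMPLETE and key in pending:
            session = pending.pop(key)
            session["completed_at"] = rec.get("time")
            sessions.append(session)
    return sessions


# Constructed sample lines (documentation IP ranges, hypothetical users).
SAMPLE_LOG = """\
id=firewall sn=EXAMPLE time="2024-09-10 02:14:07" fw=192.0.2.1 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=203.0.113.5:51234:X1
id=firewall sn=EXAMPLE time="2024-09-10 02:14:09" fw=192.0.2.1 pri=6 m=1079 msg="SSL VPN: login and IP assignment completed" usr="jdoe" src=203.0.113.5:51234:X1
id=firewall sn=EXAMPLE time="2024-09-10 02:20:00" fw=192.0.2.1 pri=6 m=238 msg="WAN zone remote user login allowed" usr="svc-backup" src=198.51.100.7:40000:X1
id=firewall sn=EXAMPLE time="2024-09-10 02:21:30" fw=192.0.2.1 pri=6 m=1079 msg="SSL VPN: login and IP assignment completed" usr="svc-backup" src=198.51.100.7:40000:X1
id=firewall sn=EXAMPLE time="2024-09-10 02:25:00" fw=192.0.2.1 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" usr="asmith" src=192.0.2.99:1234:X1
"""

if __name__ == "__main__":
    for s in find_vpn_sessions(SAMPLE_LOG.splitlines()):
        print(f"{s['completed_at']}  user={s['user']}  src={s['src_ip']}  "
              f"via event {s['event']} ({LOGIN_ALLOWED[s['event']]})")
```

The third "login allowed" line in the sample has no matching 1079 event, so it is not reported as a completed session.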

In the later stages of these attacks, the attackers moved quickly to encrypt data, primarily targeting virtual machines and their backups.

The data stolen consisted of documents and proprietary software; the attackers generally ignored files older than six months, extending that window to 30 months for highly sensitive files.

Launched in May 2024, Fog ransomware is a growing operation whose affiliates typically leverage compromised VPN credentials for initial access.

As noted by BleepingComputer, Akira, a more established entity in the ransomware landscape, recently experienced issues with Tor website access; however, these sites are now gradually coming back online.

Cyberkitera is a premier cybersecurity publishing platform dedicated to providing the latest insights, expert security tips, and news across all areas of cybersecurity. Our mission is to empower individuals and businesses with knowledge to prevent cyber threats, stay informed about emerging trends, and safeguard their digital assets. From industry updates to practical advice on protecting against cyber attacks, Cyberkitera is your trusted source for staying ahead in the ever-evolving world of cybersecurity.
