Fog and Akira ransomware operators are increasingly breaching corporate networks by exploiting vulnerabilities in SonicWall VPN accounts. These attacks primarily target a critical SSL VPN access control flaw known as CVE-2024-40766. Despite SonicWall issuing a fix for this vulnerability in late August 2024, threat actors were reported to be actively exploiting it within a week of the patch’s release. A recent report from Arctic Wolf has revealed that at least 30 intrusions linked to these two ransomware groups have occurred, with 75% of the incidents attributed to Akira and the remaining 25% to Fog. The report highlights a concerning trend of collaboration between these threat actors, who appear to share infrastructure to enhance their attack capabilities.
Arctic Wolf’s findings indicate that the compromised organizations generally failed to implement multi-factor authentication on their SonicWall SSL VPN accounts, leaving them vulnerable to attacks. Additionally, many of the breached systems were running older, unpatched software versions that were susceptible to the identified flaw. In most cases, the time from initial intrusion to data encryption was alarmingly short, averaging around ten hours, with some attacks executing encryption in as little as 1.5 to 2 hours. This rapid timeline underscores the urgency for organizations to strengthen their security postures against such vulnerabilities.
The intrusion process often began with threat actors gaining remote access to the networks via compromised VPN credentials, effectively masking their true IP addresses. Arctic Wolf noted that in instances where firewall logs were collected, specific event IDs indicated successful remote user logins, followed by SSL VPN connection confirmations. Following these logins, the attackers engaged in swift encryption processes that primarily targeted virtual machines and their backups. In addition to data encryption, the threat actors exfiltrated sensitive documents and proprietary software, typically avoiding files that were older than six months.
Launched in May 2024, Fog ransomware has emerged as a significant player in the ransomware landscape, primarily relying on compromised VPN credentials for initial access. Meanwhile, Akira, a more established ransomware group, has faced recent challenges with its Tor website access, but those issues appear to be stabilizing. In a concerning update, researcher Yutaka Sejiyama revealed that approximately 168,000 SonicWall endpoints are currently exposed to CVE-2024-40766, further highlighting the urgent need for organizations to patch their systems and implement stronger security measures to protect against these ongoing ransomware threats.
