Hackers Use Fog Ransomware To Attack SonicWall VPNs And Breach Corporate Networks

Recent cyberattacks involving Akira and Fog threat actors have targeted various industries, exploiting a vulnerability (CVE-2024-40766) in SonicWall SSL VPN devices, where these attacks, initiated early in the kill chain, leverage malicious VPN logins from VPS-hosted IP addresses. 

The rapid escalation from initial access to ransomware encryption, often within the same day, highlights the urgency of patching vulnerable systems.

Shared infrastructure across multiple intrusions suggests coordinated attacks.

- Advertisement -

To reduce the impact of these threats, it is essential to implement timely detection and prevention strategies, such as monitoring for suspicious VPN logins from shared IP addresses.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

While the specific vulnerability CVE-2024-40766 hasn’t been definitively linked to these attacks, the affected SonicWall devices were vulnerable to it, which suggests that threat actors may be exploiting weaknesses in SonicWall devices to gain initial access. 

The investigations reveal a significant rise in ransomware attacks targeting SonicWall firewalls since August 2024.

These attacks, primarily utilizing Akira and Fog ransomware, exploit vulnerabilities in SSL VPNs to gain initial access. 

The rapid escalation of these attacks, with encryption occurring within hours, underscores the critical need for organizations to prioritize the security of their SonicWall firewalls and implement robust security measures to mitigate the risks associated with ransomware.

Initial access to victim environments was facilitated through compromised SonicWall SSL VPN accounts, often local to the devices and lacking MFA, which were exploited by threat actors who leveraged vulnerabilities like CVE-2024-40766 or brute-force attacks. 

Malicious logins frequently originated from VPS providers and were associated with ransomware groups like Akira. The deletion of firewall logs often marked successful intrusions to hinder investigation efforts.

The ransomware attacks have demonstrated a rapid escalation, with data encryption occurring within hours of initial access as threat actors have prioritized virtual machines and their backups for encryption. 

Exfiltration activities have targeted sensitive data, such as human resources and accounting documents, with up to 30 months of data being stolen, while less sensitive data, like general files and applications, has been exfiltrated for shorter periods.

Recent investigations conducted by Arctic Wolf have revealed an increase in ransomware attacks known as Fog and Akira that target environments that use SonicWall SSL VPN services. 

While definitive proof of exploitation of vulnerabilities like CVE-2024-40766 is lacking, compromised VPN credentials, possibly obtained through data breaches, are suspected.

The threat actors’ tactics have evolved, including rapid data exfiltration and expanding target sectors beyond education. 

Defenders are required to prioritize firmware updates, monitor VPN logins, maintain secure backups, and actively monitor for post-compromise activities in order to reduce the likelihood of these risks occurring.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!