Tuesday, May 6, 2025

Hackers Use Fog Ransomware To Attack SonicWall VPNs And Breach Corporate Networks


Recent cyberattacks by the Akira and Fog threat actors have targeted a range of industries by exploiting a vulnerability (CVE-2024-40766) in SonicWall SSL VPN devices; early in the kill chain, these attacks rely on malicious VPN logins from VPS-hosted IP addresses.

The rapid escalation from initial access to ransomware encryption, often within the same day, highlights the urgency of patching vulnerable systems.

Shared infrastructure across multiple intrusions suggests coordinated attacks.


To reduce the impact of these threats, it is essential to implement timely detection and prevention strategies, such as monitoring for suspicious VPN logins from shared IP addresses.


While the specific vulnerability CVE-2024-40766 hasn’t been definitively linked to these attacks, the affected SonicWall devices were vulnerable to it, which suggests that threat actors may be exploiting weaknesses in SonicWall devices to gain initial access. 

The investigations reveal a significant rise in ransomware attacks targeting SonicWall firewalls since August 2024.

These attacks, primarily utilizing Akira and Fog ransomware, exploit vulnerabilities in SSL VPNs to gain initial access. 

The rapid escalation of these attacks, with encryption occurring within hours, underscores the critical need for organizations to prioritize the security of their SonicWall firewalls and implement robust security measures to mitigate the risks associated with ransomware.

Initial access to victim environments was facilitated through compromised SonicWall SSL VPN accounts, often local to the devices and lacking MFA, which were exploited by threat actors who leveraged vulnerabilities like CVE-2024-40766 or brute-force attacks. 

Malicious logins frequently originated from VPS providers and were associated with ransomware groups like Akira. The deletion of firewall logs often marked successful intrusions to hinder investigation efforts.

The ransomware attacks have demonstrated a rapid escalation, with data encryption occurring within hours of initial access as threat actors have prioritized virtual machines and their backups for encryption. 

Exfiltration activities have targeted sensitive data, such as human resources and accounting documents, with up to 30 months of data being stolen, while less sensitive data, like general files and applications, has been exfiltrated for shorter periods.

Recent investigations conducted by Arctic Wolf have revealed an increase in ransomware attacks known as Fog and Akira that target environments that use SonicWall SSL VPN services. 

While definitive proof of exploitation of vulnerabilities like CVE-2024-40766 is lacking, compromised VPN credentials, possibly obtained through data breaches, are suspected.

The threat actors’ tactics have evolved, including rapid data exfiltration and expanding target sectors beyond education. 

Defenders should prioritize firmware updates, monitor VPN logins, maintain secure backups, and actively watch for post-compromise activity in order to reduce the likelihood of these attacks succeeding.
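The detection strategy the article recommends, written out as an added example (not code from the article or from Arctic Wolf): it scans a few constructed VPN log lines in an assumed key=value syslog style (not real SonicWall output) and flags local, MFA-less logins from VPS address space, one source IP reused across several accounts, and firewall log deletion.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, hypothetical key=value syslog
# style; they are NOT real SonicWall output and the field names are assumptions.
SAMPLE_LOGS = """\
time=2024-09-02T01:12:05Z msg="SSL VPN login" user=jdoe src=203.0.113.10 auth=local mfa=no
time=2024-09-02T01:13:40Z msg="SSL VPN login" user=svc-backup src=203.0.113.10 auth=local mfa=no
time=2024-09-02T01:15:02Z msg="SSL VPN login" user=asmith src=203.0.113.10 auth=ldap mfa=yes
time=2024-09-02T08:30:11Z msg="SSL VPN login" user=asmith src=198.51.100.7 auth=ldap mfa=yes
time=2024-09-02T01:20:59Z msg="Log cleared" user=admin src=203.0.113.10
"""

# Address prefixes the defender has classified as VPS/hosting providers
# (constructed for this example; a real deployment would use a curated list).
VPS_PREFIXES = ("203.0.113.",)

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def analyse(log_text, vps_prefixes=VPS_PREFIXES, shared_threshold=2):
    """Return (finding_type, subject, source_ip) tuples for the three indicators
    described in the article: local accounts without MFA logging in from VPS
    space, a single source IP used for several accounts, and log deletion."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    users_by_ip = defaultdict(set)
    findings = []
    for e in events:
        src = e.get("src", "")
        if e.get("msg") == "SSL VPN login":
            users_by_ip[src].add(e["user"])
            if (src.startswith(vps_prefixes) and e.get("auth") == "local"
                    and e.get("mfa") == "no"):
                findings.append(("vps_local_no_mfa", e["user"], src))
        elif e.get("msg") == "Log cleared":
            # Wiping firewall logs is described as a marker of a successful intrusion.
            findings.append(("log_deleted", e.get("user", "?"), src))
    # Shared infrastructure: the same source IP authenticating as multiple users.
    for src, users in users_by_ip.items():
        if len(users) >= shared_threshold:
            findings.append(("shared_ip", ",".join(sorted(users)), src))
    return findings
```

Feeding real exports into `analyse` requires adapting `parse` to the device's actual log format; the field names here are placeholders.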


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
