Fog and Akira Ransomware Operations Exploit SonicWall VPNs for Network Infiltration

October 27, 2024

Ransomware groups Fog and Akira are reportedly exploiting SonicWall VPNs to infiltrate corporate networks. The threat actors are believed to be leveraging a critical SSL VPN access control flaw, CVE-2024-40766. SonicWall patched this flaw in SonicOS in late August 2024, but within a week of the patch it was already under active exploitation. Arctic Wolf's security researchers have reported that Akira ransomware affiliates are using this flaw to gain initial access to victim networks.

A new Arctic Wolf report warns that Akira and Fog ransomware operations have conducted at least 30 intrusions, all of which began with remote access to a network via SonicWall VPN accounts. 75% of these cases have been attributed to Akira, with the rest linked to Fog ransomware operations. Interestingly, the two threat groups appear to share infrastructure, suggesting an ongoing unofficial collaboration.

While it's not confirmed that the flaw was exploited in every case, all breached endpoints were vulnerable to it, running an outdated, unpatched version of SonicOS. The time from intrusion to data encryption was typically short, sometimes as quick as 1.5-2 hours. In many instances, the threat actors accessed the endpoint via VPN/VPS, masking their real IP addresses.

Arctic Wolf points out that besides operating unpatched endpoints, compromised organizations often had not enabled multi-factor authentication on the compromised SSL VPN accounts and were running their services on the default port 4433. The threat actors engaged in rapid encryption attacks primarily targeting virtual machines and their backups. They stole data from breached systems, including documents and proprietary software, but did not bother with files older than six months, or 30 months for more sensitive files.

Fog ransomware, launched in May 2024, is an emerging operation whose affiliates tend to use compromised VPN credentials for initial access. Akira, a more established player in the ransomware arena, has recently faced issues with accessing its Tor website, but these are gradually being resolved.
