Fog Ransomware Targets SonicWall VPNs, Breaches Corporate Networks

Recent ransomware attacks, including Fog and Akira, have leveraged compromised SonicWall SSL VPN accounts for initial access. While the targeted industries vary, the attacks appear opportunistic.

The affected SonicWall devices were unpatched against CVE-2024-40766 (an improper access control flaw in SonicOS), although direct exploitation of the CVE could not be confirmed in every case. Keeping firmware current and forwarding firewall logs to an external collector are the key mitigations.

Akira and Fog ransomware attacks, particularly since August 2024, have targeted SonicWall firewall environments, exploiting vulnerabilities and compromising SSL VPNs to rapidly deploy ransomware payloads within hours.

The SonicWall devices were unpatched against CVE-2024-40766, and malicious login attempts originating from VPS provider address space were observed, indicating compromise attempts. Definitive evidence that the vulnerability itself was exploited, rather than valid credentials simply being used, was not found.

Akira affiliates logged into victim SonicWall VPNs from VPS IP addresses that overlapped with infrastructure seen in Fog intrusions. The source addresses were hosted in AS64236 (UnReal Servers, LLC) and AS32613 (Leaseweb Canada Inc.); the hosting providers themselves were not exploited, their servers were simply used as launch points.

Compromised SonicWall SSL VPN accounts lacked integration with centralized authentication and MFA, making them vulnerable to attacks exploiting local device credentials.

Threat actors authenticated to the SSL VPN service, exposed on its default port 4433, and successfully logged into victim networks. The logins appear in the firewall logs as event IDs 238 (WAN zone remote user login allowed) and 1080 (SSL VPN zone remote user login allowed). Post-intrusion, they prioritized deleting firewall logs to conceal their activity, which is why logs that exist only on the device are often gone by the time responders arrive.
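As an added example (not from the article or from Arctic Wolf), the following script shows what "external log monitoring" for this intrusion pattern looks like in practice: it parses SonicWall-style key=value syslog lines, keeps only event IDs 238 and 1080 (the two the article names), and flags any VPN login whose source address is either in a known VPS range or outside the ranges the organization expects remote users to come from. The sample log lines and all network ranges are constructed for illustration, and the field names (`m=`, `usr=`, `src=ip:port:interface`) are assumptions about the SonicOS syslog format that you should check against your own firmware's output.

```python
import ipaddress
import re

# Event IDs the article cites for successful SSL VPN logins.
SSL_VPN_LOGIN_EVENTS = {"238", "1080"}

# Constructed sample log lines in SonicWall's key=value syslog style.
# Field names are assumed; event IDs other than 238/1080 are filler.
SAMPLE_LOGS = [
    'id=firewall sn=XXXX time="2024-09-02 01:12:33" fw=203.0.113.10 pri=6 c=16 m=238 '
    'msg="WAN zone remote user login allowed" usr="jsmith" '
    'src=198.51.100.23:51344:X1 dst=203.0.113.10:4433:X1',
    'id=firewall sn=XXXX time="2024-09-02 01:12:34" fw=203.0.113.10 pri=6 c=16 m=1080 '
    'msg="SSL VPN zone remote user login allowed" usr="jsmith" '
    'src=198.51.100.23:51344:X1 dst=203.0.113.10:4433:X1',
    'id=firewall sn=XXXX time="2024-09-02 09:05:10" fw=203.0.113.10 pri=6 c=16 m=1080 '
    'msg="SSL VPN zone remote user login allowed" usr="mlee" '
    'src=192.0.2.77:40120:X1 dst=203.0.113.10:4433:X1',
    'id=firewall sn=XXXX time="2024-09-02 09:06:00" fw=203.0.113.10 pri=6 c=1024 m=97 '
    'msg="Connection opened" usr="mlee" src=10.0.0.5:52000:X0 dst=203.0.113.99:443:X1',
]

# Constructed ranges. In a real deployment ALLOWED_NETS holds branch-office
# and known-employee egress ranges, and VPS_NETS holds prefixes you build
# from the ASNs you consider hostile (e.g. the ones named in the article).
ALLOWED_NETS = ["192.0.2.0/24"]
VPS_NETS = ["198.51.100.0/24"]

# key=value pairs; values may be bare tokens or double-quoted strings
# containing spaces (msg="..." and time="...").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one SonicWall-style syslog line into a dict of fields."""
    evt = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        evt[key] = raw
    return evt


def src_ip(evt):
    """src= is written as ip:port:interface; keep only the address."""
    return evt.get("src", "").split(":")[0]


def find_suspicious_vpn_logins(lines, allowed_nets, vps_nets):
    """Return (time, user, ip, reason) for each SSL VPN login worth a look."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    vps = [ipaddress.ip_network(n) for n in vps_nets]
    hits = []
    for line in lines:
        evt = parse_line(line)
        if evt.get("m") not in SSL_VPN_LOGIN_EVENTS:
            continue
        ip_text = src_ip(evt)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            hits.append((evt.get("time"), evt.get("usr"), ip_text, "unparseable source"))
            continue
        if any(ip in net for net in vps):
            reason = "source in known VPS range"
        elif not any(ip in net for net in allowed):
            reason = "source outside allowed ranges"
        else:
            continue  # expected remote user, nothing to report
        hits.append((evt.get("time"), evt.get("usr"), ip_text, reason))
    return hits


def logins_by_user(hits):
    """Collapse flagged events into user -> sorted list of source IPs."""
    by_user = {}
    for _time, user, ip, _reason in hits:
        by_user.setdefault(user, set()).add(ip)
    return {u: sorted(ips) for u, ips in by_user.items()}


if __name__ == "__main__":
    flagged = find_suspicious_vpn_logins(SAMPLE_LOGS, ALLOWED_NETS, VPS_NETS)
    for when, user, ip, reason in flagged:
        print(f"{when}  user={user}  src={ip}  {reason}")
    print(logins_by_user(flagged))
```

Run it against a syslog export rather than the device's own log buffer: the article's point is that the attackers clear the on-box logs after login, so this kind of check only works on copies that were already shipped off the firewall. Whether a flagged login is hostile still needs the analyst's judgement, but a successful SSL VPN login for a local (non-directory) account from a VPS range is exactly the signal described here.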

The Fog intrusions moved to encryption quickly: in some incidents only a few hours separated initial VPN access from encryption. Threat actors prioritized virtual machines and their backups as encryption targets.

Ransomware affiliates prioritized exfiltration of sensitive data such as HR and accounts payable documents, going back as far as 30 months for those files, while limiting less sensitive data to roughly the most recent six months.

SonicWall SSL VPN environments were compromised by Fog and Akira affiliates, either by exploiting CVE-2024-40766 or by using stolen credentials; because the attackers deleted logs and the devices were not forwarding them, the initial access vector could not always be established. The gap in visibility is itself an argument for prioritizing vulnerability remediation over waiting for proof of exploitation.

According to Arctic Wolf, the Fog and Akira ransomware attacks demonstrate increased sophistication and aggressiveness, targeting diverse sectors, rapidly compromising SSL VPNs, encrypting VM storage, and exfiltrating sensitive data to maximize ransom potential, leaving limited response time for defenders.

As ransomware threats continue to evolve, it is important to ensure that network devices are kept up to date, that VPN logins are monitored, that off-site backups are protected, and that endpoints are scanned for suspicious activity.

Kaaviya, Cyber Press (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents across the industry.
