Escalating Threat: Akira and Fog Ransomware Exploiting SonicWall VPN Flaw to Breach Corporate Networks
Corporate networks are facing increased ransomware risks from Akira and Fog operators, who have been exploiting SonicWall VPN accounts through CVE-2024-40766, a critical SSL VPN access control flaw. This vulnerability has opened the door for unauthorized access, significantly impacting organizations that have yet to apply the latest security patch.
The SonicWall Vulnerability: Fast-Tracked Exploitation
SonicWall patched the CVE-2024-40766 vulnerability in August 2024. Within a week of the patch release, SonicWall warned of active exploitation, highlighting the quick response by threat actors to leverage this flaw. Research from Arctic Wolf indicates that Akira ransomware affiliates wasted no time in using the vulnerability to gain initial access to target networks.
30 Documented Attacks and Growing Collaboration Between Akira and Fog
According to Arctic Wolf, Akira and Fog ransomware groups have carried out at least 30 network intrusions using this vulnerability, with 75% attributed to Akira and the remaining attacks linked to Fog ransomware. These attacks were facilitated by compromised SonicWall VPN credentials, which provided the initial entry point. Evidence suggests that both groups are sharing infrastructure, continuing a collaboration first documented by Sophos.
While not all breaches definitively exploited this specific flaw, Arctic Wolf confirms that each compromised endpoint was unpatched and vulnerable to CVE-2024-40766.
Swift Attack Timeline and IP Masking
The speed of these attacks has been alarming. In most cases, attackers moved from initial access to data encryption within 10 hours, with some instances completed in just 1.5 to 2 hours. Attackers often used VPN or VPS services to obscure their IP addresses, making it difficult for defenders to trace the origin of the intrusion.
Arctic Wolf notes two primary weaknesses that made these attacks possible:
- Outdated SonicWall VPN software, left unpatched.
- Lack of multi-factor authentication (MFA) on SSL VPN accounts, combined with the use of the default port (4433).
Key Indicators in Attack Logs
In cases where firewall logs were available, specific event IDs pointed to the threat actors’ activity:
- Event ID 238 (WAN zone remote user login allowed).
- Event ID 1080 (SSL VPN zone remote user login allowed).
Following these, SSL VPN INFO logs (event ID 1079) indicated that login and IP assignments had successfully completed, enabling the attackers to proceed to further stages of the attack.
Data Theft and Encryption Patterns
The ransomware operators exhibited a targeted approach, focusing primarily on encrypting virtual machines and backup systems. Their data theft tactics centered on files with high immediate value: general files younger than six months, and sensitive files up to 30 months old. This selective approach allowed them to reduce encryption time while maximizing the impact on recent, relevant data.
Fog Ransomware’s Rise Since Launch
Launched in May 2024, Fog ransomware has swiftly gained traction. Its affiliates mirror the tactics used by Akira, frequently using compromised VPN credentials as a primary access point. This trend underscores the risks posed by unprotected VPN endpoints, especially in the face of coordinated ransomware groups.
Mitigation and Prevention Steps
Organizations should prioritize applying the latest patches for VPN vulnerabilities and configuring strong security practices, such as enabling multi-factor authentication. These preventative steps are increasingly critical as sophisticated ransomware operations like Akira and Fog expand their reach, leveraging even minor security gaps for substantial impact on vulnerable networks.
Source:bleepingcomputer.com
No comments:
Post a Comment