Fog and Akira Ransomware Targets Corporate Networks via SonicWall VPNs Flaws

• Fog and Akira ransomware gangs compromise corporate networks via SonicWall VPN account flaws exploits.
• From at least 30 intrusions linked to this vulnerability, three-quarters are attributed to these two ransomware groups.
• SonicWall addressed it with a fix in August 2024, but the SSL VPN access control flaw is still abused.

Fog and Akira ransomware operators have exploited vulnerabilities in SonicWall VPN accounts to breach corporate networks. This critical issue centers around CVE-2024-40766, an SSL VPN access control flaw. 

SonicWall addressed it with a fix in August 2024, but within just a week of the patch, active exploitation was detected.

Security firm Arctic Wolf has reported at least 30 intrusions linked to this vulnerability, with 75% attributed to Akira and the remainder to Fog ransomware. These threat actors are believed to share infrastructure, highlighting a continued unofficial collaboration previously noted by cybersecurity company Sophos.

The rapidity of these breaches is particularly alarming, with data encryption occurring within 10 hours of intrusion—sometimes even faster. The attackers have been accessing networks through VPN/VPS, effectively concealing their true IP addresses.

One concerning aspect of these breaches is that many affected organizations had not enabled multi-factor authentication on their SSL VPN accounts. Furthermore, they were operating unpatched endpoints and running services on the default port 4433, which significantly heightened their vulnerability.

Arctic Wolf's analysis reveals key indicators of these intrusions, such as message event IDs 238 and 1080, which signify remote user login allowances, followed by SSL VPN INFO log messages confirming login success.

Post-intrusion activities include rapid encryption, primarily targeting virtual machines and their backups. Data theft focused on documents and proprietary software, largely ignoring files older than six months or more than 30 months for sensitive data.

Fog ransomware, launched in May 2024, is increasingly using compromised VPN credentials for initial access. Meanwhile, Akira continues to be a formidable force in the ransomware landscape despite recent Tor site accessibility issues, which are now being resolved.

Organizations are urged to prioritize patch management and implement robust security measures, including multi-factor authentication, to safeguard against such sophisticated ransomware threats.

This month, reports said Akira and Fog ransomware attacks are actively exploiting a critical security vulnerability in Veeam Backup & Replication (VBR) servers, enabling remote code execution (RCE). This vulnerability, identified as CVE-2024-40711, poses a significant threat to organizations utilizing Veeam's data protection solutions.

Akira Ransomware targeted over 250 businesses and critical infrastructure entities in North America, Europe, and Australia. Fog Ransomware has been heavily targeting higher educational institutions in the US by exploiting compromised VPNs.