Fog ransomware targets SonicWall VPNs to breach corporate networks

Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.

SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.

At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.

In most cases, the time from intrusion to data encryption was short, at about ten hours, even reaching 1.5-2 hours on the quickest occasions.

In many of these attacks, the threat actors accessed the endpoint via VPN/VPS, obfuscating their real IP addresses.

Arctic Wolf notes that apart from operating unpatched endpoints, compromised organizations did not appear to have enabled multi-factor authentication on the compromised SSL VPN accounts and run their services on the default port 4433. Read the full story.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.