Analysis Summary

Operators of the Fog and Akira ransomware are increasingly using SonicWall VPN accounts to infiltrate business networks; it is thought that the threat actors are taking advantage of a critical SSL VPN access control issue tracked as CVE-2024-40766.

After patching the SonicOS vulnerability in late August 2024, SonicWall issued a warning about active exploitation around a week later. Cybersecurity experts also noted that affiliates of the Akira ransomware were using the vulnerability to obtain initial access to victim networks. According to a recent report, at least 30 attacks have been carried out by Akira and the Fog ransomware operation, all of which began with remote network access via SonicWall VPN connections.

Akira is responsible for 75% of these occurrences, whereas Fog ransomware operations are behind other cases. It is interesting to note that the two gangs seem to share infrastructure, indicating that their unofficial cooperation is still ongoing. All of the compromised endpoints were susceptible to the vulnerability, running an earlier, unpatched version, though the researchers are not confident it was utilized in every instance.

The average time from penetration to data encryption was only 10 hours, and on the fastest occasions, it might be as brief as 1.5 to 2 hours. The threat actors obscured their true IP addresses in many of these attacks by using VPN/VPS to access the endpoint. In addition to using unpatched endpoints, researchers observed that compromised firms did not seem to have activated multi-factor authentication on the compromised SSL VPN accounts or ran their services on port 4433 by default.

Message event IDs 238 (WAN zone remote user login authorized) and 1080 (SSL VPN zone remote user login allowed) were noted in incursions where firewall logs were obtained. One of these messages was followed by many SSL VPN INFO log messages (event ID 1079) confirming the successful completion of the IP assignment and log in.

The threat actors launched swift encryption attacks in the following phases, mostly focusing on virtual machines and their backups. Documents and proprietary software were among the data stolen from compromised computers, but threat actors ignored anything older than six months or, in the case of highly sensitive materials, thirty months.

The Fog ransomware, which was first released in May 2024, is a rapidly expanding group, and its affiliates frequently gain initial access by using hacked VPN credentials. Akira, a far more well-known ransomware player, has recently experienced issues with accessing its Tor website, although they are now progressively going back up.

Impact

• Unauthorized Access
• Data Encryption
• Information Theft
• Financial Loss

Indicators of Compromise

SHA1

• 86233a285363c2a6863bf642deab7e20f062b8eb
• 67396e1aacacb6efbca51f4c03d2017af78c9842
• 806a232379ad0af437d4bc5b87fb42065dbf82d4
• e6b34a589e61b155ab70f11f8f7393316c9a3189
• 1d345799307c9436698245e7383914b3a187f1ec
• 99ed6135defff6e675d626f742389d6280abdb60

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
• Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
• Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
• Ensure timely patching and updating of all software and systems to close known security gaps.
• Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
• Segment networks to limit lateral movement within the organization in case of a breach.
• Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
• Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
• Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
• Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
• Implement encryption for sensitive data at rest and in transit to protect against data theft.
• Limit access to critical systems and data to only those individuals who require it for their role.
• Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
• Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
• Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.