Ransomware Groups Exploiting SonicWall VPN Vulnerability for Network Breaches

 

Ransomware operators Akira and Fog are increasingly gaining unauthorized access to corporate networks by exploiting SonicWall VPN vulnerabilities. The attackers are believed to be targeting CVE-2024-40766, a critical flaw in SonicWall's SSL VPN access control, to breach networks and deploy ransomware.

SonicWall addressed this vulnerability in August 2024. However, within a week, reports indicated that it was already being actively exploited. According to Arctic Wolf security researchers, Akira ransomware affiliates have been observed using this flaw to establish an initial foothold in victim networks. In their latest findings, Arctic Wolf disclosed that at least 30 network intrusions involving Akira and Fog ransomware began with unauthorized VPN access through SonicWall accounts.

Of the incidents reported, Akira affiliates accounted for 75% of breaches, with the remainder linked to Fog ransomware. Notably, the two groups appear to use shared infrastructure, suggesting ongoing collaboration, a trend previously noted by cybersecurity firm Sophos.

Although researchers can't confirm the vulnerability was exploited in every case, all breached systems were running unpatched versions susceptible to the flaw. In most attacks, ransomware encryption followed initial access within about ten hours, with some cases taking as little as 1.5 to 2 hours. The attackers often connected through VPNs or VPSs to mask their IP addresses.

Arctic Wolf highlights that many targeted organizations had unpatched endpoints, lacked multi-factor authentication for their VPN accounts, and were running services on default port 4433. In cases where firewall logs were available, events indicating remote user logins (message IDs 238 or 1080) were observed, followed by SSL VPN logins and IP assignments.
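A triage sketch for the log pattern described above, added here as an example and not taken from Arctic Wolf or SonicWall: it pulls remote user login events (message IDs 238 and 1080) out of firewall logs and lists those whose source address falls outside the networks you expect. The key=value line layout, the field names `m`, `usr` and `src`, the `EXPECTED_NETS` allowlist and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Message IDs the article names for remote user logins.
REMOTE_LOGIN_IDS = {"238", "1080"}
# Assumption: networks your remote users normally connect from (documentation range).
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in an assumed key=value syslog layout.
SAMPLE_LOG = '''\
id=firewall time="2024-10-01 02:11:07" m=1080 msg="constructed: SSL VPN zone remote user login" usr="svc-backup" src=203.0.113.45:51514:X1
id=firewall time="2024-10-01 08:30:12" m=238 msg="constructed: remote user login" usr="alice" src=198.51.100.20:40022:X1
id=firewall time="2024-10-01 08:31:00" m=97 msg="constructed: unrelated event" src=192.0.2.9:443:X1
id=firewall time="2024-10-01 02:10:40" m=1080 msg="constructed: line with no source" usr="bob"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def source_ip(fields):
    """Return the address from 'ip:port:iface', or None if absent or unparsable."""
    raw = fields.get("src", "").split(":")[0]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None

def remote_logins(log_text):
    """Yield (time, user, ip, expected) for each remote user login event."""
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("m") not in REMOTE_LOGIN_IDS:
            continue
        ip = source_ip(fields)
        expected = ip is not None and any(ip in net for net in EXPECTED_NETS)
        yield fields.get("time"), fields.get("usr"), ip, expected

def unexpected_logins(log_text):
    """Remote logins whose source is missing or outside EXPECTED_NETS."""
    return [(t, u, str(ip) if ip else None)
            for t, u, ip, ok in remote_logins(log_text) if not ok]

if __name__ == "__main__":
    for when, user, ip in unexpected_logins(SAMPLE_LOG):
        print(f"review: {when} user={user} src={ip}")
```

Events with a missing or unparsable source are reported rather than dropped, so a malformed record cannot hide a login.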

The ransomware groups moved swiftly, targeting virtual machines and backups for encryption. Stolen data mainly included documents and proprietary software. Files older than six months were often disregarded, while more sensitive files up to 30 months old were still taken.

Fog ransomware, active since May 2024, typically uses compromised VPN credentials for initial network access. Meanwhile, the more established Akira ransomware has recently faced some downtime with its Tor site, though access has been gradually restored.

Japanese security researcher Yutaka Sejiyama reports approximately 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766. Sejiyama also suggested that the Black Basta ransomware group might be exploiting this flaw in recent attacks.