October 27, 2024 at 05:47PM
Fog and Akira ransomware operators are exploiting a critical vulnerability in SonicWall VPN accounts, leading to at least 30 network intrusions. Most cases involve Akira, with shared infrastructure indicating collaboration. Organizations lacked multi-factor authentication and used unpatched versions of SonicOS, resulting in rapid data encryption and theft following initial access.
### Meeting Takeaways:
1. **Ransomware Threats**: Fog and Akira ransomware operators are increasingly targeting corporate networks through vulnerabilities in SonicWall VPN accounts, specifically exploiting CVE-2024-40766, a critical SSL VPN access control flaw.
2. **Response and Exploitation**: SonicWall addressed the vulnerability in late August 2024, but active exploitation was reported within a week. Arctic Wolf researchers observed that Akira ransomware affiliates are using this flaw for initial network access.
3. **Incident Overview**: Arctic Wolf’s report indicates that at least 30 intrusions have occurred, primarily linked to Akira (75% of cases) with the remainder attributed to Fog. The two groups seem to share infrastructure, suggesting ongoing collaboration.
4. **Vulnerability Status**: Although researchers cannot confirm that the flaw was exploited in every case, breached endpoint systems were confirmed to be running unpatched versions vulnerable to the exploit.
5. **Rapid Attack Timeline**: The time from network intrusion to data encryption is alarmingly short, averaging ten hours, and in some cases, as quick as 1.5-2 hours.
6. **Access Methods**: Many attacks involved VPN/VPS access, allowing threat actors to conceal their IP addresses. Compromised organizations often lacked multi-factor authentication on their SSL VPN accounts and used the default service port (4433).
7. **Log Analysis**: In incidents where firewall logs were obtained, specific event IDs were frequently noted (238 and 1080 for allowed logins, with additional INFO log messages indicating successful login and IP assignment).
8. **Encryption and Data Theft**: The attackers targeted virtual machines and backups for rapid encryption. Stolen data included documents and proprietary software, while files older than six months (30 months for sensitive files) were largely disregarded.
9. **Fog Ransomware Overview**: Launched in May 2024, Fog ransomware operates similarly by using compromised VPN credentials for access.
10. **Akira Ransomware Status**: Despite recent issues with its Tor website, Akira is recovering its online presence and remains a significant player in the ransomware landscape.
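As an added illustration of the log-analysis point in item 7 (example code, not from the report or from Arctic Wolf), the script below scans SonicWall-style key=value syslog lines for the allowed-login event IDs 238 and 1080 and flags logins from source addresses outside a known set. The log layout, the field names (`m`, `usr`, `src`) and the sample lines are assumptions constructed for this example.

```python
import re

# Event IDs the report associates with allowed SSL VPN logins.
ALLOWED_LOGIN_EVENT_IDS = {"238", "1080"}

# Constructed sample lines in an assumed SonicWall-style key=value syslog layout
# (not taken from the report or from a real device).
SAMPLE_LOGS = [
    'time="2024-10-01 02:11:05" fw=198.51.100.1 pri=6 m=238 '
    'msg="WAN zone remote user login allowed" usr="jdoe" src=203.0.113.7:51234',
    'time="2024-10-01 02:11:06" fw=198.51.100.1 pri=6 m=97 '
    'msg="Web site access" usr="jdoe" src=203.0.113.7:51235',
    'time="2024-10-01 03:40:52" fw=198.51.100.1 pri=6 m=1080 '
    'msg="SSL VPN zone remote user login allowed" usr="jdoe" src=192.0.2.45:44010',
]

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one syslog line into a dict of fields, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def ssl_vpn_logins(lines, expected_sources):
    """Return allowed-login events, marking those whose source IP is not in expected_sources."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("m") not in ALLOWED_LOGIN_EVENT_IDS:
            continue  # not an allowed-login event
        src_ip = fields.get("src", "").split(":")[0]  # drop the source port
        findings.append({
            "time": fields.get("time"),
            "event": fields["m"],
            "user": fields.get("usr"),
            "src": src_ip,
            "unexpected_source": src_ip not in expected_sources,
        })
    return findings


def users_with_unexpected_sources(findings):
    """Accounts that logged in from at least one source outside the expected set."""
    return {f["user"] for f in findings if f["unexpected_source"]}


if __name__ == "__main__":
    results = ssl_vpn_logins(SAMPLE_LOGS, expected_sources={"203.0.113.7"})
    for r in results:
        print(r)
    print("review accounts:", users_with_unexpected_sources(results))
```

Feed the function real firewall exports and a list of known corporate egress addresses to get a short list of SSL VPN accounts worth reviewing.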