Recent intrusions by the Akira and Fog ransomware actors have hit organizations across multiple industries through SonicWall SSL VPN devices running firmware in the range affected by CVE-2024-40766, with malicious VPN logins from VPS-hosted IP addresses appearing early in the attack chain.
The quick shift from initial access to ransomware encryption, often within a day, leaves defenders little time to react and underscores the need to patch exposed VPN appliances promptly.
Shared infrastructure across the intrusions, including source IP addresses reused between victims, suggests a common operator or shared tooling.
To reduce this threat, timely detection and prevention are vital, including monitoring for VPN logins from VPS-hosted or otherwise shared IP addresses, which are rarely legitimate sources for remote workers.
CVE-2024-40766 has not been directly linked to these attacks, but the affected SonicWall devices were running firmware vulnerable to it, so exploitation of that weakness for initial access cannot be ruled out.
Investigations show a significant increase in ransomware attacks targeting SonicWall firewalls since August 2024.
These attacks mainly deploy Akira and Fog ransomware, using the SSL VPN service as the entry point.
With encryption happening within hours of access, organizations that expose SonicWall SSL VPN should treat securing those firewalls as an urgent priority and adopt the controls described below to reduce ransomware risk.
Initial access to victim environments came through compromised SonicWall SSL VPN accounts, often local to the device rather than directory-backed, and lacking MFA. Whether the attackers exploited CVE-2024-40766, brute-forced the accounts, or reused credentials from earlier breaches has not been confirmed.
Malicious logins typically originated from VPS providers, and some of the source addresses had been linked to earlier Akira intrusions. Successful intrusions often ended with the attackers deleting firewall logs to obstruct investigation.
The attacks escalated rapidly, with data encryption occurring within hours of access; attackers prioritized virtual machines and their backups for encryption.
Exfiltration targeted sensitive data such as HR and accounting documents, with up to 30 months of such data stolen; less sensitive data was exfiltrated over shorter periods.
Arctic Wolf's investigations reveal an increase in ransomware attacks, specifically Fog and Akira, targeting SonicWall SSL VPN services.
There is no solid proof that vulnerabilities like CVE-2024-40766 were exploited; compromised VPN credentials obtained from data breaches are the suspected cause.
Attackers have evolved their tactics, focusing on rapid data exfiltration and expanding their targeting beyond the education sector.
Recommendations
Update Firmware:
Regularly update the firmware on all network devices; for SonicWall firewalls, apply the vendor's fixed firmware for CVE-2024-40766 so that the SSL VPN service is no longer within the affected range.
Monitor VPN Logins:
Watch VPN logins for suspicious activity, such as logins from VPS or hosting providers, unfamiliar locations, or one source address used by several accounts, and enforce MFA on every VPN account, including local device accounts.
Keep Secure Backups:
Regularly back up important data to offline or offsite locations that an attacker with VPN access cannot reach, since these intrusions targeted virtual machines and their backups for encryption.
Watch for Post-Compromise Activity:
After an intrusion, monitor for signs of continued compromise, such as cleared firewall logs, unexpected configuration changes, or unusual access to data.
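The detection the article calls for (VPN logins from VPS-hosted addresses, one VPS address reused by several accounts, and a log-clear event shortly after such a login) can be expressed as a short log-triage pass. The following is an added example, not code from Arctic Wolf or SonicWall: the log lines are constructed in a SonicWall-like key=value syslog style, and the VPS prefixes are hypothetical placeholders (RFC 5737 documentation ranges) standing in for the hosting-provider CIDRs you would load from your own threat-intelligence feed.

```python
"""Triage SSL VPN login events for the patterns seen in the Akira/Fog intrusions.

Added example; not Arctic Wolf's or SonicWall's code. VPS_RANGES and SAMPLE_LOGS
are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical VPS/hosting prefixes. Replace with real hosting-provider CIDRs.
VPS_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample log lines in a key=value syslog style; not real device output.
SAMPLE_LOGS = """\
time="2024-10-01 02:14:07" msg="SSL VPN login successful" usr="jsmith" src=192.0.2.44 dst=10.0.0.1
time="2024-10-01 02:15:31" msg="SSL VPN login successful" usr="backupadmin" src=203.0.113.77 dst=10.0.0.1
time="2024-10-01 02:16:02" msg="SSL VPN login successful" usr="svc-scan" src=203.0.113.77 dst=10.0.0.1
time="2024-10-01 02:40:55" msg="SSL VPN login successful" usr="jsmith" src=192.0.2.44 dst=10.0.0.1
time="2024-10-01 05:02:10" msg="Log cleared" usr="backupadmin" src=10.0.0.50 dst=10.0.0.1
"""

# key=value pairs; values may be double-quoted (with backslash escapes) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict, unquoting values and adding a datetime."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if "time" in fields:
        fields["ts"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    if "src" in fields:
        fields["src"] = fields["src"].split(":")[0]  # drop a :port suffix if present
    return fields


def is_vps(ip):
    """True when the address falls inside one of the configured hosting prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def analyze(log_text, window=timedelta(hours=24)):
    """Return VPS-sourced logins, VPS addresses shared by several accounts, and
    log-clear events within `window` after the first VPS-sourced login."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    vps_logins = []
    users_by_src = defaultdict(list)
    for ev in events:
        if ev.get("msg") == "SSL VPN login successful" and is_vps(ev["src"]):
            vps_logins.append(ev)
            if ev["usr"] not in users_by_src[ev["src"]]:
                users_by_src[ev["src"]].append(ev["usr"])
    # One VPS address authenticating as several accounts is the "shared
    # infrastructure" pattern; a legitimate remote worker uses one identity.
    shared = {src: users for src, users in users_by_src.items() if len(users) > 1}
    first_bad = vps_logins[0]["ts"] if vps_logins else None
    clears = [
        ev for ev in events
        if ev.get("msg") == "Log cleared"
        and first_bad is not None
        and first_bad <= ev["ts"] <= first_bad + window
    ]
    return {
        "vps_logins": vps_logins,
        "shared_vps_sources": shared,
        "log_clears_after_suspicious": clears,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    for ev in report["vps_logins"]:
        print(f"[VPS login] {ev['time']} user={ev['usr']} src={ev['src']}")
    for src, users in report["shared_vps_sources"].items():
        print(f"[shared source] {src} used by {', '.join(users)}")
    for ev in report["log_clears_after_suspicious"]:
        print(f"[log cleared after VPS login] {ev['time']} by {ev['usr']}")
```

In practice the same pass would be fed from the firewall's syslog export rather than an inline string, with the VPS list populated from hosting ASN data, and the alert for a log-clear event should fire regardless of the window, since on a device that forwards syslog the forwarded copy survives the local deletion.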