
Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Oct. 24, 2024, 8:22 p.m.

Description

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial access involved VPN logins from VPS hosting IPs, with rapid progression to data encryption and exfiltration, often within hours. Shared infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious VPN logins, maintain secure offsite backups, and watch for post-compromise activities on endpoints.

Date

Published: Oct. 24, 2024, 6:23 p.m.

Created: Oct. 24, 2024, 6:23 p.m.

Modified: Oct. 24, 2024, 8:22 p.m.

Indicators


Attack Patterns

FoggyWeb - S0661

Akira

T1021.002

T1567.002

T1078.002

T1021.001

T1048

T1048.003

T1490

T1482

T1560.001

T1059.003

T1567

T1555

T1021

T1486

T1570

T1046

T1219

T1560

T1133

T1078

T1003

T1059

CVE-2024-40766