Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Oct. 24, 2024, 8:22 p.m.

Description

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial access involved VPN logins from VPS hosting IPs, with rapid progression to data encryption and exfiltration, often within hours. Shared infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious VPN logins, maintain secure offsite backups, and watch for post-compromise activities on endpoints.

External References

https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/
https://otx.alienvault.com/pulse/671a90af1a2cfe22b737b2cf
Tags
ransomware
vpn
data exfiltration
akira
CVE-2024-40766
2024-10-24
sonicwall
initial access
fog

Date

  • Created: Oct. 24, 2024, 6:23 p.m.
  • Published: Oct. 24, 2024, 6:23 p.m.
  • Modified: Oct. 24, 2024, 8:22 p.m.

Linked vulnerabilities

CVE-2024-40766

9.8
    Sonicwall
  • Sonicos
  • Soho
  • Nssp 12400
  • Nssp 12800
  • Sm9800
  • Nsa 2650
  • Nsa 3600
  • Nsa 3650
  • Nsa 4600
  • Nsa 4650
  • Nsa 5600
  • Nsa 5650
  • Nsa 6600
  • Nsa 6650
  • Sm 9200
  • Sm 9250
  • Sm 9400
  • Sm 9450
  • Sm 9600
  • Sm 9650
  • Soho 250
  • Soho 250w
  • Sohow
  • Tz 300
  • Tz 300p
  • Tz 300w
  • Tz 350
  • Tz 350w
  • Tz 400
  • Tz 400w
  • Tz 500
  • Tz 500w
  • Tz 600
  • Tz 600p
  • Nsa 2700
  • Nsa 3700
  • Nsa 4700
  • Nsa 5700
  • Nsa 6700
  • Nssp 10700
  • Nssp 11700
  • Nssp 13700
  • Tz270
  • Tz270w
  • Tz370
  • Tz370w
  • Tz470
  • Tz470w
  • Tz570
  • Tz570p
  • Tz570w
  • Tz670
Published: August 23, 2024

Indicators

  • dbde2858580ec4f3484e91a42483cccdee2d243a5bb66a190f7363b129c02751
  • d7e11b178fcc3d1ee7f6ad3dce6da2ea043de64d521cf3578fb09031cbdb0ae2
  • bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
  • b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb
  • 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8
  • 746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
  • 64c154ab8d7962fc7beeb2eb8b3893bbfb0badefc96eaafcfd0a9adc17720bff
  • 47204338f0e092057024c9186f228c02417e917777f3e841d52b58251a956a74
  • 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
  • 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
  • 1c73160acc17f8c2b996b91e3f34578b7964223bb3ac76fbc586af2d550f070c
  • 18b967bd7a44f60521dd123dea0daf278572089b558b2e5632a6c06d9aad4529
  • 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
  • a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
  • 66.181.33.32
  • 45.11.59.16
Download all indicators here!

Attack Patterns

  • FoggyWeb - S0661
  • Akira
  • T1021.002
  • T1567.002
  • T1078.002
  • T1021.001
  • T1048
  • T1048.003
  • T1490
  • T1482
  • T1560.001
  • T1059.003
  • T1567
  • T1555
  • T1021
  • T1486
  • T1570
  • T1046
  • T1219
  • T1560
  • T1133
  • T1078
  • T1003
  • T1059
  • CVE-2024-40766