Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN
Oct. 24, 2024, 8:22 p.m.
Description
Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial access involved VPN logins from VPS hosting IPs, with rapid progression to data encryption and exfiltration, often within hours. Shared infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious VPN logins, maintain secure offsite backups, and watch for post-compromise activities on endpoints.
Tags
Date
- Created: Oct. 24, 2024, 6:23 p.m.
- Published: Oct. 24, 2024, 6:23 p.m.
- Modified: Oct. 24, 2024, 8:22 p.m.
Linked vulnerabilities
Indicators
- dbde2858580ec4f3484e91a42483cccdee2d243a5bb66a190f7363b129c02751
- d7e11b178fcc3d1ee7f6ad3dce6da2ea043de64d521cf3578fb09031cbdb0ae2
- bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
- b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb
- 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8
- 746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
- 64c154ab8d7962fc7beeb2eb8b3893bbfb0badefc96eaafcfd0a9adc17720bff
- 47204338f0e092057024c9186f228c02417e917777f3e841d52b58251a956a74
- 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
- 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
- 1c73160acc17f8c2b996b91e3f34578b7964223bb3ac76fbc586af2d550f070c
- 18b967bd7a44f60521dd123dea0daf278572089b558b2e5632a6c06d9aad4529
- 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
- a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
- 66.181.33.32
- 45.11.59.16
Attack Patterns
- FoggyWeb - S0661
- Akira
- T1021.002
- T1567.002
- T1078.002
- T1021.001
- T1048
- T1048.003
- T1490
- T1482
- T1560.001
- T1059.003
- T1567
- T1555
- T1021
- T1486
- T1570
- T1046
- T1219
- T1560
- T1133
- T1078
- T1003
- T1059
- CVE-2024-40766