Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Oct. 24, 2024, 8:22 p.m.

Description

Since early August 2024 there has been a marked increase in Fog and Akira ransomware intrusions whose entry point was a SonicWall SSL VPN, spread across many industries. The targeting looks opportunistic rather than sector-specific. Every affected appliance was running firmware without the fix for CVE-2024-40766. Initial access in each case was an SSL VPN login with valid credentials from IP addresses belonging to VPS hosting providers, and the intrusions moved quickly from that login to data exfiltration and encryption, often within hours. Shared attacker infrastructure recurred across multiple intrusions. Defenders should prioritize the SonicWall firmware update, monitor SSL VPN logins for sources in hosting or VPS address space and for accounts connecting from sources they have not used before, keep secure offsite backups that an attacker holding domain credentials cannot reach or delete, and hunt endpoints for post-compromise activity such as remote-access tools, archiving of data ahead of exfiltration, and credential dumping (see the technique list below).
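
The suspicious-login monitoring recommended above, as an added example that is not code from the original report: a small triage script that parses SonicWall-style key="value" syslog lines and flags successful SSL VPN logins whose source is one of the indicator IPs listed below, falls in a VPS/hosting prefix, or lies outside the ranges users normally connect from. The line layout, field names (time, msg, usr, src), message text, the sample log and the HOSTING_RANGES and EXPECTED_RANGES prefixes are all assumptions; only the two IOC IPs come from this report's indicator list.

```python
"""Triage SonicWall SSL VPN login events for the initial-access pattern above.

Added example. The key="value" line layout, field names (time, msg, usr, src)
and message text are assumptions, not SonicWall's exact syslog schema, and
HOSTING_RANGES / EXPECTED_RANGES are placeholders to replace with real data.
"""
import ipaddress
import re
from collections import defaultdict

# Source IPs from this report's indicator list.
IOC_IPS = {"66.181.33.32", "45.11.59.16"}

# Assumed: VPS/hosting prefixes staff should never log in from
# (in practice an ASN-to-prefix export for hosting providers).
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("45.11.59.0/24", "66.181.33.0/24")]

# Assumed: prefixes staff normally connect from (office NAT, corporate egress).
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log: two routine logins, one from an unfamiliar network,
# then a failed and two successful logins from the reported infrastructure.
SAMPLE_LOG = """\
time="2024-08-12 02:14:09 UTC" fw=198.51.100.1 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=203.0.113.45
time="2024-08-12 08:30:11 UTC" fw=198.51.100.1 pri=6 msg="SSL VPN zone remote user login allowed" usr="mlee" src=198.51.100.77
time="2024-08-12 17:02:51 UTC" fw=198.51.100.1 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=203.0.113.45
time="2024-08-12 23:41:17 UTC" fw=198.51.100.1 pri=6 msg="SSL VPN zone remote user login allowed" usr="svc_backup" src=45.11.59.16
time="2024-08-13 00:05:40 UTC" fw=198.51.100.1 pri=5 msg="SSL VPN zone remote user login failed" usr="admin" src=66.181.33.32
time="2024-08-13 00:06:02 UTC" fw=198.51.100.1 pri=6 msg="SSL VPN zone remote user login allowed" usr="admin" src=66.181.33.32
"""

# key=value pairs; a quoted value may contain spaces, a bare value may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A new source IP for a user is weak on its own (home networks change) and is
# only reported when another signal is present.
WEAK = "first login from this src for user"


def parse_line(line):
    """Split one key=value syslog line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def in_any(ip, networks):
    return any(ip in net for net in networks)


def classify(event, seen):
    """Return the reasons a successful login matches the reported pattern.

    `seen` maps user -> set of source IPs observed earlier in the log; it is a
    crude per-user baseline for the 'new source' signal."""
    reasons = []
    src_text = event["src"]
    src = ipaddress.ip_address(src_text)
    if src_text in IOC_IPS:
        reasons.append("src in report indicator list")
    if in_any(src, HOSTING_RANGES):
        reasons.append("src in VPS/hosting range")
    elif not in_any(src, EXPECTED_RANGES):
        reasons.append("src outside expected user ranges")
    if src_text not in seen[event["usr"]]:
        reasons.append(WEAK)
    return reasons


def triage(log_text):
    """Return [(time, usr, src, reasons)] for successful logins worth review.

    Failed logins are skipped because they do not establish access; a login
    whose only oddity is a new source IP is treated as normal churn."""
    seen = defaultdict(set)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        msg = ev.get("msg", "")
        if "login" not in msg or "allowed" not in msg:
            continue
        reasons = classify(ev, seen)
        seen[ev["usr"]].add(ev["src"])
        if any(r != WEAK for r in reasons):
            hits.append((ev["time"], ev["usr"], ev["src"], reasons))
    return hits


if __name__ == "__main__":
    for time, usr, src, reasons in triage(SAMPLE_LOG):
        print(f"{time}  usr={usr} src={src}  {'; '.join(reasons)}")
```

Run against real exports, the per-user baseline should be seeded from a longer history than the file being triaged, and the hosting list should come from an ASN feed rather than the two /24s used here; the indicator IPs are worth keeping as an exact-match list regardless, since the report notes the same infrastructure recurring across intrusions.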

Date

  • Created: Oct. 24, 2024, 6:23 p.m.
  • Published: Oct. 24, 2024, 6:23 p.m.
  • Modified: Oct. 24, 2024, 8:22 p.m.

Linked vulnerabilities

  • CVE-2024-40766 - SonicWall SonicOS improper access control (management access and SSL VPN); every affected device in this activity was running firmware without the fix

Indicators

  • dbde2858580ec4f3484e91a42483cccdee2d243a5bb66a190f7363b129c02751
  • d7e11b178fcc3d1ee7f6ad3dce6da2ea043de64d521cf3578fb09031cbdb0ae2
  • bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
  • b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb
  • 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8
  • 746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
  • 64c154ab8d7962fc7beeb2eb8b3893bbfb0badefc96eaafcfd0a9adc17720bff
  • 47204338f0e092057024c9186f228c02417e917777f3e841d52b58251a956a74
  • 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
  • 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
  • 1c73160acc17f8c2b996b91e3f34578b7964223bb3ac76fbc586af2d550f070c
  • 18b967bd7a44f60521dd123dea0daf278572089b558b2e5632a6c06d9aad4529
  • 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
  • a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
  • 66.181.33.32
  • 45.11.59.16

Attack Patterns

  • Fog
  • Akira
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  • T1490 - Inhibit System Recovery
  • T1482 - Domain Trust Discovery
  • T1560.001 - Archive Collected Data: Archive via Utility
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1567 - Exfiltration Over Web Service
  • T1555 - Credentials from Password Stores
  • T1021 - Remote Services
  • T1486 - Data Encrypted for Impact
  • T1570 - Lateral Tool Transfer
  • T1046 - Network Service Discovery
  • T1219 - Remote Access Software
  • T1560 - Archive Collected Data
  • T1133 - External Remote Services
  • T1078 - Valid Accounts
  • T1003 - OS Credential Dumping
  • T1059 - Command and Scripting Interpreter