Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN
Oct. 24, 2024, 8:22 p.m.
Tags
External References
Description
Since early August, there has been a significant increase in Fog and Akira ransomware intrusions against organizations running SonicWall SSL VPN, across a range of industries; the targeting appears opportunistic rather than sector-specific. Every affected device was unpatched against CVE-2024-40766 (an improper access control flaw in SonicOS). Initial access was an SSL VPN login from VPS hosting IP space, followed by rapid progression to data exfiltration and encryption, often within hours. The same infrastructure was seen across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious VPN logins (in particular from VPS hosting providers), keep secure offsite backups, and watch for post-compromise activity on endpoints.
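The VPN login monitoring advice above, turned into a small detection routine. This is an added example, not part of the original report: it parses SonicOS-style key=value syslog, keeps only successful SSL VPN logins, and flags any whose source address is one of the two IP indicators listed below or has never been seen for that account. The log lines, the baseline of previously seen sources, and the exact message wording are constructed assumptions; check the field names and messages against what your firewall actually emits before reusing the matcher.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Source IPs from the Indicators section of this report.
IOC_IPS = {"66.181.33.32", "45.11.59.16"}

# Constructed sample in SonicOS-style key=value syslog. Message wording and field
# set are assumptions for this example, not verified output of a specific firmware.
SAMPLE_LOG = """\
id=firewall sn=0017C5XXXXXX time="2024-08-12 02:41:07" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=66.181.33.32:49822:X1
id=firewall sn=0017C5XXXXXX time="2024-08-12 08:15:33" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="akumar" src=198.51.100.77:51002:X1
id=firewall sn=0017C5XXXXXX time="2024-08-12 03:02:19" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="svc-backup" src=45.11.59.16:60111:X1
id=firewall sn=0017C5XXXXXX time="2024-08-12 09:00:02" fw=203.0.113.10 pri=5 msg="SSL VPN zone remote user login failed" usr="jsmith" src=192.0.2.200:44100:X1
"""

# Constructed baseline: source addresses each account had used before this window.
BASELINE = {
    "jsmith": {"198.51.100.12"},
    "akumar": {"198.51.100.77"},
    "svc-backup": set(),
}

# key=value pairs; quoted values may contain spaces (the time and msg fields do).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> dict:
    """Split one syslog line into a field dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def src_ip(fields: dict) -> str:
    # SonicOS writes src as address:port:interface; keep only the address.
    return fields.get("src", "").split(":")[0]


@dataclass
class Finding:
    time: datetime
    user: str
    src: str
    reasons: list


def flag_vpn_logins(log_text: str, baseline: dict, ioc_ips=IOC_IPS) -> list:
    """Return successful SSL VPN logins that hit an indicator or come from a new source."""
    findings = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        msg = f.get("msg", "")
        if not (msg.startswith("SSL VPN") and "login allowed" in msg):
            continue  # successes only; failed logins belong in a separate brute-force rule
        ip, user = src_ip(f), f.get("usr", "?")
        reasons = []
        if ip in ioc_ips:
            reasons.append("source IP is a listed indicator")
        if ip not in baseline.get(user, set()):
            reasons.append("first login from this source for this account")
        if reasons:
            when = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
            findings.append(Finding(when, user, ip, reasons))
    findings.sort(key=lambda x: x.time)
    return findings


if __name__ == "__main__":
    for fd in flag_vpn_logins(SAMPLE_LOG, BASELINE):
        print(fd.time, fd.user, fd.src, "; ".join(fd.reasons))
```

On the constructed sample this reports the jsmith and svc-backup logins (both from indicator IPs and both first-seen sources) and ignores the akumar login from a known address and the failed attempt. In production the baseline would come from a few weeks of prior successful logins per account, and the indicator set would be extended with a VPS/hosting ASN feed, since the report notes that initial access came from hosting IP space rather than only from these two addresses.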
Date
Published: Oct. 24, 2024, 6:23 p.m.
Created: Oct. 24, 2024, 6:23 p.m.
Modified: Oct. 24, 2024, 8:22 p.m.
Indicators
dbde2858580ec4f3484e91a42483cccdee2d243a5bb66a190f7363b129c02751
d7e11b178fcc3d1ee7f6ad3dce6da2ea043de64d521cf3578fb09031cbdb0ae2
bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb
76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8
746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
64c154ab8d7962fc7beeb2eb8b3893bbfb0badefc96eaafcfd0a9adc17720bff
47204338f0e092057024c9186f228c02417e917777f3e841d52b58251a956a74
45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
1c73160acc17f8c2b996b91e3f34578b7964223bb3ac76fbc586af2d550f070c
18b967bd7a44f60521dd123dea0daf278572089b558b2e5632a6c06d9aad4529
9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
66.181.33.32
45.11.59.16
Attack Patterns
FoggyWeb - S0661 (note: S0661 is the NOBELIUM AD FS backdoor; this association is most likely an automated name match on "Fog" and does not describe Fog ransomware)
Akira
T1021.002 (Remote Services: SMB/Windows Admin Shares)
T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
T1078.002 (Valid Accounts: Domain Accounts)
T1021.001 (Remote Services: Remote Desktop Protocol)
T1048 (Exfiltration Over Alternative Protocol)
T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol)
T1490 (Inhibit System Recovery)
T1482 (Domain Trust Discovery)
T1560.001 (Archive Collected Data: Archive via Utility)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1567 (Exfiltration Over Web Service)
T1555 (Credentials from Password Stores)
T1021 (Remote Services)
T1486 (Data Encrypted for Impact)
T1570 (Lateral Tool Transfer)
T1046 (Network Service Discovery)
T1219 (Remote Access Software)
T1560 (Archive Collected Data)
T1133 (External Remote Services)
T1078 (Valid Accounts)
T1003 (OS Credential Dumping)
T1059 (Command and Scripting Interpreter)
CVE-2024-40766