EXECUTIVE SUMMARY:
Ransomware attacks involving Akira and Fog Ransomware have surged, primarily targeting organizations using SSL VPN services such as SonicWall. These incidents exploited CVE-2024-40766, a critical vulnerability in SonicWall SSL VPN appliances that allows remote code execution (RCE). This flaw enables attackers to gain unauthorized access and control, leaving unpatched devices highly vulnerable. The attacks emphasize the importance of keeping firmware updated and securing VPN access to prevent breaches.
CVE-2024-40766 was a key factor in these attacks, allowing attackers to execute arbitrary code and bypass authentication. Malicious logins were often traced to IP addresses associated with Virtual Private Servers (VPS), commonly used to mask attackers' locations. Once the vulnerability was exploited, attackers quickly accessed critical data and deployed ransomware, often within hours. Many compromised devices lacked firmware updates and multi-factor authentication (MFA), significantly increasing their risk of exploitation.
The rise of ransomware attacks involving Akira and Fog malware highlights the urgent need for organizations to patch vulnerabilities like CVE-2024-40766 and adopt robust security practices. Organizations should prioritize firmware updates, enable MFA on VPN accounts, and monitor unusual login activity, particularly from VPS sources. Strengthening these defenses is critical to mitigating ransomware threats and safeguarding sensitive systems.
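The monitoring recommendation above, as an added example that is not part of the original advisory: a small triage pass over SSL VPN login records that flags successful logins from VPS/hosting address ranges, logins completed without MFA, first-seen source IPs for a user, and successes preceded by failed attempts. The record layout, the VPS ranges (RFC 5737 documentation space) and the sample batch are all constructed for illustration; substitute your appliance's log fields and a real hosting-provider feed.

```python
import ipaddress
from collections import namedtuple

# Constructed VPS/hosting ranges standing in for a real hosting-provider/ASN feed.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# One normalized SSL VPN login record (field names are assumptions, not a vendor format).
VpnLogin = namedtuple("VpnLogin", "ts user src_ip mfa success")

def is_vps_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)

def flag_logins(logins):
    """Return (login, reasons) for each successful login an analyst should review."""
    findings = []
    seen_ips = {}   # user -> source IPs seen earlier in the batch
    failures = {}   # (user, src_ip) -> failed attempts seen before this point
    for rec in logins:
        key = (rec.user, rec.src_ip)
        if not rec.success:
            failures[key] = failures.get(key, 0) + 1
            continue
        reasons = []
        if is_vps_source(rec.src_ip):
            reasons.append("source in VPS/hosting range")
        if not rec.mfa:
            reasons.append("no MFA")
        prior = seen_ips.setdefault(rec.user, set())
        if prior and rec.src_ip not in prior:
            reasons.append("new source IP for user")
        if failures.get(key):
            reasons.append("preceded by failed attempts")
        prior.add(rec.src_ip)
        if reasons:
            findings.append((rec, reasons))
    return findings

# Constructed sample batch: a normal login, a suspicious login, and a failed-then-successful login.
SAMPLE = [
    VpnLogin("2024-09-01T08:02:11Z", "jdoe", "192.0.2.10", True, True),
    VpnLogin("2024-09-01T23:41:05Z", "jdoe", "203.0.113.77", False, True),
    VpnLogin("2024-09-02T01:12:30Z", "svc_backup", "198.51.100.9", False, False),
    VpnLogin("2024-09-02T01:13:02Z", "svc_backup", "198.51.100.9", False, True),
]

if __name__ == "__main__":
    for login, reasons in flag_logins(SAMPLE):
        print(login.ts, login.user, login.src_ip, "->", "; ".join(reasons))
```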
THREAT PROFILE:
| Tactic | Technique Id | Technique |
|---|---|---|
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1078 | Valid Accounts |
| Execution | T1059 | Command and Scripting Interpreter |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1482 | Domain Trust Discovery |
| Lateral Movement | T1021 | Remote Services |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Collection | T1560 | Archive Collected Data |
| Command and Control | T1219 | Remote Access Software |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
RECOMMENDATION:
We strongly recommend that you update SonicWall devices to the versions listed below:
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-fog-ransomware-sonicwall-vpn/