Introduction
The exploitation of the critical SonicWall VPN vulnerability [1] [3], CVE-2024-40766 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], by Fog and Akira ransomware operators has become a significant cybersecurity concern. This vulnerability, which affects SSL VPN functionality, allows unauthorized access to corporate networks [6], posing severe risks to organizations. Despite the release of a patch, many systems remain unpatched [6], leaving them exposed to potential breaches.
Description
Fog and Akira ransomware operators are increasingly exploiting the critical SonicWall VPN vulnerability CVE-2024-40766 [3], an improper access control flaw in SonicOS that affects SSL VPN functionality. This vulnerability, which has a CVSS v3 score of 9.3 [3], allows unauthorized access to corporate networks via compromised VPN accounts. It impacts Gen 5 [4], Gen 6 [3] [4], and Gen 7 devices running SonicOS versions 7.0.1-5035 and older [3]. Attackers can bypass access controls [6], gaining unauthorized remote access and enabling potential breaches; exploitation may also result in VPN crashes. SonicWall publicly disclosed this issue on August 22, 2024, and released a patch in late August, acknowledging its active exploitation and urging customers to apply the updates immediately. However, just a week after the patch was issued, cybercriminals began to exploit the vulnerability, and many endpoints remain unpatched [6], with over 168,000 vulnerable systems exposed [6]. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog [7], emphasizing the urgency for prompt remediation, particularly for federal organizations, which are required to patch affected systems by the end of September 2024.
Since early August 2024 [2] [8] [9] [10], Arctic Wolf security researchers have detected at least 30 intrusions involving both Fog and Akira ransomware, with approximately 75% of these incidents linked to Akira and the remaining 25% associated with Fog. The attacks have demonstrated a shared IP infrastructure [3], indicating a continued partnership between the two groups and highlighting a concerning trend of organized cooperation among threat actors. Initial access to compromised systems was gained through vulnerable SonicWall SSL VPN accounts, which were local to the devices and lacked integration with centralized authentication solutions like Microsoft Active Directory [8]. Compromised organizations frequently lacked multi-factor authentication (MFA) on their SSL VPN accounts [11], and many operated services on the default port 4433 [10] [11], further contributing to their vulnerability [11].
All compromised endpoints were unpatched and outdated [10]; the average time from initial SSL VPN access to data encryption or ransom demands was close to 10 hours, and in some cases as little as 1.5 to 2 hours [5] [7] [11]. Attackers exfiltrated sensitive data [2], particularly from HR and finance departments [2], retrieving documents up to 30 months old [2], whereas less sensitive documents were of interest only if they were up to six months old [2]. Threat actors accessed endpoints through VPN/VPS services [10], obscuring their actual IP addresses and complicating detection efforts [6]. In incidents where firewall logs were captured [10], specific event IDs [10], including 238 and 1080, indicated successful logins and IP assignments [10], followed by SSL VPN INFO log messages confirming that the login process had completed [10].
While there is no conclusive evidence that CVE-2024-40766 and other remote code execution vulnerabilities were exploited to compromise SonicWall appliances [3], it is speculated that VPN credentials may have been obtained through other means [3], such as data breaches [3]. Visibility gaps in firewall logs have hindered the analysis of some intrusions [3], complicating the understanding of the full scope of the attacks. Researchers continue to observe a rise in infections involving Fog and Akira ransomware [8], with malicious login events traced back to Virtual Private Server (VPS) hosting providers. Indicators of Compromise (IOCs) have been provided to assist administrators in identifying potential attacks on their systems [2].
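The log review described in the two paragraphs above (event IDs 238 and 1080 followed by an SSL VPN INFO message, logins arriving from VPS hosting ranges, and services exposed on the default port 4433) can be turned into a small triage script. The following is an added example written for this page; it is not code from the original article or from Arctic Wolf. The key=value line layout, the sample log lines, the user names and the hosting-range list are all constructed and assumed; real SonicOS syslog output has a different field layout, so the regular expression would need adjusting before use on live logs.

```python
"""Triage SSL VPN login events from SonicWall-style firewall logs.

Added example for this article, not code from the original page or from
Arctic Wolf. The key=value line layout below is an ASSUMED, simplified
shape; real SonicOS syslog output differs. Only the event IDs 238 and 1080,
the "SSL VPN INFO" follow-up message, the default port 4433 and the VPS
origin of malicious logins come from the article.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges, not real captures).
SAMPLE_LOGS = [
    '2024-08-10T02:14:05 m=238 msg="WAN zone remote user login allowed" usr="jsmith" src=203.0.113.45:51234 dst=198.51.100.2:4433',
    '2024-08-10T02:14:06 m=1080 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=203.0.113.45:51234 dst=198.51.100.2:4433',
    '2024-08-10T02:14:07 msg="SSL VPN INFO: login completed" usr="jsmith" src=203.0.113.45:51234',
    '2024-08-10T08:30:11 m=1080 msg="SSL VPN zone remote user login allowed" usr="mlee" src=198.51.100.77:40001 dst=198.51.100.2:8443',
    '2024-08-10T08:30:12 msg="SSL VPN INFO: login completed" usr="mlee" src=198.51.100.77:40001',
    '2024-08-10T09:02:00 m=238 msg="WAN zone remote user login allowed" usr="svc_backup" src=203.0.113.9:55555 dst=198.51.100.2:4433',
    'garbage line that does not parse',
]

# Constructed stand-in for a VPS/hosting-provider range list (hypothetical, not a threat feed).
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DEFAULT_SSLVPN_PORT = "4433"
LOGIN_EVENT_IDS = {"238", "1080"}  # from the article: login allowed / IP assignment events

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?:m=(?P<id>\d+)\s+)?msg="(?P<msg>[^"]*)"\s+usr="(?P<usr>[^"]*)"\s+'
    r'src=(?P<src>[\d.]+):(?P<sport>\d+)(?:\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+))?\s*$'
)


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_hosting_source(ip):
    """True when the source address falls inside one of the hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def triage(lines):
    """Group login events by (user, source IP) and flag the risky ones."""
    sessions = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        sessions[(e["usr"], e["src"])].append(e)

    findings = []
    for (usr, src), evs in sessions.items():
        if not {e["id"] for e in evs} & LOGIN_EVENT_IDS:
            continue  # no login-allowed event for this user/source pair
        reasons = []
        if is_hosting_source(src):
            reasons.append("source in hosting/VPS range")
        if any(e["dport"] == DEFAULT_SSLVPN_PORT for e in evs):
            reasons.append("SSL VPN reached on default port 4433")
        if not reasons:
            continue
        findings.append({
            "user": usr,
            "src": src,
            "first_seen": min(e["ts"] for e in evs),
            # The article notes the INFO message confirms completion; its absence
            # may simply be a logging gap, so it is reported rather than scored.
            "login_completed": any("SSL VPN INFO" in e["msg"] for e in evs),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Running the script on the constructed lines reports two sessions: `jsmith` (hosting-range source, default port, login completed) and `svc_backup` (hosting-range source, default port, no completion message seen). The `mlee` session is left alone because it comes from a non-hosting address to a non-default port. Because the findings carry `first_seen`, they can be lined up against later encryption or exfiltration timestamps to measure the dwell time the article discusses.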
To mitigate the risks associated with CVE-2024-40766 [6], organizations should ensure all SonicWall devices are updated to the latest firmware [6], enforce multi-factor authentication on remote access points [6], regularly review firewall and VPN logs for unusual activity [6], configure VPN services to use non-default ports [6], implement strict access control policies [6], maintain secure offline backups of critical data [6], and conduct security awareness training for staff [6]. Field Effect continuously monitors vulnerabilities in devices and software [7], including SonicWall VPNs [4] [5] [7], and users of their Managed Detection and Response (MDR) service receive automatic notifications if a vulnerable version of SonicWall VPN is detected [7], urging them to address these alerts promptly [7]. It is strongly recommended that affected users apply the patch as soon as possible [7], in line with SonicWall’s advisory [7], to mitigate the risk of compromise [7], given the popularity of SonicWall devices among threat actors [7].
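The mitigation list above, together with the risk factors in the Arctic Wolf findings (local SSL VPN accounts outside Active Directory, no MFA, default port 4433, outdated firmware), can be checked across a fleet with a short posture audit. The following is an added example for this page, not code from the original article or from SonicWall. The `Device` record, the inventory entries and the version strings other than 7.0.1-5035 are constructed; the only vendor fact used is the article's statement that Gen 7 devices on SonicOS 7.0.1-5035 and older are affected, so Gen 5 and Gen 6 devices are flagged for a manual check against SonicWall's advisory rather than judged by a threshold the page does not give.

```python
"""Posture audit for a SonicWall SSL VPN fleet against the points in this article.

Added example, not code from the original page or from SonicWall. The Device
record and INVENTORY are constructed; the only vendor fact used is the article's
statement that Gen 7 devices on SonicOS 7.0.1-5035 and older are affected.
"""
import re
from dataclasses import dataclass

# Accepts "7.0.1-5035" and the longer dotted style "6.5.4.14-109n" (trailing letter ignored).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)[a-z]?$")


def parse_sonicos_version(text):
    """Turn 'major.minor.patch-build' into a tuple of ints that compares naturally."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)


GEN7_LAST_VULNERABLE = parse_sonicos_version("7.0.1-5035")  # from the article
DEFAULT_SSLVPN_PORT = 4433


@dataclass
class Device:
    name: str
    generation: int
    firmware: str
    sslvpn_port: int
    mfa_enforced: bool
    local_sslvpn_accounts: int  # accounts defined on the box rather than in AD/LDAP


def firmware_in_vulnerable_range(dev):
    """True/False for Gen 7; None when the page gives no threshold (Gen 5/6)."""
    version = parse_sonicos_version(dev.firmware)
    if dev.generation == 7:
        return version <= GEN7_LAST_VULNERABLE
    return None


def audit(devices):
    """Map device name -> list of issues; devices with no issues are omitted."""
    findings = {}
    for dev in devices:
        issues = []
        vuln = firmware_in_vulnerable_range(dev)
        if vuln is True:
            issues.append(f"firmware {dev.firmware} is within the affected range")
        elif vuln is None:
            issues.append(f"Gen {dev.generation}: compare firmware against the vendor advisory")
        if dev.sslvpn_port == DEFAULT_SSLVPN_PORT:
            issues.append("SSL VPN listens on default port 4433")
        if not dev.mfa_enforced:
            issues.append("MFA not enforced for SSL VPN")
        if dev.local_sslvpn_accounts:
            issues.append(f"{dev.local_sslvpn_accounts} local SSL VPN accounts outside central auth")
        if issues:
            findings[dev.name] = issues
    return findings


# Constructed inventory (hypothetical devices and version strings).
INVENTORY = [
    Device("fw-hq", 7, "7.0.1-5035", 4433, False, 12),
    Device("fw-branch", 7, "7.1.1-7040", 8443, True, 0),
    Device("fw-legacy", 6, "6.5.4.14-109n", 4433, True, 3),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the constructed inventory, `fw-hq` collects all four findings and `fw-legacy` three (advisory check, default port, local accounts), while `fw-branch` is clean and omitted. The version tuple comparison is deliberately conservative: any Gen 7 build at or below 7.0.1-5035 is reported as affected, and a build above it is only "not in the range the article states", which is why the Gen 5/6 branch returns `None` instead of guessing a fixed build.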
Conclusion
The ongoing exploitation of the SonicWall VPN vulnerability by ransomware operators underscores the critical need for organizations to prioritize cybersecurity measures. Immediate patching, the implementation of multi-factor authentication [4] [6], and regular monitoring of network activity are essential steps to mitigate risks. As threat actors continue to evolve their tactics, organizations must remain vigilant and proactive in securing their networks to prevent future breaches.
References
[1] https://www.scworld.com/brief/sonicwall-ssl-vpn-accounts-targeted-by-akira-fog-ransomware-gangs
[2] https://www.heise.de/en/news/Ransomware-attacks-on-Sonicwall-SSL-VPNs-9998192.html
[3] https://securityaffairs.com/170359/cyber-crime/fog-akira-ransomware-sonicwall-vpn-flaw.html
[4] https://www.techradar.com/pro/security/sonicwall-vpns-targeted-by-ransomware-hitting-corporate-networks
[5] https://www.vpnranks.com/news/fog-akira-ransomware-exploit-sonicwall-vpn-flaw/
[6] https://smartermsp.com/cybersecurity-threat-advisory-sonicwall-vpn-vulnerability/
[7] https://fieldeffect.com/blog/critical-sonicwall-vulnerability-exploited-by-ransomware-groups
[8] https://www.csoonline.com/article/3592294/patched-sonicwall-critical-vulnerability-still-used-in-several-ransomware-attacks.html
[9] https://www.connect-professional.de/security/am-wochenende-kommt-der-hacker.331728.html
[10] https://www.isss.org.uk/news/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/
[11] https://www.techepages.com/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/
[12] https://www.it-connect.fr/les-acces-vpn-ssl-sonicwall-cibles-par-les-ransomwares-fog-et-akira-cve-2024-40766/