Threat update
Fog and Akira ransomware operators are exploiting a critical SonicWall SSL VPN vulnerability, CVE-2024-40766, to breach corporate networks.
Technical Detail and Additional Info
What is the threat?
Fog and Akira ransomware affiliates are exploiting CVE-2024-40766, a critical vulnerability in SonicWall's SSL VPN, to gain initial access to corporate networks through compromised VPN accounts. This vulnerability allows attackers to bypass access controls, enabling unauthorized infiltration. Despite SonicWall's patch release in August 2024, many endpoints remain unpatched and susceptible.
Once the attacker gains access, they route their traffic through VPN or VPS services to obscure their source IP addresses and complicate detection efforts. Their logins leave specific indicators in firewall logs, such as WAN zone and SSL VPN login events, signaling successful unauthorized access. Within hours, they launch rapid encryption attacks on virtual machines and backups, prioritizing sensitive, recently created files for exfiltration while ignoring those older than six months. This behavior underscores the urgent need for organizations to monitor and secure their networks against these threats.
Why is it noteworthy?
The collaboration between Akira and Fog ransomware groups to leverage SonicWall VPN vulnerabilities for initial access demonstrates a critical need for timely patching and secure configuration management within network defenses. The speed at which these groups can infiltrate networks and deploy ransomware—sometimes in as little as 1.5 hours—poses a serious risk that can overwhelm standard incident response procedures.
Additionally, the apparent infrastructure-sharing between Akira and Fog, along with indications that other groups like Black Basta may also exploit this vulnerability, highlights a concerning trend of organized cooperation among threat actors. This collaboration not only increases the frequency of attacks but also expands the threat landscape, as multiple ransomware operations could adopt similar tactics to exploit the same vulnerability. The potential for significant damage to organizations—ranging from financial losses to reputational harm—makes it imperative for all stakeholders to take proactive measures in securing their networks against these evolving threats.
What is the exposure or risk?
Organizations using unpatched SonicWall VPNs are at heightened risk. There are over 168,000 vulnerable endpoints currently exposed to potential exploitation. This critical vulnerability allows threat actors to execute rapid ransomware attacks, jeopardizing critical assets, intellectual property, and sensitive information. Once inside a network, attackers can access a variety of systems, including servers, workstations, and cloud services, potentially compromising a wide range of data, such as financial records, customer information, and proprietary software.
The absence of multi-factor authentication (MFA) and poorly configured VPN accounts make these entry points even easier to exploit. Ransomware groups specifically target virtualized infrastructure and encrypted backups. A successful compromise can lead to severe operational disruptions, data loss, and recovery challenges. Additionally, the quick encryption of files can prevent organizations from accessing essential data during recovery efforts, leading to prolonged downtime and financial losses.
What are the recommendations?
LBT Technology Group strongly recommends organizations take these steps to protect their critical infrastructure.
- Patch SonicWall VPNs: Ensure all SonicWall devices are updated to the latest firmware to mitigate CVE-2024-40766 exploitation.
- Enable MFA: Enforce multi-factor authentication on all remote access points, including VPN accounts, to reduce unauthorized access.
- Monitor logs: Regularly review firewall and VPN logs. Pay close attention to WAN and SSL VPN login events (Event IDs 238, 1080, and 1079) for unusual activity.
- Use non-default ports: Configure VPN services to use non-default ports to reduce exposure to known attack vectors.
- Limit VPN access: Implement strict access control policies, restricting VPN access to only necessary users and limiting IP ranges.
- Backup and isolate data: Maintain and secure offline backups of critical data to recover from potential encryption attacks.
- Conduct security awareness training: Educate staff on security best practices, emphasizing phishing prevention and VPN security.
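As an added illustration of the log-monitoring recommendation above (and of the WAN zone and SSL VPN login indicators described earlier), the following Python script is example code written for this update; it is not an LBT or SonicWall tool. It parses SonicWall-style key=value syslog lines, keeps the login events with IDs 238, 1080 and 1079, flags any login whose source address lies outside an assumed set of expected ranges, and flags any account seen logging in from more than one source address within a 30-minute window. The sample log lines, field layout, message text, user names and IP addresses are all constructed for the example; verify the field names against your device's log reference before adapting it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the advisory names for WAN zone / SSL VPN login activity.
LOGIN_EVENT_IDS = {"238", "1080", "1079"}

# Assumed: the address ranges from which the organization's remote users
# normally connect (documentation range used as a placeholder).
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# key=value tokens, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines approximating SonicWall syslog output.
# The message text and serial number are illustrative, not captured data.
SAMPLE_LOGS = [
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 08:01:10" pri=6 c=16 m=238 msg="WAN zone remote user login allowed" usr="jsmith" src=203.0.113.25:50112:X1 dst=192.0.2.1:443:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 08:01:11" pri=6 c=16 m=1080 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=203.0.113.25:50112:X1 dst=192.0.2.1:443:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 08:01:11" pri=6 c=16 m=1079 msg="User login successful" usr="jsmith" src=203.0.113.25:50112:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 08:05:00" pri=6 c=1024 m=97 msg="Web site access" usr="jsmith" src=203.0.113.25:50200:X1 dst=192.0.2.10:80:X0',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 22:14:02" pri=6 c=16 m=238 msg="WAN zone remote user login allowed" usr="svc-backup" src=198.51.100.77:44010:X1 dst=192.0.2.1:443:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 22:14:03" pri=6 c=16 m=1080 msg="SSL VPN zone remote user login allowed" usr="svc-backup" src=198.51.100.77:44010:X1 dst=192.0.2.1:443:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 22:14:03" pri=6 c=16 m=1079 msg="User login successful" usr="svc-backup" src=198.51.100.77:44010:X1',
    'id=sonicwall sn=EXAMPLE0001 time="2024-09-05 22:40:15" pri=6 c=16 m=1079 msg="User login successful" usr="svc-backup" src=198.51.100.203:44911:X1',
]


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def login_events(lines):
    """Keep only the login-related events and normalize the fields we need."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("m") not in LOGIN_EVENT_IDS or "src" not in f or "time" not in f:
            continue
        # src is recorded as ip:port:interface; keep the address only.
        src_ip = f["src"].split(":")[0]
        # time is "YYYY-MM-DD HH:MM:SS", optionally followed by a zone name.
        stamp = " ".join(f["time"].split()[:2])
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": f["m"],
            "user": f.get("usr", "?"),
            "src": src_ip,
        })
    return events


def analyse(lines, expected_nets=EXPECTED_SOURCE_NETS, window=timedelta(minutes=30)):
    """Flag logins from outside the expected ranges and accounts seen from
    several source addresses within one window. Returns (kind, user, detail)."""
    findings = []
    reported = set()
    by_user = defaultdict(list)
    for ev in login_events(lines):
        by_user[ev["user"]].append((ev["time"], ev["src"]))
        ip = ipaddress.ip_address(ev["src"])
        if not any(ip in net for net in expected_nets):
            key = (ev["user"], ev["src"])
            if key not in reported:  # report each user/source pair once
                reported.add(key)
                findings.append(("unexpected_source", ev["user"], ev["src"]))
    for user, entries in by_user.items():
        entries.sort()
        for t, _ in entries:
            srcs = {s for t2, s in entries if t <= t2 <= t + window}
            if len(srcs) > 1:
                findings.append(("multiple_sources", user, ",".join(sorted(srcs))))
                break
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOGS):
        print(f"{kind:18} user={user:12} {detail}")
```

In a real deployment the expected ranges would come from the organization's own remote-access records, and the findings would be forwarded to the SIEM rather than printed; the value of the check is that a login followed within minutes by a second source address for the same account is exactly the kind of event the advisory says precedes encryption within hours.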
If you have any questions, please contact LBT's Sales Engineer.