Fog and Akira Ransomware Spread Through SonicWall VPN Vulnerability
Hackers are exploiting a vulnerability in SonicWall VPN to launch ransomware attacks using the Fog and Akira strains. Experts believe they are taking advantage of CVE-2024-40766, a critical improper access control flaw in the SSL VPN component.
SonicWall released a patch to address the issue in late August 2024; however, within a week, the company reported that the vulnerability was already being actively exploited. Arctic Wolf researchers have found that groups associated with Akira are using this vulnerability to infiltrate corporate networks.
According to a new Arctic Wolf report, at least 30 attacks have been initiated through remote access via SonicWall VPN accounts. Approximately 75% of these incidents are linked to Akira, with the remainder associated with the Fog operation. Operators from both groups reportedly share infrastructure, suggesting informal collaboration, a trend previously observed by Sophos experts.
While not every infiltration was definitively tied to this specific vulnerability, all compromised systems were running outdated, unpatched versions of SonicOS. In some cases, the time between initial penetration and data encryption was as brief as 1.5 to 2 hours, averaging around ten hours.
Hackers frequently used VPNs or VPS services to mask their IP addresses. Experts note that many companies had neglected to enable multi-factor authentication and continued using the default port 4433, significantly easing the attackers’ efforts.
The exfiltrated data consisted of documents and software. Attackers deliberately ignored files older than six months, except for particularly sensitive data, for which the cutoff was extended to 30 months.
The Fog operation, launched in May 2024, is growing rapidly, leveraging compromised corporate VPN credentials to gain unauthorized access. Akira, a more seasoned group, encountered temporary access issues with its Tor network resources, though it is gradually restoring operations and will likely strike again, stronger than before.
The lack of timely updates and disregard for multi-factor authentication provide hackers with easy access points for targeted attacks. The cooperation between groups like Akira and Fog illustrates how modern threats are becoming increasingly organized and swift, with each vulnerability offering malicious actors the opportunity for a rapid and decisive breach, bypassing even the most advanced defense systems.