Ethical Hacking News
Fog ransomware has been identified as a growing threat in recent months, and its operators are exploiting a critical SSL VPN access control flaw in SonicWall firewalls, tracked as CVE-2024-40766. SonicWall patched the flaw in late August 2024, but devices left unpatched have since been exploited in at least 30 intrusions attributed to either the Fog or the Akira ransomware operation. Read on for more information about this growing threat and how organizations can protect themselves.
Summary:
Fog ransomware has been exploiting a critical SSL VPN access control flaw (CVE-2024-40766) in SonicWall firewalls to breach corporate networks.
The campaign has resulted in at least 30 intrusions attributed to the Fog or Akira ransomware operations.
Threat actors connected from VPN/VPS infrastructure to hide their real IP addresses and targeted SSL VPN accounts that had no multi-factor authentication.
The attackers moved quickly to encrypt virtual machines and their backups, and stole data using file-age cutoffs of six months for general documents and 30 months for more sensitive files.
Fog ransomware has been identified as a growing threat in recent months, and its operators have found an increasingly effective way to breach corporate networks: compromised SonicWall SSL VPN accounts. The attack vector relies on a critical SSL VPN access control flaw tracked as CVE-2024-40766, which SonicWall patched in late August 2024. Devices that were not updated remained exposed, and Arctic Wolf security researchers subsequently reported Akira ransomware affiliates using the flaw to gain initial access to victim networks.
Exploitation of this flaw has resulted in at least 30 intrusions attributed to either Fog or Akira. In most cases the threat actors connected through a VPN or VPS provider, obscuring their real IP addresses, and picked victims whose SSL VPN accounts lacked multi-factor authentication and whose SSL VPN service still listened on the default port 4433.
Arctic Wolf notes that in intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) was observed. These were followed by several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully. A completed login with that sequence from an unexpected source address, particularly a hosting or VPN provider range, is the pattern worth hunting for in your own logs.
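As an added example (not code from the article, Arctic Wolf or SonicWall), the following Python script turns the log pattern above into a simple detection: it pairs a 238/1080 "login allowed" event with a following 1079 INFO event for the same user, then flags the completed session if the source address falls in a VPS/VPN hosting range or the destination is the default SSL VPN port 4433. The key=value syslog layout (m=, msg=, src=, dst=, usr=), the "ip:port:interface" endpoint format, the sample lines and the SUSPECT_SOURCE_RANGES list are all constructed for illustration; replace them with your firewall's real export format and a real hosting/VPN reputation feed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Event IDs the article reports around the SSL VPN logins.
LOGIN_ALLOWED_IDS = {"238", "1080"}  # WAN / SSL VPN zone remote user login allowed
LOGIN_INFO_ID = "1079"               # SSL VPN INFO: login and IP assignment completed
DEFAULT_SSLVPN_PORT = 4433

# Placeholder for VPS/VPN hosting space (assumption: RFC 5737 documentation range).
# In production, load this from a threat-intel or hosting-provider IP feed.
SUSPECT_SOURCE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in a SonicWall-style key=value syslog layout (assumed format).
SAMPLE_LOGS = """\
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:14:07 UTC" fw=203.0.113.10 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" src=198.51.100.23:51234:X1 dst=203.0.113.10:4433:X1 usr="jsmith"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:14:08 UTC" fw=203.0.113.10 pri=6 m=1079 msg="SSL VPN INFO: user logged in, IP assigned" usr="jsmith"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:20:00 UTC" fw=203.0.113.10 pri=6 m=1080 msg="SSL VPN zone remote user login allowed" src=192.0.2.5:44100:X1 dst=203.0.113.10:4433:X1 usr="alice"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:20:02 UTC" fw=203.0.113.10 pri=6 m=1079 msg="SSL VPN INFO: user logged in, IP assigned" usr="alice"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:25:00 UTC" fw=203.0.113.10 pri=6 m=238 msg="WAN zone remote user login allowed" src=192.0.2.77:50001:X1 dst=203.0.113.10:8443:X1 usr="bob"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:25:01 UTC" fw=203.0.113.10 pri=6 m=1079 msg="SSL VPN INFO: user logged in, IP assigned" usr="bob"
id=firewall sn=0017C5XXXXXX time="2024-09-02 03:26:00 UTC" fw=203.0.113.10 pri=6 m=97 msg="Web site access" src=192.0.2.9:40000:X0 dst=203.0.113.44:443:X1
"""

_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split a key=value syslog line into a dict, unquoting quoted values."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def endpoint(value):
    """'198.51.100.23:51234:X1' -> ('198.51.100.23', 51234); IPv4 only (assumption)."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")


def find_suspicious_logins(lines, window=timedelta(seconds=30)):
    """Return completed SSL VPN logins (238/1080 followed by 1079 for the same user
    within `window`) whose source range or destination port is suspicious."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev.get("m") not in LOGIN_ALLOWED_IDS:
            continue
        user = ev.get("usr")
        t0 = parse_time(ev["time"])
        completed = any(
            later.get("m") == LOGIN_INFO_ID
            and later.get("usr") == user
            and t0 <= parse_time(later["time"]) <= t0 + window
            for later in events[i + 1:]
        )
        if not completed:
            continue  # login allowed but never finished; out of scope here
        src_ip, _ = endpoint(ev["src"])
        _, dst_port = endpoint(ev["dst"])
        reasons = []
        if any(ipaddress.ip_address(src_ip) in net for net in SUSPECT_SOURCE_RANGES):
            reasons.append("source in VPS/VPN hosting range")
        if dst_port == DEFAULT_SSLVPN_PORT:
            reasons.append("SSL VPN on default port 4433")
        if reasons:
            findings.append({"time": ev["time"], "user": user, "src": src_ip,
                             "event": ev["m"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGS.splitlines()):
        print(f"{f['time']} user={f['user']} src={f['src']} event={f['event']}: "
              + "; ".join(f["reasons"]))
```

The default-port check on its own is weak evidence (every unchanged deployment trips it), so treat it as a prioritisation hint and the hosting-range match as the real alert; the user pairing is what separates a completed session from a login attempt that the firewall allowed but that never obtained an IP.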
In the subsequent stages of the attack, the threat actors moved quickly to encrypt data, targeting mainly virtual machines and their backups. Data theft from breached systems involved documents and proprietary software, and the attackers filtered what they took by file age, using a six-month cutoff for general documents and a 30-month cutoff for more sensitive files.
This campaign is part of a broader trend of ransomware groups using compromised VPN credentials for initial access. Akira, a far more established player in the ransomware space, recently had problems with access to its Tor sites, but those are gradually coming back online.
The exploitation of CVE-2024-40766 highlights the importance of keeping edge devices up to date and making sure every network and endpoint is patched against known vulnerabilities. Organizations should patch their SonicWall firewalls immediately, reset the passwords of all SSL VPN accounts rather than only those known to be compromised (any account exposed before the patch may already have been abused), enable multi-factor authentication on every SSL VPN account, and review firewall logs for the login sequence described above.
Related Information:
https://www.bleepingcomputer.com/news/security/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/
https://nvd.nist.gov/vuln/detail/CVE-2024-40766
https://www.cvedetails.com/cve/CVE-2024-40766/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
Published: Sun Oct 27 17:39:10 2024 by llama3.2 3B Q4_K_M