Fog and Akira Ransomware Attacks Exploit SonicWall VPN Flaw CVE-2024-40766
Published on October 29, 2024 by Pierluigi Paganini

In a concerning surge of cyberattacks, Fog and Akira ransomware operators are exploiting a critical flaw within the SonicWall VPN infrastructure, known as CVE-2024-40766, which bears a notably high CVSS score of 9.3. This vulnerability allows malicious actors to breach enterprise networks via SSL VPN access, signalling a significant escalation in the frequency and intensity of ransomware activity.
Understanding CVE-2024-40766
CVE-2024-40766 is categorized as an improper access control vulnerability affecting SonicWall’s SonicOS. Identified and addressed in August 2024, this flaw poses a significant risk by enabling unauthorized access to resources and potentially causing firewalls to crash under certain conditions. SonicWall’s advisory highlights that affected devices include Gen 5, Gen 6, and certain Gen 7 devices running outdated versions of SonicOS.
As SonicWall noted, “An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN.” The company has urged customers to apply the necessary patches without delay, emphasizing that the vulnerability is actively being exploited in the wild.
The Actual Risks
The implications of CVE-2024-40766 are dire. Threat actors leveraging this vulnerability can gain unauthorized access to corporate resources and potentially disrupt overall network operations by crashing impacted firewalls. Experts recommend limiting firewall management to trusted sources or disabling WAN management entirely to mitigate risks. For SSLVPN users, restricting access to trusted sources or completely disabling Internet access is crucial.
Rise in Ransomware Activity
Research by Arctic Wolf Labs has revealed alarming trends, with over 30 confirmed cases of Akira and Fog ransomware intrusions utilizing unpatched SonicWall SSL VPNs since August 2024. This spike in ransomware incidents corresponds with increased activity by these groups and reflects a notable shift in their tactics: in previous months their intrusions spanned an array of firewall brands, whereas they are now focusing their attacks primarily on SonicWall appliances.
Quick Attack Timeline
The speed at which these attacks unfold is particularly troubling. Analysts found that the timeframe from initial SSL VPN access to executing ransom or encryption objectives can be shockingly brief—ranging from just 1.5 to 2 hours in some cases, and up to 10 hours in others. This rapid progression underscores the urgency for organizations to secure their SonicWall devices and ensure that any vulnerabilities are addressed promptly.
Credential Compromise Concerns
While there is no conclusive evidence directly linking CVE-2024-40766 to the exploitation of SonicWall appliances, researchers suspect that compromised VPN credentials may have originated from prior data breaches. Arctic Wolf’s investigations indicate that many affected organizations lacked proper visibility into their firewall logs, which hindered thorough analysis of the ransomware attacks. In several incidents, existing accounts were found compromised, further complicating the security landscape.
Recommendations for Organizations
SonicWall and cybersecurity experts continue to stress the importance of immediate action. Failing to apply the latest patches or implement suggested workarounds increases vulnerability to such attacks. Organizations are encouraged to enforce stringent access controls, monitor VPN usage closely, and establish alerts for unusual login activities to safeguard their networks against these emerging threats.
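The two controls recommended above, restricting SSL VPN access to trusted sources (under "The Actual Risks") and alerting on unusual login activity (this section), can be checked against exported firewall logs with a short script. The following is an added example written for this article; it is not code from the article, from Arctic Wolf, or from SonicWall. The key=value log format, the trusted ranges, the usernames and the IP addresses are all constructed for illustration and do not reproduce SonicOS's real syslog schema, so the parser would need to be adapted to the actual export format.

```python
"""Review SSL VPN login records for two conditions the article recommends watching:
(1) successful logins from sources outside an approved allowlist, and
(2) one account logging in from two different sources within a short window,
    which is one signal that a credential may be in someone else's hands.

Added example, not from the article or from SonicWall. The log format below is a
constructed, simplified key=value layout, not the real SonicOS syslog schema.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (made-up users, times and RFC 5737 documentation addresses).
SAMPLE_LOG = """\
time="2024-09-02 01:12:05" cat=SSLVPN msg="login succeeded" usr=jsmith src=198.51.100.23
time="2024-09-02 01:12:40" cat=SSLVPN msg="login succeeded" usr=jsmith src=203.0.113.77
time="2024-09-02 01:13:10" cat=SSLVPN msg="login succeeded" usr=admin src=203.0.113.77
time="2024-09-02 03:40:00" cat=SSLVPN msg="login succeeded" usr=kdoe src=10.20.30.40
time="2024-09-02 09:15:22" cat=SSLVPN msg="login failed" usr=admin src=203.0.113.77
"""

# Assumption: the organisation has defined which source ranges are trusted for
# SSL VPN (e.g. an office egress range and an internal management network).
TRUSTED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("10.20.30.0/24"),
]

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)" cat=(?P<cat>\S+) msg="(?P<msg>[^"]+)" '
    r'usr=(?P<usr>\S+) src=(?P<src>\S+)'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_trusted(ip):
    """True if the address falls inside one of the approved source ranges."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in TRUSTED_SOURCES)


def find_alerts(log_text, window=timedelta(minutes=10)):
    """Return a list of alert dicts for the conditions described at the top of the file."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    successes = [e for e in events if e["cat"] == "SSLVPN" and e["msg"] == "login succeeded"]
    alerts = []

    # Condition 1: successful SSL VPN login from outside the trusted ranges.
    for e in successes:
        if not is_trusted(e["src"]):
            alerts.append({"reason": "untrusted_source", "usr": e["usr"],
                           "src": str(e["src"]), "time": e["time"].isoformat()})

    # Condition 2: the same account succeeding from two different sources within `window`.
    by_user = defaultdict(list)
    for e in successes:
        by_user[e["usr"]].append(e)
    for usr, evs in by_user.items():
        evs.sort(key=lambda x: x["time"])
        for earlier, later in zip(evs, evs[1:]):
            if earlier["src"] != later["src"] and later["time"] - earlier["time"] <= window:
                alerts.append({"reason": "multi_source_login", "usr": usr,
                               "src": str(later["src"]), "time": later["time"].isoformat()})
    return alerts


def summarize(alerts):
    """Count alerts by reason so a reviewer can see the shape of the findings at a glance."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["reason"]:18} user={a["usr"]} src={a["src"]}')
    print(summarize(found))
```

Run against the constructed sample, the script flags the two successes from 203.0.113.77 as coming from an untrusted source and flags jsmith's second login because it followed a login from a different address 35 seconds earlier. A failed login is deliberately not counted here; brute-force or password-spray detection would be a separate rule. The article also notes that many affected organisations lacked visibility into their firewall logs, which is the prerequisite this kind of review depends on: without SSL VPN login events being exported and retained, neither condition can be evaluated after the fact.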
Implications for the Future
As ransomware groups like Fog and Akira refine their techniques, the potential for widespread damage increases. Organizations must remain vigilant, understanding that the landscape of cyber threats is evolving and that proactive measures are essential to maintaining cybersecurity defenses. Keeping software up to date, educating staff on phishing risks, and regularly auditing network access are crucial strategies in an increasingly hostile digital environment.
Stay informed of the ongoing developments regarding CVE-2024-40766 and reinforce your cybersecurity posture today.