Fog ransomware targets SonicWall VPNs to breach corporate networks

Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.

SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.

At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.

A new report by Arctic Wolf warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.

Interestingly, the two threat groups appear to share infrastructure, which shows the continuation of an unofficial collaboration between the two, as previously documented by Sophos.

While the researchers aren't 100% positive the flaw was used in all cases, all of the breached endpoints were vulnerable to it, running an older, unpatched version.

Leave a Comment