A Critical Vulnerability and its Exploitation
A significant cybersecurity threat has emerged, with the Fog ransomware operation actively exploiting a critical vulnerability in SonicWall VPNs to gain unauthorized access to corporate networks. This vulnerability, tracked as CVE-2024-40766, is a flaw in SonicWall’s SSL VPN access control, allowing malicious actors to bypass security measures and infiltrate target systems.
The vulnerability was patched by SonicWall in late August 2024, but the rapid exploitation demonstrates the urgency of prompt patching and proactive security measures. The Fog ransomware, along with its apparent collaborator, Akira ransomware, has leveraged this flaw to execute at least 30 successful intrusions. Arctic Wolf security researchers have been instrumental in uncovering this widespread attack campaign.
The Scale and Speed of the Fog Ransomware Attacks
The scale of the attacks is alarming. Arctic Wolf’s report indicates that 75% of the 30 intrusions are linked to Akira ransomware, with the remaining 25% attributed to Fog ransomware operations. The collaboration between these two threat groups is noteworthy, suggesting a potentially coordinated and sophisticated operation.
The shared infrastructure used by both groups further strengthens this hypothesis, echoing previous observations by Sophos regarding their unofficial collaboration. While researchers cannot confirm with 100% certainty that CVE-2024-40766 was used in every instance, all compromised endpoints were vulnerable to the exploit because they were running older, unpatched versions of the SonicWall software.
The speed of the attacks is equally concerning. The time between initial intrusion and data encryption is remarkably short, averaging around ten hours, with some instances completing the encryption process in as little as 1.5 to 2 hours. This rapid execution emphasizes the effectiveness of the attack method and the significant damage inflicted in a short timeframe. The threat actors often masked their real IP addresses by accessing the endpoint via VPN/VPS, making tracing and attribution more challenging.
Technical Details and Mitigation Strategies
The Arctic Wolf report highlights several factors contributing to the success of these attacks. These include:
- Unpatched Endpoints: Organizations running older, unpatched versions of SonicWall’s SSL VPN software were particularly vulnerable. This underscores the critical importance of regularly updating software and applying security patches promptly.
- Lack of Multi-Factor Authentication (MFA): The absence of MFA on the compromised SSL VPN accounts significantly weakened security. Implementing MFA is a crucial step in enhancing the security posture of any organization.
- Default Port Usage: The use of the default port 4433 for SSL VPN services made it easier for attackers to target these systems. Changing to a non-standard port adds a further layer of security.
Arctic Wolf’s analysis of firewall logs revealed specific event IDs associated with successful logins: message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed), followed by SSL VPN INFO log messages (event ID 1079) indicating successful login and IP assignment.
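As an added example (not code from the article or from Arctic Wolf), the following Python script shows one way a defender could turn those event IDs into a review list: it parses a small constructed batch of key=value-style firewall log lines, pairs each "remote user login allowed" event (238 or 1080) with the SSL VPN INFO event (1079) that follows for the same user and source address, and reports which remote logins were actually established. The log field names (`time`, `m`, `msg`, `src`, `usr`), message texts, timestamps and addresses are all assumptions made up for this example; real appliance output will need its own field mapping.

```python
import re
from datetime import datetime

# Event IDs named in the Arctic Wolf report as quoted in the article.
LOGIN_ALLOWED_IDS = {238, 1080}  # WAN zone / SSL VPN zone remote user login allowed
SSLVPN_INFO_ID = 1079            # SSL VPN INFO: successful login and IP assignment

# Constructed sample lines in a generic key=value syslog style. The field
# names (time, m, msg, src, usr), message texts, users and addresses are
# assumptions made for this example, not output from a real SonicWall device.
SAMPLE_LOGS = """\
time="2024-09-10 02:14:07" m=238 msg="WAN zone remote user login allowed" src=203.0.113.45 usr=jdoe
time="2024-09-10 02:14:09" m=1079 msg="SSL VPN INFO: login succeeded, IP assigned" src=203.0.113.45 usr=jdoe
time="2024-09-10 02:20:30" m=1080 msg="SSL VPN zone remote user login allowed" src=198.51.100.7 usr=svc_backup
time="2024-09-10 03:05:11" m=1079 msg="SSL VPN INFO: login succeeded, IP assigned" src=198.51.100.7 usr=svc_backup
time="2024-09-10 04:00:00" m=1080 msg="SSL VPN zone remote user login allowed" src=192.0.2.9 usr=asmith
time="2024-09-10 04:00:02" m=33 msg="Connection opened" src=192.0.2.9 usr=asmith
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; m becomes int, time a datetime."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["m"] = int(fields["m"])
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate_vpn_logins(text, window_seconds=300):
    """Pair each 'remote user login allowed' event (238/1080) with the SSL VPN
    INFO event (1079) for the same user and source that follows it within
    window_seconds. A pair means a session was really established and an
    address assigned; an unpaired 238/1080 is weaker evidence but still
    listed so an analyst can review it."""
    events = sorted(parse_logs(text), key=lambda e: e["time"])
    sessions = []
    for i, ev in enumerate(events):
        if ev["m"] not in LOGIN_ALLOWED_IDS:
            continue
        confirmed_at = None
        for later in events[i + 1:]:
            if (later["time"] - ev["time"]).total_seconds() > window_seconds:
                break  # events are time-ordered, nothing further can match
            if (later["m"] == SSLVPN_INFO_ID
                    and later["src"] == ev["src"] and later["usr"] == ev["usr"]):
                confirmed_at = later["time"]
                break
        sessions.append({
            "usr": ev["usr"],
            "src": ev["src"],
            "login_time": ev["time"],
            "login_event": ev["m"],
            "confirmed": confirmed_at is not None,
            "seconds_to_confirm": (confirmed_at - ev["time"]).total_seconds()
            if confirmed_at else None,
        })
    return sessions


def confirmed_sessions(text, window_seconds=300):
    """Only the remote logins for which an IP assignment (1079) was seen."""
    return [s for s in correlate_vpn_logins(text, window_seconds) if s["confirmed"]]


if __name__ == "__main__":
    for s in correlate_vpn_logins(SAMPLE_LOGS):
        status = "CONFIRMED" if s["confirmed"] else "unconfirmed"
        print(f'{s["login_time"]} {s["usr"]:<12} {s["src"]:<15} '
              f'event {s["login_event"]} {status}')
```

Run against the constructed sample, the script confirms one session (jdoe, address assigned two seconds after the login was allowed) and lists two unconfirmed login-allowed events; widening the window to an hour also pairs the svc_backup login. Every remote login reported this way, confirmed or not, is a candidate for checking against the expected user population and source addresses, especially on an appliance that was unpatched during the exploitation window the article describes.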
Following successful intrusion, the threat actors quickly encrypted data, primarily targeting virtual machines and their backups. Stolen data included documents and proprietary software, but the attackers showed selectivity, ignoring files older than six months, or 30 months for highly sensitive data.
The Fog Ransomware Operation and its Tactics
Launched in May 2024, Fog ransomware is a relatively new but rapidly growing operation. Its affiliates frequently leverage compromised VPN credentials for initial access, highlighting the effectiveness of this attack vector. The attackers’ preference for virtual machines and their backups suggests a strategic approach aimed at maximizing disruption and data loss.
Further Developments and Ongoing Threats
Japanese researcher Yutaka Sejiyama has estimated that approximately 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766 and are exposed to the internet. Adding to the concern, Sejiyama has also indicated that Black Basta ransomware may be exploiting the same vulnerability. This expansion of the threat landscape underscores the ongoing and evolving nature of these attacks. The situation calls for immediate action from organizations to mitigate their risk.
The Fog ransomware attacks targeting SonicWall VPNs serve as a stark reminder of the importance of proactive security measures. Organizations must prioritize regular software updates, implement robust multi-factor authentication, and adopt a layered security approach to protect against these sophisticated and rapidly evolving threats. The speed and efficiency of these attacks emphasize the need for vigilance and swift response to security vulnerabilities. Failing to address these vulnerabilities leaves organizations highly susceptible to devastating ransomware attacks. The Fog ransomware and its methods should be a wake-up call for businesses of all sizes.