Fog ransomware targets SonicWall VPNs to breach corporate networks
Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.
SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.
At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.
A new report by Arctic Wolf warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.
Of these cases, 75% are linked to Akira, with the rest attributed to Fog ransomware operations.
Interestingly, the two threat groups appear to share infrastructure, which shows the continuation of an unofficial collaboration between the two, as previously documented by Sophos.
While the researchers aren't 100% positive the flaw was used in all cases, all of the breached endpoints were vulnerable to it, running an older, unpatched version.
In most cases, the time from intrusion to data encryption was short, at about ten hours, even reaching 1.5-2 hours on the quickest occasions.
In many of these attacks, the threat actors accessed the endpoint via VPN/VPS, obfuscating their real IP addresses.
Arctic Wolf notes that apart from operating unpatched endpoints, compromised organizations did not appear to have enabled multi-factor authentication on the compromised SSL VPN accounts and run their services on the default port 4433.
"In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed," explains Artic Wolf.
"Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully."
In the subsequent stages, the threat actors engaged in rapid encryption attacks targeting mainly virtual machines and their backups.
Data theft from breached systems involved documents and proprietary software, but the threat actors didn't bother with files that were older than six months, or 30 months old for more sensitive files.
Launched in May 2024, Fog ransomware is a growing operation whose affiliates tend to use compromised VPN credentials for initial access.
Akira, a far more established player in the ransomware space, has recently had Tor website access problems, as observed by BleepingComputer, but those are gradually returning online now.
Windows 11 24H2: The hardware and software blocking the new update
Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
CWE-939 Improper Authorization in Handler for Custom URL Scheme
CWE-687 Function Call With Incorrectly Specified Argument Value
CWE-215 Insertion of Sensitive Information Into Debugging Code
CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
CWE-155 Improper Neutralization of Wildcards or Matching Symbols
Free online web security scanner
