Fog and Akira ransomware operators are exploiting the critical SonicWall VPN vulnerability CVE-2024-40766 (CVSS v3 score: 9.3) to breach corporate networks via SSL VPN access.
CVE-2024-40766 is an Improper Access Control Vulnerability impacting SonicWall SonicOS, the company addressed it in August 2024.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” reads the SonicWall’s advisory.
“This issue affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com“
In September, SonicWall warned that the flaw CVE-2024-40766 in SonicOS is now potentially exploited in attacks.
“This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com,” warns the updated SonicWall advisory.
Threat actors can exploit the vulnerability to gain unauthorized resource access and crash the impacted firewalls.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” reads the advisory.
The company urges customers to apply patches as soon as possible. The vendor also provided a workaround to minimize potential risks, they recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. Similarly, for SSLVPN, ensure that access is limited to trusted sources or disable SSLVPN access from the Internet.
Arctic Wolf researchers detected over 30 Akira and Fog ransomware intrusions since August, all leveraging unpatched SonicWall SSL VPNs (CVE-2024-40766). The experts noticed shared IP infrastructure behind the attacks.
“In early August, Arctic Wolf Labs began observing a marked increase in Fog and Akira ransomware intrusions where initial access to victim environments involved the use of SonicWall SSL VPN accounts.” reads the advisory. “Based on victimology data showing a variety of targeted industries and organization sizes, we assess that the intrusions are likely opportunistic, and the threat actors are not targeting a specific set of industries.”
Prior to August 2024, Fog and Akira ransomware attacks targeted a variety of firewall brands. However, since early August they focused SonicWall appliances. The researchers observed 30 new ransomware infections between the start of August until mid-October 2024. Akira ransomware was deployed in approximately 75% of the attacks, and Fog ransomware was deployed in the remaining 25% instances. The duration between initial SSL VPN access to acting on ransom/encryption objectives was as short as 1.5 to 2 hours in some intrusions, while in other intrusions the interval was closer to 10 hours.
There’s no conclusive evidence that CVE-2024-40766 and other remote code execution vulnerabilities were exploited to compromise SonicWall appliances. The researchers speculate that the VPN credentials may have been acquired through other means, like data breaches.
“Based on intrusions investigated by Arctic Wolf since early August, a significant amount of activity was observed involving Fog and Akira ransomware in environments using the SonicWall SSL VPN service. Visibility gaps hampered analysis of firewall logs across a subset of intrusions, while others suggested that existing accounts had been compromised.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SonicWall)