Fog and Akira Exploit Critical Vulnerabilities

Ransomware

October 31, 2024

Recently, a vulnerability in SonicWall SonicOS management access and SSL VPN (CVE-2024-40766) was exploited on unpatched devices, leading to at least 30 intrusions by the Fog and Akira ransomware groups. Research indicates possible infrastructure sharing between the two groups. A separate vulnerability in Veeam Backup and Replication products (CVE-2024-40711) was exploited for remote code execution and used to obtain passwords.

First identified in April 2024, Fog ransomware typically targets the education sector and industries such as travel, finance, and manufacturing. The unidentified threat actors are financially motivated, and recent victimology indicates that attacks have become more opportunistic. They typically gain initial access through compromised VPN credentials, and their attacks affect both Windows and Linux systems.

During these recent attacks, malicious logins were traced to IP addresses associated with Virtual Private Server (VPS) hosting, a signal that allows for potential early detection. None of the impacted SonicWall devices were patched, and all lacked multi-factor authentication (MFA), leading to an alarmingly short timeframe between VPN access and the subsequent ransomware encryption. Analysts assess that approximately 168,000 vulnerable SonicWall endpoints are publicly exposed.
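As an added illustration (not from the original advisory), the following Python detector implements the early-warning signal described above: successful SSL VPN logins that originate from VPS-hosting address ranges or that completed without MFA. The log format, field names and the VPS prefix list are constructed assumptions, not SonicWall's actual log schema or any real hosting-provider feed.

```python
import ipaddress
import re

# Constructed (not real) CIDR blocks standing in for VPS-hosting providers.
# In practice, populate this from an ASN or hosting-provider reputation feed.
VPS_HOSTING_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed log lines in a hypothetical syslog-style SSL VPN format;
# the field names are assumptions, not SonicWall's actual schema.
SAMPLE_LOGS = """\
2024-10-01T02:14:07Z vpn=sslvpn user=jdoe src=203.0.113.45 event=login status=success mfa=none
2024-10-01T02:14:09Z vpn=sslvpn user=asmith src=192.0.2.10 event=login status=success mfa=totp
2024-10-01T02:15:30Z vpn=sslvpn user=backup-svc src=198.51.100.7 event=login status=success mfa=none
2024-10-01T02:16:02Z vpn=sslvpn user=asmith src=192.0.2.10 event=login status=failure mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn=\S+ user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=login status=(?P<status>\S+) mfa=(?P<mfa>\S+)$"
)


def is_vps_hosted(ip):
    """True if the source address falls inside a known VPS-hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_HOSTING_PREFIXES)


def find_suspicious_logins(log_text):
    """Return successful VPN logins worth hunting on, with the reason(s):
    a VPS-hosted source address and/or a login completed without MFA."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "success":
            continue  # malformed line or failed login: not a completed access
        vps = is_vps_hosted(m["src"])
        no_mfa = m["mfa"] == "none"
        if vps or no_mfa:
            reasons = [r for r, hit in (("vps-hosted-source", vps), ("no-mfa", no_mfa)) if hit]
            alerts.append({"time": m["ts"], "user": m["user"],
                           "src": m["src"], "reasons": reasons})
    return alerts
```

Because the reported intrusions moved from VPN login to encryption quickly, such alerts are most useful when they page an analyst immediately rather than land in a daily report.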

Recommendations

  • Keep systems up to date and apply patches after appropriate testing.
  • Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
  • Enforce the principles of least privilege, use strong, unique passwords, and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Implement a defense-in-depth strategy using multiple layers of security controls, including firewalls, intrusion detection systems, anti-virus software, and EDR. Creating redundancy can reduce risk and increase resiliency to cyber threats.
  • Conduct continuous monitoring and threat hunting. Ingest IOCs and techniques found in the Arctic Wolf Labs blog post into endpoint security solutions and consider leveraging behavior-based detection tools rather than signature-based tools.