Fog and Akira Ransomware Exploit SonicWall VPN Flaw
Fog and Akira ransomware gangs are targeting SonicWall VPNs to infiltrate corporate networks, exploiting the critical CVE-2024-40766 flaw recently revealed in SonicWall’s SSL VPN system. Discovered and patched in August 2024, this flaw remains a risk as some organizations have yet to apply the necessary updates.
Security researchers from Arctic Wolf disclosed that over 30 corporate breaches have been linked to this vulnerability, affecting companies worldwide. These breaches predominantly involve Akira affiliates, with 75% of reported intrusions connected to Akira and the remainder to Fog ransomware. Both groups seem to use shared infrastructure, suggesting an ongoing collaboration.
In these incidents, attackers accessed vulnerable networks by exploiting outdated SonicWall VPN accounts. Upon logging in, the threat actors moved quickly — sometimes encrypting critical data within just two hours.
Arctic Wolf found that these rapid attacks primarily targeted virtual machines and backups, aiming to cause maximum disruption. Breached organizations often kept the VPN service on its default port, 4433, making it easier to find and attack. MFA was not enabled in any of the intrusions.
Logs reviewed by Arctic Wolf provided further insight into how these breaches progressed. Events labeled “WAN zone remote user login allowed” (ID 238) and “SSL VPN zone remote user login allowed” (ID 1080) indicated access points for attackers. Once inside, further event logs (ID 1079) showed that attackers successfully completed login and IP assignments.
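As an added illustration, not Arctic Wolf's or SonicWall's own tooling, the script below shows how a defender could pull those three event IDs out of SonicWall-style syslog, pair each "login allowed" event with the following 1079 record for the same user, and list completed logins by accounts that are no longer expected to be in use. The sample lines and the key=value record layout (including `m=` carrying the event ID) are constructed assumptions for the example.

```python
import re

# Event IDs quoted in the Arctic Wolf findings
LOGIN_ALLOWED_IDS = {238, 1080}   # WAN / SSL VPN zone remote user login allowed
LOGIN_COMPLETED_ID = 1079         # login completed and client IP assigned

# Constructed sample records in a SonicWall-like key=value syslog layout; not real logs.
SAMPLE_LOGS = [
    'id=sslvpn m=238 time="2024-09-30 02:14:07" msg="WAN zone remote user login allowed" usr="svc_backup_old" src=203.0.113.7',
    'id=sslvpn m=1079 time="2024-09-30 02:14:09" msg="SSL VPN user login completed" usr="svc_backup_old" src=203.0.113.7',
    'id=sslvpn m=1080 time="2024-09-30 08:02:11" msg="SSL VPN zone remote user login allowed" usr="alice" src=198.51.100.20',
    'id=sslvpn m=1079 time="2024-09-30 08:02:12" msg="SSL VPN user login completed" usr="alice" src=198.51.100.20',
    'id=sslvpn m=1080 time="2024-09-30 23:41:55" msg="SSL VPN zone remote user login allowed" usr="jsmith_contractor" src=203.0.113.9',
]

# key=value pairs; values may be double-quoted (and then may contain spaces)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict, unquoting quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}


def completed_logins(lines):
    """Pair each 'login allowed' event with the next 1079 event for the same user.

    Returns a list of (usr, src, time_of_allowed_event); a login that is allowed but
    never reaches 1079 (e.g. the last sample line) is not counted as a session.
    """
    pending, sessions = {}, []
    for rec in (parse_line(l) for l in lines):
        try:
            event_id, usr = int(rec.get("m", -1)), rec.get("usr")
        except ValueError:
            continue  # malformed or non-numeric event ID
        if event_id in LOGIN_ALLOWED_IDS:
            pending[usr] = rec
        elif event_id == LOGIN_COMPLETED_ID and usr in pending:
            first = pending.pop(usr)
            sessions.append((usr, rec.get("src"), first.get("time")))
    return sessions


def flag_dormant_account_logins(lines, active_accounts):
    """Completed VPN logins by accounts outside the set still expected to be in use.

    The intrusions were tied to outdated VPN accounts, so this gives a short review list
    rather than every login; active_accounts is an assumed allowlist supplied by the reader.
    """
    return [s for s in completed_logins(lines) if s[0] not in active_accounts]
```

Running `flag_dormant_account_logins(SAMPLE_LOGS, {"alice"})` on the constructed records returns only the `svc_backup_old` session, since `jsmith_contractor` never produced a 1079 event.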
Attackers primarily focused on recent documents, often ignoring files older than six months. For more sensitive records, however, the threshold increased to 30 months.
Fog ransomware, launched in May 2024, continues to grow, and its affiliates tend to use compromised VPN credentials. Akira had recently experienced disruptions to its Tor site but has since resumed operations.
Japanese researcher Yutaka Sejiyama estimates that around 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766 globally, underscoring the urgency for organizations to patch their systems and implement security measures like MFA.
Similar attacks occurred in the first half of 2023 when SonicWall experienced 150 million ransomware delivery attempts. Akira has also previously exploited Cisco VPN products.