Since early August there has been a marked increase in Fog and Akira ransomware intrusions against organizations running SonicWall SSL VPN, across a wide range of industries. The attacks appear opportunistic rather than aimed at particular sectors. Every affected device was running SonicOS firmware without the patch for CVE-2024-40766. Initial access took the form of SSL VPN logins originating from VPS hosting provider IP addresses rather than from the victims' usual networks, followed by rapid progression to data theft and encryption, often within hours of the first login. The same attacker infrastructure was observed across multiple intrusions. Defenders are advised to prioritize SonicOS firmware updates that address CVE-2024-40766, monitor for SSL VPN logins from unexpected sources such as hosting providers, maintain secure offsite backups, and watch for post-compromise activity on endpoints. Author: AlienVault
Related Tags:
sonicwall
FoggyWeb – S0661
cve-2024-40766
T1048.003
T1560.001
initial access
T1078.002
data exfiltration
T1567.002
Associated Indicators:
A8A7FDBBC688029C0D97BF836DA9ECE926A85E78986D0E1EBD9B3467B3A72258
D7E11B178FCC3D1EE7F6AD3DCE6DA2EA043DE64D521CF3578FB09031CBDB0AE2
64C154AB8D7962FC7BEEB2EB8B3893BBFB0BADEFC96EAAFCFD0A9ADC17720BFF
18B967BD7A44F60521DD123DEA0DAF278572089B558B2E5632A6C06D9AAD4529
47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74
746475F67CD3456551C5CD9C6205C9754B2AEF17472AF1B40D41904DF2337A2B
E6B34A589E61B155AB70F11F8F7393316C9A3189
AD739C2E9985161BC2FF9ED3A9A393CA
397550D976529ADD28274EF3ADCFF132
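The summary above advises monitoring for VPN logins from hosting providers and matching the listed indicators. The following is an added example of that detection logic, not code from the pulse or its author. It assumes a constructed key=value syslog layout for SonicWall SSL VPN login events (the field names and sample lines are made up for illustration and are not verbatim device output), a constructed list of hosting CIDRs standing in for a real ASN or hosting feed, and constructed observed file hashes; the IOC hashes themselves are the ones listed on this page.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed: hosting/VPS ranges that no employee would normally log in from.
# A real deployment would populate this from an ASN/hosting feed or an allowlist
# of the organization's own egress ranges inverted into a denylist.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# File hashes (SHA-256, SHA-1, MD5) from this page's indicator list, lowercased.
IOC_HASHES = {h.lower() for h in (
    "A8A7FDBBC688029C0D97BF836DA9ECE926A85E78986D0E1EBD9B3467B3A72258",
    "D7E11B178FCC3D1EE7F6AD3DCE6DA2EA043DE64D521CF3578FB09031CBDB0AE2",
    "64C154AB8D7962FC7BEEB2EB8B3893BBFB0BADEFC96EAAFCFD0A9ADC17720BFF",
    "18B967BD7A44F60521DD123DEA0DAF278572089B558B2E5632A6C06D9AAD4529",
    "47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74",
    "746475F67CD3456551C5CD9C6205C9754B2AEF17472AF1B40D41904DF2337A2B",
    "E6B34A589E61B155AB70F11F8F7393316C9A3189",
    "AD739C2E9985161BC2FF9ED3A9A393CA",
    "397550D976529ADD28274EF3ADCFF132",
)}

# Constructed SonicWall-style key=value log lines (illustrative, not real output).
SAMPLE_LOGS = """\
time="2024-08-12 02:14:03" fw=10.0.0.1 msg="SSL VPN login successful" usr=jsmith src=203.0.113.45 dst=10.0.0.1
time="2024-08-12 02:15:10" fw=10.0.0.1 msg="SSL VPN login successful" usr=mlee src=192.0.2.10 dst=10.0.0.1
time="2024-08-12 02:40:51" fw=10.0.0.1 msg="SSL VPN login successful" usr=jsmith src=198.51.100.7 dst=10.0.0.1
time="2024-08-12 09:01:00" fw=10.0.0.1 msg="SSL VPN login failed" usr=admin src=203.0.113.9 dst=10.0.0.1
"""

# Constructed hashes "observed" on an endpoint: one IOC, one non-IOC, one IOC in upper case.
OBSERVED_HASHES = [
    "a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258",
    "deadbeef" * 8,
    "AD739C2E9985161BC2FF9ED3A9A393CA",
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict."""
    return {key: quoted if quoted else bare for key, _, quoted, bare in KV_RE.findall(line)}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_hosting_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in HOSTING_RANGES)


def successful_logins(log_text):
    """Only successful SSL VPN logins matter for initial-access detection."""
    return [f for f in map(parse_line, log_text.splitlines())
            if f.get("msg") == "SSL VPN login successful"]


def suspicious_vpn_logins(log_text):
    """(usr, src, time) for successful logins whose source is a hosting range."""
    return [(f["usr"], f["src"], f["time"])
            for f in successful_logins(log_text) if is_hosting_ip(f["src"])]


def users_with_multiple_sources(log_text, window=timedelta(hours=1)):
    """Users who logged in successfully from two different IPs within `window`.

    Catches a legitimate user's session being followed by an attacker reusing
    the same credentials from a different host."""
    by_user = {}
    for f in successful_logins(log_text):
        by_user.setdefault(f["usr"], []).append((parse_time(f["time"]), f["src"]))
    flagged = set()
    for usr, events in by_user.items():
        events.sort()
        for i in range(len(events)):
            for j in range(i + 1, len(events)):
                if events[j][0] - events[i][0] > window:
                    break  # events are sorted, later ones are further away
                if events[j][1] != events[i][1]:
                    flagged.add(usr)
    return sorted(flagged)


def match_hashes(observed):
    """Lowercased observed hashes that appear in the page's indicator list."""
    return sorted({h.lower() for h in observed} & IOC_HASHES)


if __name__ == "__main__":
    for hit in suspicious_vpn_logins(SAMPLE_LOGS):
        print("VPN login from hosting range:", hit)
    print("users with multiple source IPs:", users_with_multiple_sources(SAMPLE_LOGS))
    print("IOC hash matches:", match_hashes(OBSERVED_HASHES))
```

The hosting-range check is the direct translation of the pulse's observation (logins from VPS providers); the same-user-multiple-IPs check is a second, independent signal that does not depend on keeping the range list current. Hash matching is case-insensitive because tooling emits hashes in both cases.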