Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial access involved VPN logins from VPS hosting IPs, with rapid progression to data encryption and exfiltration, often within hours. Shared infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious VPN logins, maintain secure offsite backups, and watch for post-compromise activities on endpoints. Author: AlienVault
Related Tags:
sonicwall
FoggyWeb – S0661
cve-2024-40766
T1048.003
T1560.001
initial access
T1078.002
data exfiltration
T1567.002
Associated Indicators:
E6B34A589E61B155AB70F11F8F7393316C9A3189
0A6757BEA01C2C48B50B7EC2BC39E31C
66.181.33.32
45.11.59.16