Several cybersecurity researchers are advising that the Fog and Akira ransomware groups are actively exploiting a critical vulnerability in SonicWall VPN to deploy ransomware. The flaw, designated CVE-2024-40766, is an access control flaw that was discovered and patched in August 2024. However, only a week after the patch was released, SonicWall warned that the vulnerability was 'potentially' being exploited.
The Akira and Fog ransomware groups may be working together in their campaigns targeting vulnerable SonicWall VPNs, as researchers have observed the two groups sharing infrastructure. In most compromises, the time from intrusion to data encryption was short, at about ten hours, and as little as 1.5-2 hours in the fastest cases. The threat actors mainly accessed the targeted endpoint via VPN/VPS to obfuscate their real IP addresses.
While the researchers aren't certain CVE-2024-40766 was leveraged in all instances, all the compromised endpoints were vulnerable to it. Additionally, compromised organizations did not have multi-factor authentication (MFA) enabled and ran the vulnerable VPN service on the default port 4433, indicating threat actors were specifically looking for targets with that configuration.
Source: Bleeping Computer
Analysis
Since this vulnerability was revealed in August 2024, Field Effect has seen increased targeting of SonicWall firewalls. However, we can't be certain whether threat actors are specifically targeting CVE-2024-40766 or other, older, unpatched vulnerabilities. Traditionally, when vendors disclose critical vulnerabilities in edge devices, it draws the attention of threat actors toward those devices in general, and that may be what we have observed in relation to the SonicWall firewalls.
In early September 2024, the Cybersecurity and Infrastructure Security Agency (CISA) listed CVE-2024-40766 in its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal agencies to patch affected systems by the end of September 2024. The fact that CISA took this step is a strong indicator that threat actors are specifically exploiting CVE-2024-40766, once again underscoring the importance of organizations maintaining a high patching cadence.
SonicWall devices have a history of being targeted by ransomware groups, and other vulnerabilities exploited in recent years include those affecting SonicWall's Secure Mobile Access (SMA) appliances. For example, in 2022, a flaw allowed Chinese-affiliated hackers to install persistent malware on unpatched devices. Additionally, ransomware groups such as HelloKitty and FiveHands have used SonicWall vulnerabilities in previous attacks to gain initial access for ransomware deployment.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices and software, including SonicWall VPNs. Field Effect MDR users were automatically notified if a vulnerable version of SonicWall VPN was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with SonicWall’s original advisory.
Since SonicWall devices are popular targets for threat actors, organizations that use them should pay particular attention to making sure they are kept up to date to avoid compromise.
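As an added example (not Field Effect's or SonicWall's tooling), the following Python script triages a firewall inventory against the three conditions the summary above attributes to the victims: firmware below the fixed build for CVE-2024-40766, SSL VPN internet-exposed on the default port 4433, and no MFA. The `Appliance` fields, the inventory rows and the fixed-build strings are constructed placeholders; the real fixed builds per firmware branch come from SonicWall's advisory.

```python
import re
from dataclasses import dataclass

# Added example, not Field Effect's or SonicWall's own tooling. Inventory rows and "fixed"
# build strings are constructed placeholders; take real fixed builds from SonicWall's advisory.
DEFAULT_SSLVPN_PORT = 4433  # the default port the article says all victims were using

@dataclass
class Appliance:
    name: str
    firmware: str            # SonicOS-style string such as "7.0.1-5000" (constructed)
    sslvpn_port: int
    sslvpn_on_wan: bool      # SSL VPN reachable from the internet
    mfa_enabled: bool

def version_key(v: str) -> tuple:
    """Integer tuple from a dotted/hyphenated firmware string, so builds compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def branch(v: str) -> str:
    """Firmware branch = first two components, e.g. '7.0' for '7.0.1-5000'."""
    return ".".join(str(x) for x in version_key(v)[:2])

def assess(a: Appliance, fixed_by_branch: dict) -> list:
    """Return the exposure conditions named in the article that this appliance matches."""
    findings = []
    fixed = fixed_by_branch.get(branch(a.firmware))
    if fixed is None:  # never compare builds across branches; escalate instead
        findings.append("firmware branch not in fixed-build table; check advisory manually")
    elif version_key(a.firmware) < version_key(fixed):
        findings.append("firmware below fixed build for CVE-2024-40766")
    if a.sslvpn_on_wan and a.sslvpn_port == DEFAULT_SSLVPN_PORT:
        findings.append("SSL VPN internet-exposed on default port 4433")
    if a.sslvpn_on_wan and not a.mfa_enabled:
        findings.append("SSL VPN without MFA")
    return findings

def prioritize(appliances: list, fixed_by_branch: dict) -> list:
    """(name, findings) for every appliance with at least one finding, worst first."""
    scored = [(a.name, assess(a, fixed_by_branch)) for a in appliances]
    return sorted([s for s in scored if s[1]], key=lambda s: (-len(s[1]), s[0]))

# Constructed sample inventory; build numbers are placeholders, not real SonicOS releases.
FIXED_BY_BRANCH = {"7.0": "7.0.1-5100", "6.5": "6.5.4.15-200"}
INVENTORY = [
    Appliance("fw-branch-a", "7.0.1-5000", 4433, True, False),   # all three conditions
    Appliance("fw-branch-b", "7.0.1-5100", 8443, True, True),    # patched, moved, MFA on
    Appliance("fw-hq", "6.5.4.15-150", 4433, False, False),      # unpatched but not exposed
    Appliance("fw-lab", "5.9.1-100", 4433, True, True),          # branch not in table
]
```

Run `prioritize(INVENTORY, FIXED_BY_BRANCH)` to get the appliances to patch first; a device that is both unpatched and internet-exposed without MFA matches exactly the profile the article describes.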