Man
Professional
A critical vulnerability in SonicWall VPN has given hackers a free hand.
Hackers are exploiting a vulnerability in SonicWall VPN to attack with Fog and Akira ransomware. Experts believe that they are exploiting the CVE-2024-40766 vulnerability, a critical bug in the SSL VPN access control system.
SonicWall released an update to fix the problem at the end of August 2024, but a week later announced that the vulnerability was being actively exploited in attacks. Arctic Wolf researchers have discovered that groups associated with Akira are exploiting this vulnerability to infiltrate corporate networks.
A new Arctic Wolf report describes at least 30 attacks that began with remote access through SonicWall VPN accounts. Approximately 75% of these incidents are related to Akira, and the rest to Operation Fog. The operators of both groups were found to share common infrastructure, indicating an informal collaboration previously recorded by Sophos experts.
While not all of the intrusions could be definitively linked to the vulnerability in question, all of the compromised systems were running outdated, unpatched versions of SonicOS. The time from initial access to data encryption took only 1.5-2 hours in some cases, and about ten hours on average.
Attackers often used VPNs or VPS hosts to mask their IP addresses. Experts note that many companies had not enabled multi-factor authentication and used the standard port 4433, which made the attackers' job much easier.
Among the exfiltrated data were documents and software; the attackers deliberately ignored files created more than six months ago and, for sensitive data, more than 30 months ago.
Operation Fog, launched in May 2024, is actively growing, using compromised credentials for corporate VPNs to gain unauthorized access. Akira, a more experienced group, has had temporary trouble keeping its resources on the Tor network accessible, but it is slowly getting its operations back up and running and is likely to strike again with renewed vigor.
Lack of timely updates and neglect of multi-factor authentication open the door for hackers to launch targeted attacks. The collaboration between groups like Akira and Fog demonstrates that today's threats are becoming more organized and fast, and that every vulnerability is an opportunity for attackers to strike at lightning speed and bypass even the most sophisticated defenses.
Source