Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.

SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later, it warned that it was already under active exploitation.

At the same time, Arctic Wolf security researchers reported seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.

A new report by Arctic Wolf warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.

Of these cases, 75% are linked to Akira, with the rest attributed to Fog ransomware operations.

Interestingly, the two threat groups appear to share infrastructure, which shows the continuation of an unofficial collaboration between the two, as previously documented by Sophos.

While the researchers aren’t 100% positive the flaw was used in all cases, all of the breached endpoints were vulnerable to it, running an older, unpatched version.

In most cases, the time from intrusion to data encryption was short, at about ten hours, even reaching 1.5-2 hours on the quickest occasions.

In many of these attacks, the threat actors accessed the endpoint via VPN/VPS, obfuscating their real IP addresses.

Arctic Wolf notes that apart from operating unpatched endpoints, compromised organizations did not appear to have enabled multi-factor authentication on the compromised SSL VPN accounts and run their services on the default port 4433.

“In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed,” explains Artic Wolf.

“Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully.”

In the subsequent stages, the threat actors engaged in rapid encryption attacks targeting mainly virtual machines and their backups.

Data theft from breached systems involved documents and proprietary software, but the threat actors didn’t bother with files that were older than six months, or 30 months old for more sensitive files.

Launched in May 2024, Fog ransomware is a growing operation whose affiliates tend to use compromised VPN credentials for initial access.

Akira, a far more established player in the ransomware space, has recently had Tor website access problems, as observed by BleepingComputer, but those are gradually returning online now.