Hackers target VPNs primarily to exploit vulnerabilities that allow them to gain unauthorized access to enterprise networks.
By infiltrating these systems, hackers aim to identify enterprise assets and establish a foothold for further exploitation.
Arctic Wolf researchers recently discovered that hackers have been actively attacking SonicWall VPNs and breach corporate networks by using “Fog” ransomware.
Fog Ransomware Exploiting SSL VPN Vulnerabilities
Between “August” and “October 2024,” researchers discovered a major surge in cyber-attacks using “SonicWall SSL VPN” vulnerabilities.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
The exploitation of these vulnerabilities led to ransomware deployments by two major threat groups:-
Among the “30” documented intrusions, “Akira ransomware” was responsible for 75% of attacks, while “Fog ransomware” executed the remaining 25%.
All these attacks overlapped with discovering a critical security vulnerability in SonicWall’s firmware, and the flaw has been tracked as ‘CVE-2024-40766.’
However, the direct exploitation evidence remained not conclusive. The threat actors showed outstanding efficiency with encryption processes initiated as quickly as “1.5 hours” after gaining initial access, while in some cases, extended up to 10 hours.
Unlike targeted campaigns, all these attacks appeared opportunistic and affected organizations across various “industries” and “sizes.”
The threat actors primarily exploited “outdated firmware” versions, which highlights the critical importance of “regular security updates” and “external security monitoring.”
The attack pattern marked a notable shift from previous months when ransomware incidents were distributed across multiple firewall brands. This scenario suggests a strategic focus on “SonicWall vulnerabilities” by these threat groups, reads the Arctic Wolf report.
In these sophisticated cyber attacks, threat actors have gained unauthorized entry primarily via compromised “VPN accounts” operating on default “port 4433.”
The attacks originated from “VPS” hosting providers (AS64236 – UnReal Servers, LLC and AS32613 – Leaseweb Canada Inc.).”
Here, the threat actors found exploiting local device authentication rather than centralized “Microsoft Active Directory” integration, and notably, none of the compromised accounts had MFA enabled.
The intrusions were marked by rapid encryption focusing on virtual machine storage and backups alongside strategic “data exfiltration” patterns where general files were limited to six months of data.
Meanwhile, sensitive information from human resources and accounts payable departments saw up to “30 months of data being stolen.”
Activities of the threat actors were logged via message event IDs “238” (WAN zone remote user login allowed) and “1080” (SSL VPN zone remote user login allowed), followed by event ID “1079” indicating successful logins.
Upon gaining access the threat actors delete these firewall logs. The entire attack sequence occurred within several hours leaving organizations with “minimal response time.”
Recommendations
Here below we have mentioned all the recommendations:-
- Regular firmware updates
- VPN login monitoring
- Secure off-site backups
- Robust endpoint activity surveillance
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!