Ransomware attacks on Sonicwall SSL VPNs

IT researchers have investigated attacks on Sonicwall SSL VPNs and discovered Akira and Fog ransomware activity.

(Image: created with AI in Bing Designer by heise online / dmk)

The IT security researchers at Arctic Wolf have observed increased activity by the Akira and Fog ransomware groups. In both cases the attackers got into the victims' networks via Sonicwall SSL VPN appliances.

In a detailed analysis, Arctic Wolf's analysts report at least 30 intrusions by Akira and Fog across a wide range of industries since early August. What they all have in common is that a Sonicwall SSL VPN appears early in the chain of events.

As the researchers explain, the malicious VPN logins came from networks associated with VPS (Virtual Private Server) hosting. This suggests that either machines at the hosting providers were compromised and misused, or that the criminals rented them directly. The source IP addresses therefore give defenders a good starting point for detecting and blocking such logins.

The Sonicwall devices through which the perpetrators broke in were all unpatched against CVE-2024-40766, which has a CVSS score of 9.3 and is rated critical. At the beginning of September, Sonicwall warned that this vulnerability in its SSL VPNs was already being actively exploited and again pointed to the available updates that close the hole. However, Arctic Wolf cannot say for certain that this is the vulnerability that was abused in the ransomware attacks; the patch status is at least an indication.

The attacked SSL VPN accounts were configured locally on the Sonicwall devices rather than through centralized authentication such as Microsoft's Active Directory. None of the compromised accounts had multi-factor authentication enabled. Some log messages of INFO severity were still found, but the attackers usually tried to delete the firewall logs after gaining access.
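The two observations above (logins from VPS hosting ranges, and local accounts without MFA) translate directly into a triage check. The following script is an added example and is not from the Arctic Wolf analysis or from Sonicwall. It assumes a simplified key=value log export whose field names (time, src, user, auth, mfa, msg) are constructed for illustration and do not correspond to Sonicwall's real syslog schema, and it uses RFC 5737 documentation blocks as placeholder "hosting" ranges where you would load the published IOC list or your own hosting-ASN ranges.

```python
import ipaddress
import re

# ASSUMED log line layout, constructed for this example; it is NOT SonicWall's
# real syslog schema. Map your own export's fields onto these names.
LINE_RE = re.compile(
    r'time=(?P<time>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'auth=(?P<auth>\S+) mfa=(?P<mfa>\S+) msg="(?P<msg>[^"]*)"'
)

# Placeholder VPS/hosting ranges (RFC 5737 documentation blocks). Replace with
# the IOC list from the Arctic Wolf analysis or your own hosting-ASN ranges.
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample export: a hit from a hosting range on an MFA-less local
# account, a clean LDAP login, a failed login from a hosting range, and one
# malformed line that must be skipped rather than crash the run.
SAMPLE_LOG = """\
time=2024-08-05T02:14:09Z src=198.51.100.23 user=jsmith auth=local mfa=no msg="SSL VPN login succeeded"
time=2024-08-05T09:01:44Z src=192.0.2.10 user=alice auth=ldap mfa=yes msg="SSL VPN login succeeded"
time=2024-08-05T09:05:12Z src=203.0.113.77 user=svc-backup auth=local mfa=no msg="SSL VPN login failed"
this line is not a login event
"""


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_hosting_ip(ip_text):
    """True if the source address falls inside one of the hosting ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in HOSTING_NETS)


def classify(event):
    """Return the list of reasons an event deserves a look (empty if none)."""
    reasons = []
    if is_hosting_ip(event["src"]):
        reasons.append("source in VPS/hosting range")
    succeeded = "succeeded" in event["msg"]
    if succeeded and event["auth"] == "local" and event["mfa"] != "yes":
        reasons.append("local account logged in without MFA")
    return reasons


def triage(lines):
    """Run classify() over raw log lines; return (findings, unparsed count)."""
    findings, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        reasons = classify(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings, skipped


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['user']}@{f['src']}: {'; '.join(f['reasons'])}")
    print(f"{len(found)} finding(s), {skipped} unparsed line(s)")
```

Failed logins from hosting ranges are kept as findings on purpose: a burst of them is the password-spraying that usually precedes the one success, and the unparsed-line counter is a crude check for the log truncation the attackers attempted.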

Arctic Wolf classifies the time from intrusion to encryption as short: in most cases encryption took place on the same day as the network intrusion, sometimes only a few hours later. The attackers also exfiltrated data, showing particular interest in potentially sensitive documents from HR and finance departments, from which they took files up to 30 months old; for more general documents and applications they apparently only went back about six months.

At the end of the analysis the researchers list detailed Indicators of Compromise (IOCs), i.e. artifacts that point to a successful attack. Admins can use them to check their own systems for signs of these intrusions.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.