216.73.217.22

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

· Published 24/10/2024 18:23 · Modified 24/10/2024 20:22

Export JSON

Essential information

Published
24/10/2024 18:23
Modified
24/10/2024 20:22
Tags
2024-10-24 CVE-2024-40766 akira data exfiltration fog initial access ransomware sonicwall vpn
Related entities
1 vulnerabilities (cve), 16 observables, 22 techniques (mitre), 2 malware

Description

Since early August, there has been a significant increase in and intrusions targeting SSL users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for . involved logins from VPS hosting IPs, with rapid progression to data encryption and exfiltration, often within hours. Shared infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor for suspicious logins, maintain secure offsite backups, and watch for post-compromise activities on endpoints.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (1)

CVE-2024-40766 KEV
9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector
Network
Published
09/09/2024
Modified
21/12/2025
Analyzed

Observables (16)

  • 66.181.33.32
  • 45.11.59.16
  • dbde2858580ec4f3484e91a42483cccdee2d243a5bb66a190f7363b129c02751
  • d7e11b178fcc3d1ee7f6ad3dce6da2ea043de64d521cf3578fb09031cbdb0ae2
  • bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
  • b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb
  • 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8
  • 746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
  • 64c154ab8d7962fc7beeb2eb8b3893bbfb0badefc96eaafcfd0a9adc17720bff
  • 47204338f0e092057024c9186f228c02417e917777f3e841d52b58251a956a74
  • 45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
  • 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
  • 1c73160acc17f8c2b996b91e3f34578b7964223bb3ac76fbc586af2d550f070c
  • 18b967bd7a44f60521dd123dea0daf278572089b558b2e5632a6c06d9aad4529
  • 9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f
  • a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258

Techniques (MITRE) (22)

  • T1021.002
    SMB/Windows Admin Shares
  • T1567.002
    Exfiltration to Cloud Storage
  • T1078.002
    Domain Accounts
  • T1021.001
    Remote Desktop Protocol
  • T1048
    Exfiltration Over Alternative Protocol
  • T1048.003
    Exfiltration Over Unencrypted Non-C2 Protocol
  • T1490
    Inhibit System Recovery
  • T1482
    Domain Trust Discovery
  • T1560.001
    Archive via Utility
  • T1059.003
    Windows Command Shell
  • T1567
    Exfiltration Over Web Service
  • T1555
    Credentials from Password Stores
  • T1021
    Remote Services
  • T1486
    Data Encrypted for Impact
  • T1570
    Lateral Tool Transfer
  • T1046
    Network Service Discovery
  • T1219
    Remote Access Tools
  • T1560
    Archive Collected Data
  • T1133
    External Remote Services
  • T1078
    Valid Accounts
  • T1003
    OS Credential Dumping
  • T1059
    Command and Scripting Interpreter

Malware (2)

  • FoggyWeb - S0661
    Family
    Published 17/06/2025 18:18 · Modified 17/06/2025 18:18
  • Akira
    Family
    Published 12/06/2026 16:57 · Modified 12/06/2026 16:57

External references