Cybercriminals behind the Fog and Akira ransomware groups have been increasingly targeting corporate networks through SonicWall VPN vulnerabilities, specifically exploiting a critical access control flaw identified as CVE-2024-40766. This flaw, which affects SSL VPN access in SonicOS, was patched by SonicWall in late August 2024 but was already under active exploitation just a week later.
Arctic Wolf security researchers report that both Akira and Fog ransomware affiliates have used this vulnerability in over 30 network intrusions. Most cases—75%—were linked to Akira, with the remainder attributed to Fog, suggesting a potential infrastructure-sharing arrangement between the two groups. Although exploitation of CVE-2024-40766 could not be confirmed in every breach, every affected endpoint was running an unpatched version of SonicOS.
In the reported cases, attackers moved quickly, encrypting data within as little as two hours and particularly targeting virtual machines and backups. Most breached organizations had unpatched VPNs, lacked multi-factor authentication (MFA), and were running the VPN service on the default port 4433, all of which made them easier targets for intrusion.
Forensic analysis of firewall logs highlighted telltale signs of attack, including login and IP assignment messages following suspicious SSL VPN access. The stolen data primarily included recent documents and proprietary software, with older files largely ignored.
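As an added illustration of that log-review step (not code from Arctic Wolf's report or the article), the script below pairs each SSL VPN login event with the client IP assignment that follows it and flags sessions from unexpected source ranges or outside normal hours. The log lines, message strings, field names and allowlisted range are constructed assumptions, not SonicOS's actual log format; map them to your own firewall's fields before use.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical key=value syslog style.
# Real SonicOS messages and field names differ; adapt the parser accordingly.
SAMPLE_LOGS = """\
2024-09-03T02:11:05 fw1 msg="SSL VPN login successful" usr="jdoe" src=198.51.100.23:51234 dst=203.0.113.10:4433
2024-09-03T02:11:06 fw1 msg="SSL VPN client IP assigned" usr="jdoe" vpnip=10.8.0.7
2024-09-03T09:15:40 fw1 msg="SSL VPN login successful" usr="asmith" src=192.0.2.44:40211 dst=203.0.113.10:4433
2024-09-03T09:15:41 fw1 msg="SSL VPN client IP assigned" usr="asmith" vpnip=10.8.0.9
2024-09-03T09:16:00 fw1 msg="Web management login" usr="admin" src=10.0.5.5:50222 dst=10.0.0.1:443
"""

# Assumptions: ranges remote users are expected to connect from, and the hours
# during which VPN logins are considered routine for this organization.
EXPECTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS = range(7, 20)
PAIR_WINDOW = timedelta(seconds=30)   # max gap between login and IP assignment

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split '<timestamp> <host> k=v k="v v" ...' into a dict of fields."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields

def find_suspicious_vpn_sessions(log_text):
    """Return login/IP-assignment pairs whose source or timing is anomalous."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev.get("msg") != "SSL VPN login successful":
            continue
        src_ip = ipaddress.ip_address(ev["src"].rsplit(":", 1)[0])
        # The assignment message confirms the session was actually established.
        assigned = next((e for e in events[i + 1:]
                         if e.get("msg") == "SSL VPN client IP assigned"
                         and e.get("usr") == ev.get("usr")
                         and e["ts"] - ev["ts"] <= PAIR_WINDOW), None)
        reasons = []
        if not any(src_ip in net for net in EXPECTED_SOURCES):
            reasons.append("source outside expected ranges")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours login")
        if assigned and reasons:
            findings.append({"user": ev["usr"], "src": str(src_ip),
                             "vpn_ip": assigned["vpnip"],
                             "default_port": ev["dst"].endswith(":4433"),
                             "reasons": reasons})
    return findings
```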
Fog ransomware, which launched in May 2024, continues to expand its operations, while Akira, a longer-established ransomware threat, has faced some Tor network access issues that are gradually being resolved. Japanese researcher Yutaka Sejiyama estimates that approximately 168,000 SonicWall endpoints remain exposed to this vulnerability globally, and there are indications that Black Basta ransomware may also be exploiting the same flaw.