
Akira Ransomware Wave Targets SonicWall Firewall Devices

 

Cybersecurity firms report a late-July surge of Akira ransomware intrusions against SonicWall firewall devices, with evidence pointing to attackers entering via SonicWall SSL VPN connections and rapidly moving to encrypt data shortly after gaining access. 

While a previously unknown vulnerability is considered highly plausible, researchers have not ruled out credential-based entry methods such as brute force, dictionary attacks, or credential stuffing. Given the uncertainty, defenders are advised to temporarily disable SonicWall SSL VPN, enhance logging and endpoint monitoring, and block VPN authentications from hosting providers until patches or clearer guidance are available. 

Arctic Wolf detected these SonicWall-linked VPN intrusions beginning July 15, noting that malicious logins have a history dating back to at least October 2024, and that attackers often authenticate from virtual private server infrastructure rather than consumer ISPs. Huntress corroborated Arctic Wolf’s findings and shared indicators of compromise, while additional community discussion appeared on Reddit. The campaign highlights a rapid transition from initial VPN access to encryption, consistent with recent Akira activity patterns. 

Additionally, SonicWall urged customers to patch SMA 100 appliances for a separate critical flaw (CVE-2025-40599) that could allow remote code execution if an attacker already has admin rights. Although there was no evidence that CVE-2025-40599 was being exploited, Google’s Threat Intelligence Group reported adversaries using compromised credentials to deploy a new OVERSTEP rootkit on these devices. SonicWall advised SMA 100 customers to check GTIG’s IOCs, scrutinize logs for suspicious access, and contact support if compromise is suspected. 

Akira, active since March 2023, has claimed more than 300 victims on its leak site, including high-profile organizations, and the FBI estimated over $42 million in ransom payments from more than 250 victims as of April 2024. With the current SonicWall-focused wave still under investigation, security teams are urged to harden remote access, enable detailed monitoring, and be prepared for rapid containment if suspicious VPN activity is detected.
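The advice above boils down to two log signals worth automating while the SonicWall wave is still being investigated: successful SSL VPN logins that originate from hosting-provider (VPS) address space, and bursts of failed authentications against one account that could be brute force or credential stuffing. The script below is an added example, not code from Arctic Wolf, Huntress or SonicWall; the log line format, the `vpn-auth` record shape, the `HOSTING_PROVIDER_CIDRS` list (RFC 5737 documentation ranges standing in for real provider ASN data) and the sample lines are all constructed assumptions for illustration.

```python
"""Triage SSL VPN authentication logs for the two warning signs named in the
post: successful logins from hosting-provider (VPS) address space, and
high-volume failures against one account (brute force / credential stuffing).

Constructed example: the log format, the CIDR list and the sample lines are
assumptions for illustration, not SonicWall's real syslog format or any real
provider's ranges (the CIDRs are RFC 5737 documentation addresses).
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical blocklist of hosting-provider ranges; in practice build this from
# ASN data for the providers you choose to block (assumption, not from the post).
HOSTING_PROVIDER_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed line shape: "<ISO time> vpn-auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2025-07-15T02:11:03Z vpn-auth user=jdoe src=192.0.2.10 result=ok
2025-07-15T02:14:41Z vpn-auth user=jdoe src=203.0.113.77 result=ok
2025-07-15T02:20:00Z vpn-auth user=admin src=198.51.100.5 result=fail
2025-07-15T02:20:01Z vpn-auth user=admin src=198.51.100.5 result=fail
2025-07-15T02:20:02Z vpn-auth user=admin src=198.51.100.5 result=fail
2025-07-15T02:20:03Z vpn-auth user=admin src=198.51.100.5 result=fail
2025-07-15T02:20:04Z vpn-auth user=admin src=198.51.100.5 result=fail
2025-07-15T02:20:09Z vpn-auth user=admin src=198.51.100.5 result=ok
2025-07-15T03:02:55Z vpn-auth user=asmith src=192.0.2.44 result=ok
"""

FAIL_THRESHOLD = 5  # failures per account before we call it password guessing


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def is_hosting_provider(ip):
    """True when the source address falls inside a blocked hosting range."""
    return any(ip in net for net in HOSTING_PROVIDER_CIDRS)


def triage(log_text):
    """Return a list of (kind, user, src) findings in log order."""
    findings = []
    fails = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        src = str(rec["src"])
        if rec["result"] == "fail":
            fails[rec["user"]] += 1
            if fails[rec["user"]] == FAIL_THRESHOLD:
                findings.append(("password_guessing", rec["user"], src))
            continue
        # Successful login: the post's key signal is VPS-originated authentication.
        if is_hosting_provider(rec["src"]):
            findings.append(("login_from_hosting_provider", rec["user"], src))
        # A success right after a burst of failures is the worst case: guessing worked.
        if fails[rec["user"]] >= FAIL_THRESHOLD:
            findings.append(("success_after_guessing", rec["user"], src))
    return findings


if __name__ == "__main__":
    for kind, user, src in triage(SAMPLE_LOG):
        print(f"{kind:28s} user={user} src={src}")
```

Run against a real export you would replace `LINE_RE` with your firewall's syslog shape and populate the CIDR list from ASN data; the `success_after_guessing` finding is the one that should page someone, since the post describes encryption following VPN access within hours.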

New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically infiltrates victim networks using compromised VPN credentials, exploiting vulnerabilities in remote access systems from two different VPN gateway vendors; in the observed cases the attackers gained unauthorized access with stolen VPN credentials rather than through any other entry point. 

Once inside the network, the attackers employ various techniques, including pass-the-hash activity, credential stuffing, and deployment of PsExec across multiple systems. The group also uses RDP/SMB to reach targeted hosts and disables Windows Defender on Windows Servers to maintain its foothold. 

Working of Fog Ransomware

Fog ransomware operates using a JSON-based configuration block that orchestrates activities both before and after encryption. The operators deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing encryption. 

Additionally, Fog ransomware targets VMDK files in virtual machine storage and deletes both backups held in Veeam object storage and Windows volume shadow copies. It employs an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware families, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data and demanding ransoms for decryption. 

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it uses the NT API, via the NtQuerySystemInformation function, to gather system information such as the number of logical processors, which it uses to make encryption more efficient. The encryption itself uses legacy Windows CryptoAPI functions such as CryptImportKey and CryptEncrypt. After encryption completes, the attackers leave a ransom note, typically named readme.txt, with instructions for contacting them to obtain decryption keys. 

An analysis of these ransom notes shows that the Fog ransomware group demands ransom payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return. Organizations, particularly in the education and recreation sectors, should prioritize enhancing their cybersecurity defenses by implementing robust security measures, ensuring the protection and proper management of VPN credentials, and maintaining up-to-date and secure backups to mitigate the potential impact of ransomware attacks.
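The encryptor description and the ransom note analysis above give an incident responder three on-disk artefacts to sweep for when scoping a suspected Fog case: files renamed with the .FOG or .FLOCKED extension, the DbgLog.sys file written under %AppData%, and a readme.txt note left beside encrypted files. The script below is an added example, not Arctic Wolf Labs' tooling or anything from the post; the inventory format (one path per line, as a backup agent or EDR file listing might export it), the sample paths and the function names are constructed assumptions.

```python
"""Scan a host file inventory for the on-disk artefacts the post attributes to
Fog: encrypted files renamed with .FOG / .FLOCKED, the DbgLog.sys log written
under %AppData%, and a readme.txt ransom note left beside encrypted files.

Added example; the inventory format and the sample paths are constructed for
illustration (no real host data) and the function names are hypothetical.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXTENSIONS = {".fog", ".flocked"}
DEBUG_LOG_NAME = "dbglog.sys"
RANSOM_NOTE_NAME = "readme.txt"

# Constructed inventory: one path per line, as a backup agent or EDR file
# listing might export it (assumed format, not from the post).
SAMPLE_INVENTORY = """\
C:\\Users\\jdoe\\AppData\\Roaming\\DbgLog.sys
C:\\Users\\jdoe\\Documents\\budget.xlsx.FOG
C:\\Users\\jdoe\\Documents\\notes.docx.FLOCKED
C:\\Users\\jdoe\\Documents\\readme.txt
C:\\Users\\jdoe\\Documents\\unchanged.pdf
D:\\VMs\\fileserver\\fileserver.vmdk.FOG
D:\\VMs\\fileserver\\readme.txt
C:\\Program Files\\App\\readme.txt
"""


def scan_inventory(text):
    """Return a dict of indicator -> list of paths; empty lists mean no hit."""
    hits = {"encrypted_file": [], "appdata_debug_log": [], "ransom_note": []}
    encrypted_dirs = set()
    notes_by_dir = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        p = PureWindowsPath(raw.strip())
        name = p.name.lower()
        parent = str(p.parent).lower()
        if p.suffix.lower() in ENCRYPTED_EXTENSIONS:
            hits["encrypted_file"].append(str(p))
            encrypted_dirs.add(parent)
        elif name == DEBUG_LOG_NAME and "\\appdata\\" in f"{parent}\\":
            # DbgLog.sys is only interesting under a user's AppData tree.
            hits["appdata_debug_log"].append(str(p))
        elif name == RANSOM_NOTE_NAME:
            notes_by_dir[parent].append(str(p))
    # A readme.txt is only treated as a ransom note when it sits in a directory
    # that also holds encrypted files; that keeps ordinary READMEs out.
    for d, notes in notes_by_dir.items():
        if d in encrypted_dirs:
            hits["ransom_note"].extend(notes)
    return hits


def original_names(hits):
    """Strip the ransomware extension to list what was encrypted (for scoping)."""
    return sorted(PureWindowsPath(p).stem for p in hits["encrypted_file"])


if __name__ == "__main__":
    result = scan_inventory(SAMPLE_INVENTORY)
    for indicator, paths in result.items():
        print(f"{indicator}: {len(paths)} hit(s)")
        for path in paths:
            print(f"  {path}")
    print("encrypted originals:", original_names(result))
```

The directory check on readme.txt matters in practice: almost every software install ships a README, so a bare filename match would flood the result with false positives, whereas a note sitting next to .FOG or .FLOCKED files is exactly the artefact the post describes.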