
Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to use credentials stolen from devices compromised before the fix, even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.

Akira Ransomware Wave Targets SonicWall Firewall Devices

 

Cybersecurity firms report a late-July surge of Akira ransomware intrusions against SonicWall firewall devices, with evidence pointing to attackers entering via SonicWall SSL VPN connections and rapidly moving to encrypt data shortly after gaining access. 

While a previously unknown vulnerability is considered highly plausible, researchers have not ruled out credential-based entry methods such as brute force, dictionary attacks, or credential stuffing. Given the uncertainty, defenders are advised to temporarily disable SonicWall SSL VPN, enhance logging and endpoint monitoring, and block VPN authentications from hosting providers until patches or clearer guidance are available. 

Arctic Wolf detected these SonicWall-linked VPN intrusions beginning July 15, noting that malicious logins have a history dating back to at least October 2024, and that attackers often authenticate from virtual private server infrastructure rather than consumer ISPs. Huntress corroborated Arctic Wolf’s findings and shared indicators of compromise, while additional community discussion appeared on Reddit. The campaign highlights a rapid transition from initial VPN access to encryption, consistent with recent Akira activity patterns. 
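Two of the observations above translate directly into detection logic: successful VPN logins preceded by several OTP challenges for the same account (the pattern Arctic Wolf tied to stolen OTP seeds in the Akira MFA post), and logins originating from hosting-provider or VPS address space rather than consumer ISPs. The script below is an added example, not Arctic Wolf's, Huntress's or SonicWall's code. It parses a constructed, simplified log format (not SonicWall's real syntax), and the hosting-provider range is a placeholder to be replaced with an ASN or VPS feed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp event user=... src=..." form.
# This is NOT SonicWall's log syntax; map a real parser onto the same four fields.
SAMPLE_LOG = """\
2025-07-15T02:10:01Z OTP_CHALLENGE user=jdoe src=203.0.113.7
2025-07-15T02:10:09Z OTP_CHALLENGE user=jdoe src=203.0.113.7
2025-07-15T02:10:18Z OTP_CHALLENGE user=jdoe src=203.0.113.7
2025-07-15T02:10:25Z LOGIN_SUCCESS user=jdoe src=203.0.113.7
2025-07-15T08:30:00Z OTP_CHALLENGE user=asmith src=198.51.100.20
2025-07-15T08:30:40Z LOGIN_SUCCESS user=asmith src=198.51.100.20
2025-07-15T09:00:00Z OTP_CHALLENGE user=bwong src=192.0.2.44
2025-07-15T09:00:30Z LOGIN_FAIL user=bwong src=192.0.2.44
"""

# Placeholder hosting-provider range (constructed; feed your own VPS/ASN list here).
HOSTING_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "event": m.group(2),
                       "user": m.group(3), "src": m.group(4)})
    return events


def is_hosting_source(ip):
    """True when the source address falls inside a known hosting-provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETWORKS)


def find_suspicious_logins(events, min_challenges=2, window=timedelta(minutes=5)):
    """Flag successful logins preceded by repeated OTP challenges within `window`
    for the same user, or coming from hosting-provider address space."""
    challenges = defaultdict(list)   # user -> timestamps of OTP challenges
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "OTP_CHALLENGE":
            challenges[ev["user"]].append(ev["ts"])
            continue
        if ev["event"] != "LOGIN_SUCCESS":
            continue
        recent = [t for t in challenges[ev["user"]] if ev["ts"] - t <= window]
        reasons = []
        if len(recent) >= min_challenges:
            reasons.append(f"{len(recent)} OTP challenges within {window}")
        if is_hosting_source(ev["src"]):
            reasons.append("source in hosting-provider range")
        if reasons:
            findings.append({"user": ev["user"], "src": ev["src"],
                             "ts": ev["ts"], "reasons": reasons})
        # A completed login closes the challenge sequence for that user.
        challenges[ev["user"]].clear()
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

One OTP challenge per successful login is the normal shape, so the threshold of two or more is a starting point rather than a rule; tune it against your own users' typo rate, and treat a hit that also comes from hosting address space as a credential-reset trigger rather than a mere alert.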

Additionally, SonicWall urged customers to patch SMA 100 appliances for a separate critical flaw (CVE-2025-40599) that could allow remote code execution if an attacker already has admin rights. Although there was no evidence that CVE-2025-40599 was being exploited, Google’s Threat Intelligence Group reported adversaries using compromised credentials to deploy a new OVERSTEP rootkit on these devices. SonicWall advised SMA 100 customers to check GTIG’s IOCs, scrutinize logs for suspicious access, and contact support if compromise is suspected. 

Akira, active since March 2023, has claimed more than 300 victims on its leak site, including high-profile organizations, and the FBI estimated over $42 million in ransom payments from more than 250 victims as of April 2024. With the current SonicWall-focused wave still under investigation, security teams are urged to harden remote access, enable detailed monitoring, and be prepared for rapid containment if suspicious VPN activity is detected.

New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically infiltrates victim networks with compromised VPN credentials, abusing remote access systems from two different VPN gateway vendors to gain unauthorized entry.

Once inside the network, the attackers employ various techniques, including pass-the-hash activity, credential stuffing, and deployment of PsExec across multiple systems. The group also uses RDP and SMB to reach targeted hosts and disables Windows Defender on Windows Servers to maintain its foothold.

Working of Fog Ransomware

Fog ransomware operates using a JSON-based configuration block that orchestrates activities both before and after encryption. The attackers deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing encryption.

Additionally, Fog ransomware targets VMDK files in virtual machine storage and deletes Veeam object-storage backups and Windows volume shadow copies. It employs an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware families, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data and demanding ransoms for decryption.

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it uses the NT API function NtQuerySystemInformation to gather system information, such as the number of logical processors, to improve its encryption throughput. The encryption itself relies on the legacy Windows CryptoAPI functions CryptImportKey and CryptEncrypt. After the encryption process is completed, the attackers leave a ransom note, typically called 'readme.txt', providing instructions for contacting them to obtain decryption keys.
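The file-level indicators in this post (the .FOG and .FLOCKED extensions, a readme.txt ransom note beside encrypted files, and DbgLog.sys under %AppData%) are enough for a quick host triage check. The script below is an added example, not Arctic Wolf's tooling; it uses only the indicators named in the post and builds a constructed sample tree in a temporary directory so that it runs offline. The `appdata` argument stands in for %AppData% and is supplied by the caller, since the scan is meant to run from a forensic mount as well as on a live Windows host.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the post's description of Fog; nothing beyond the page.
ENCRYPTED_EXTS = {".fog", ".flocked"}
RANSOM_NOTE = "readme.txt"
DEBUG_LOG = "DbgLog.sys"


def scan_tree(root, appdata=None):
    """Walk `root` for Fog-style indicators and summarise what was found.

    A readme.txt is only counted as a ransom note when encrypted files sit in
    the same directory, which keeps ordinary project readmes out of the count.
    """
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in ENCRYPTED_EXTS:
            encrypted.append(path)
        elif path.name.lower() == RANSOM_NOTE:
            notes.append(path)
    encrypted_dirs = {p.parent for p in encrypted}
    notes = [n for n in notes if n.parent in encrypted_dirs]

    dbglog_present = False
    if appdata is not None:
        dbglog_present = (Path(appdata) / DEBUG_LOG).is_file()

    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "dbglog_present": dbglog_present,
        "suspected": bool(encrypted) or dbglog_present,
    }


def build_sample_tree():
    """Create a throwaway directory that mimics a share hit by Fog.

    Constructed demo data only: the 'encrypted' files are zero-filled and the
    note is placeholder text, not content from a real incident.
    """
    base = Path(tempfile.mkdtemp(prefix="fog_demo_"))
    vmstore = base / "vmstore"
    vmstore.mkdir()
    (vmstore / "db01.vmdk.FOG").write_bytes(b"\x00" * 16)
    (vmstore / "web01.vmdk.FLOCKED").write_bytes(b"\x00" * 16)
    (vmstore / "readme.txt").write_text("demo ransom note placeholder")
    docs = base / "docs"
    docs.mkdir()
    (docs / "readme.txt").write_text("ordinary project readme")   # benign, not counted
    appdata = base / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / DEBUG_LOG).write_text("")
    return base, appdata


if __name__ == "__main__":
    demo_root, demo_appdata = build_sample_tree()
    print("demo tree:", scan_tree(demo_root, demo_appdata))
    # On a live Windows host, point at real locations instead:
    live_appdata = os.environ.get("APPDATA")
    if live_appdata:
        print("this host:", scan_tree(Path.home(), live_appdata))
```

The check is deliberately conservative: a lone readme.txt or a single odd extension is not evidence on its own, and a positive result should send you to the VPN authentication logs and the Veeam and shadow-copy state the post describes, not straight to containment.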

An analysis of these ransom notes shows that the Fog ransomware group demands payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return.

Organizations, particularly in the education and recreation sectors, should prioritize strengthening their defenses: implement robust security controls, protect and properly manage VPN credentials, and maintain up-to-date, secure backups to limit the impact of a ransomware attack.