Source |
RiskIQ |
Identifier |
8603429 |
Publication date |
2024-10-29 19:45:53 (viewed: 2024-10-29 20:07:25) |
Title |
Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN |
Text |
## Snapshot
Researchers at Arctic Wolf have identified a shift in recent ransomware intrusions, where both Akira and Fog ransomware operators increasingly target SonicWall firewall devices.
## Description
Since early August 2024, Arctic Wolf has investigated 30 new intrusions where these ransomware variants exploited vulnerabilities in SonicWall SSL VPN accounts. Akira ransomware was deployed in approximately 75% of these cases, while Fog ransomware accounted for the remaining 25%. During these incidents, the time from initial VPN access to encryption ranged from as short as 1.5 to 2 hours up to nearly 10 hours in some cases.
Reviewing firewall logs, Arctic Wolf found no conclusive evidence that any known remote code execution vulnerability had been exploited, but the SonicWall firmware in use often predated the patches for [CVE-2024-40766](https://security.microsoft.com/intel-explorer/cves/CVE-2024-40766/), a recent critical vulnerability. Additionally, the malicious VPN logins were frequently traced to Virtual Private Server (VPS) providers, with the same hosting IP addresses reused across separate Akira and Fog incidents. The VPN accounts involved were local to the SonicWall devices, lacking multi-factor authentication and any integration with a centralized identity system such as Active Directory.
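The three access indicators above (local VPN accounts, no MFA, and hosting-provider source IPs reused across separate incidents) can be turned into a triage check over normalized VPN login records. This is an added example, not code from Arctic Wolf or Microsoft: the record schema, the placeholder hosting CIDRs and the sample logins are all constructed, and real SonicWall logs would first have to be normalized into these fields.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VpnLogin:
    """One normalized SSL VPN login (constructed schema, not SonicWall's log format)."""
    incident: str        # case or tenant the login was observed in
    user: str
    source_ip: str
    local_account: bool  # True: account defined on the firewall, not in AD/LDAP
    mfa: bool            # True: a second factor was enforced for this login

# Constructed placeholder ranges standing in for a VPS/hosting provider list.
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

def is_hosting_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)

def triage(logins):
    """Return (flagged logins, set of source IPs seen in more than one incident)."""
    incidents_by_ip = defaultdict(set)
    for login in logins:
        incidents_by_ip[login.source_ip].add(login.incident)
    reused = {ip for ip, incs in incidents_by_ip.items() if len(incs) > 1}

    flagged = []
    for login in logins:
        reasons = []
        if login.local_account and not login.mfa:
            reasons.append("local-account-no-mfa")
        if is_hosting_ip(login.source_ip):
            reasons.append("hosting-provider-source")
        if login.source_ip in reused:
            reasons.append("ip-reused-across-incidents")
        if reasons:
            flagged.append((login.incident, login.user, login.source_ip, reasons))
    return flagged, reused

# Constructed sample: two separate cases share a hosting-provider source IP.
SAMPLE_LOGINS = [
    VpnLogin("case-A", "vpnuser1", "203.0.113.10", True, False),
    VpnLogin("case-B", "admin2", "203.0.113.10", True, False),
    VpnLogin("case-A", "jsmith", "192.0.2.5", False, True),
    VpnLogin("case-C", "svc_backup", "198.51.100.7", True, False),
]
```

Calling `triage(SAMPLE_LOGINS)` flags the three local, MFA-less logins and reports `203.0.113.10` as the one source IP shared by two cases; the AD-backed, MFA-protected login is not flagged.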
Upon gaining access, attackers acted quickly to encrypt data, focusing on virtual machine storage and backups. Ransomware affiliates targeted various data during exfiltration, copying general folders up to six months old and more sensitive HR and accounts payable folders up to 30 months old.
The research also noted that Fog ransomware, active since June 2024, has expanded beyond its initial targeting of the education sector to a more opportunistic approach across different industries.
[Arctic Wolf](https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/) previously reported the exploitation of this vulnerability in September 2024. Learn more [here](https://security.microsoft.com/intel-explorer/articles/07f23184).
## Microsoft Analysis and Additional OSINT Context
Storm-0844 is a subgroup of [Periwinkle Tempest](https://security.microsoft.com/intel-profiles/c8179cbaf8d47fec52731193e16c25cfd98e2e65d7e20d37c3a5740959798717), also known as TrickBot LLC, a prolific cybercriminal group involved in ransomware operations that is known to deploy [Fog](https://security.microsoft.com/intel-explorer/articles/b474122c) and [Akira](https://security.microsoft.com/intel-profiles/eb747f064dc5702e50e28b63e4c74ae2e6ae19ad7de416902e998677b4ad72ff). Storm-0844 initially deployed Hive ransomware before switching to Royal in late 2022, Akira in June 2023, and Fog by May 2024.
## Recommendations
Arctic Wolf emphasizes the importance of maintaining firmware updates, off-site backups, and external log monitoring to guard against similar attacks.
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Immediately apply [security updates](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015) for CVE-2024-40766.
- Read our [ransomware as a service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/ |
Notes |
★★
|
Tags |
Ransomware
Tool
Vulnerability
Threat
|
The article does not appear to have been picked up after its publication.
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
|
2024-10-30 15:00:44 |
(Déjà vu) Akira Ransomware Continues to Evolve (direct link) |
## Snapshot
Researchers at Cisco Talos have identified that the Akira ransomware operation has returned to its earlier encryption methods, combining them with data-theft extortion tactics.
## Description
Akira ransomware affiliates have exploited new vulnerabilities for initial access, including CVE-2024-40766 in SonicWall SonicOS, CVE-2020-3259, CVE-2023-20263 and CVE-2023-48788. The group, which had temporarily shifted to focusing solely on data exfiltration, has updated its ransomware to use the ChaCha8 stream cipher for faster and more efficient encryption. They have also used compromised VPN credentials and targeted network appliances for entry.
Once inside, they deploy PowerShell scripts for credential harvesting and privilege escalation, along with various defense evasion techniques. Akira ransomware, which appends the ".akira" extension to encrypted files and drops a ransom note named "Akira_readme.txt", has been observed targeting organizations in the manufacturing and scientific and technical services sectors. The group has shown adaptability by developing a new Linux encryptor and updating its Windows variant, indicating a return to C++ encryptors. They have also demonstrated a strategic focus on virtualization platforms by targeting ESXi hosts and encrypting the "/vmfs/volumes/" path, which enables mass encryption and disruption with minimal lateral movement. The Akira group is expected to keep focusing its attacks on VMware ESXi and Linux environments, exploiting their prevalence in enterprise infrastructure for significant operational impact. This trend aligns with broader observations of the ransomware landscape, where adversaries target the platforms hosting critical infrastructure and high-value data.
## Microsoft Analysis and Additional OSINT Context
Before deploying ransomware, attackers often take several steps to move laterally, acquire credentials, and exfiltrate data. For a holistic guide to securing your organization against ransomware threats, refer to the [ransomware-as-a-service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware).
Microsoft assesses that Akira is likely a closed ransomware offering, exclusive and not openly marketed as ransomware as a service, distributed by a small number of threat actors. Since it surfaced in the cybercrime ecosystem, Microsoft has observed the following threat actors using Akira in their ransomware operations:
- [Storm-0844](https://security.microsoft.com/intel-profiles/25834dc6253e91bf4faee49069af4572e6306b294039442aa82c048df4995408), a cybercriminal group that has moved its ransomware payloads across various ransomware ecosystems over time, including Hive, Royal starting in fall 2022, and Akira in June 2023.
- Storm-1400, a cybercriminal group not previously tracked by Microsoft, began deploying Akira in June 2023.
- [Storm-1567](https://security.microsoft.com/intel-profiles/675eee77614a60e98bc69cd4177522142e7d283eaaab5d2107a2e7a53b964af36), a cybercriminal group not previously tracked by Microsoft, began deploying Akira in late May 2023.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. |
Ransomware
Malware
Tool
Vulnerability
Threat
Prediction
Technical
|
|
★★★