Article Details

Scrape Timestamp (UTC): 2025-11-25 22:39:45.401

Source: https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions/

Original Article Text


Acquired firms turned into ransomware bait inside parent companies via porous SonicWalls.

Acquirers inherit more than staff and systems. Routine mergers and acquisitions are giving extortionists an easy way in, with Akira affiliates reaching parent networks through compromised SonicWall gear inherited in the deal, according to ReliaQuest.

In every Akira attack the threat detection firm analyzed between June and October that involved buggy SonicWall SSL VPN appliances, the ransomware operators gained access to the bigger, acquiring enterprises because they had already compromised the smaller companies' SonicWall gear.

"In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed," ReliaQuest threat intel analyst Thomas Higdon said in a Tuesday blog.

Over the summer, Akira affiliates exploited buggy SonicWall firewalls and SSL VPN misconfigurations to gain access to vulnerable devices and conduct ransomware and data-stealing attacks.

While the security shop says that it can't determine if the criminals were purposely targeting mergers and acquisitions, SonicWall SSL VPN devices are commonly used by small- and medium-sized businesses - and these are the types of companies likely to undergo an acquisition.

Besides having M&A in common, all of the Akira ransomware infections also shared these three things: zombie privileged credentials, default or predictable hostnames, and a lack of endpoint protection.

So if you don't want to fall victim to this or other ransomware operations - especially if your company is undergoing mergers and acquisitions - make sure to close up those security gaps in your IT environment. The Register asked ReliaQuest how many of these incidents they analyzed and the researchers declined to say.

But we're told that in every one of these intrusions, immediately after gaining access to the enterprise network via compromised SonicWall devices, the miscreants started snooping around for privileged accounts transferred over during the acquisition process. These included old managed service provider accounts or legacy admin credentials, all unknown to the acquiring company, and typically left unmonitored and unrotated.

"In the incidents we analyzed, by exploiting a legacy admin credential, Akira operators gained access to sensitive systems and navigated to a domain controller (DC) in an average of just 9.3 hours," Higdon wrote, adding that in some cases it only took five hours or less.

Next, they scanned networks for hosts with default or predictable names, which made it easy for the ransomware crew to identify and infect domain controllers, application servers, and other high-value servers. Across all of these intrusions, the time from lateral movement to ransomware deployment averaged under an hour.

Additionally, in every case, Akira affiliates scanned the enterprise networks for critical hosts without endpoint detection and response products enabled. In cases where there weren't any unprotected hosts, they attempted to disable the endpoint security products using Dynamic Link Library (DLL) sideloading techniques. This lack of endpoint security also made it easier for the criminals to encrypt systems before defenders could detect them.
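
As an added example (not from the article, ReliaQuest or SonicWall), the following defender-side triage runs over an inventory exported from an acquired entity and flags the three gaps the article names: inherited privileged accounts left unrotated, dormant or without a current owner; hosts with default or predictable names; and hosts with no EDR agent. The inventory rows, the thresholds and the hostname pattern are constructed assumptions for illustration.

```python
from datetime import date
import re

# Thresholds and the hostname pattern are assumptions for this example, not ReliaQuest guidance.
MAX_PASSWORD_AGE_DAYS = 180
MAX_DORMANT_DAYS = 90
# Short role token(s) plus a sequence number, e.g. DC01 or SRV-APP02: trivial to guess by scanning.
PREDICTABLE_HOSTNAME = re.compile(r"^(?:[a-z]{2,4}[-_]?){1,2}\d{1,3}$", re.IGNORECASE)
REPORT_DATE = date(2025, 11, 25)

def stale_privileged_accounts(accounts, today):
    """Privileged accounts inherited unrotated, dormant, or with no current owner."""
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        reasons = []
        if (today - acct["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            reasons.append("password not rotated")
        if acct["last_logon"] is None or (today - acct["last_logon"]).days > MAX_DORMANT_DAYS:
            reasons.append("dormant")
        if acct["owner"] is None:
            reasons.append("no current owner")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings

def exposed_hosts(hosts):
    """Hosts that are easy to enumerate by name or have no EDR agent reporting."""
    findings = []
    for host in hosts:
        reasons = []
        if PREDICTABLE_HOSTNAME.match(host["hostname"]):
            reasons.append("predictable hostname")
        if not host["edr_agent"]:
            reasons.append("no EDR")
        if reasons:
            findings.append((host["hostname"], reasons))
    return findings

# Constructed inventory for a fictitious acquired subsidiary (not real data).
ACCOUNTS = [
    {"name": "msp-admin", "privileged": True, "password_last_set": date(2022, 3, 1), "last_logon": date(2023, 5, 2), "owner": None},
    {"name": "svc-backup", "privileged": True, "password_last_set": date(2025, 9, 1), "last_logon": date(2025, 11, 20), "owner": "infra team"},
]
HOSTS = [
    {"hostname": "DC01", "edr_agent": False},
    {"hostname": "fin-ledger-7k2q", "edr_agent": True},
    {"hostname": "SRV-APP02", "edr_agent": True},
]
```

Feed it the account and host exports gathered during due diligence; every hit is a credential to rotate or retire, a host to rename, or an agent to deploy before the acquired network is joined to the parent's.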

Daily Brief Summary

CYBERCRIME // Akira Ransomware Exploits M&A Vulnerabilities via SonicWall Devices

ReliaQuest identified Akira ransomware affiliates exploiting SonicWall SSL VPN vulnerabilities to infiltrate parent companies during mergers and acquisitions.

Acquiring firms often inherit compromised SonicWall devices, leaving critical vulnerabilities exposed and allowing ransomware operators network access.

Akira affiliates exploited these vulnerabilities to swiftly access sensitive systems, reaching domain controllers in an average of 9.3 hours.

Common security gaps included zombie privileged credentials, default hostnames, and insufficient endpoint protection, facilitating rapid lateral movement.

The ransomware attacks typically progressed from lateral movement to deployment in under an hour, highlighting the speed and efficiency of the intrusions.

Akira operators targeted unprotected hosts or attempted to disable security measures using DLL sideloading techniques to encrypt systems undetected.

Organizations undergoing mergers and acquisitions are advised to thoroughly assess inherited IT assets and close security gaps to prevent such attacks.