How Akira Ransomware Exploits SonicWall Firewalls in M&A Deals: Protect Your Business Now! (2025)

Beware the Corporate Cyber-Predators: When SonicWall Firewalls Become a Liability

In corporate mergers and acquisitions, the acquired company's network equipment comes with the deal, and it is not always inventoried. ReliaQuest, a threat detection firm, has identified a pattern: Akira ransomware affiliates are exploiting vulnerable SonicWall firewalls, inherited through routine M&A deals, to reach the networks of the larger acquiring enterprises. The firewall that was meant to protect the smaller company becomes the backdoor into the larger, more lucrative target.

In a recent analysis, ReliaQuest examined a series of Akira ransomware intrusions between June and October. In every case involving a compromised SonicWall SSL VPN appliance, the ransomware operators had first compromised the smaller company's network, and that foothold then served as a pathway into the larger, acquiring enterprise.

"The acquiring enterprises were often unaware of these devices, leaving critical vulnerabilities exposed," explains Thomas Higdon, a threat intel analyst at ReliaQuest.

Over the summer, Akira affiliates exploited not only vulnerable SonicWall firewalls but also misconfigured SSL VPNs, using that access to launch ransomware and data-theft attacks. ReliaQuest acknowledges that it is unclear whether the criminals were deliberately targeting M&A deals, but SonicWall SSL VPN devices are common in small and medium-sized businesses, precisely the companies larger enterprises acquire, which makes them a natural entry point for acquisition-related attacks.

All of the Akira infections shared three factors. First, the attackers abused privileged credentials, often 'zombie' accounts left over from previous acquisitions or managed service providers. Second, they relied on default or easily predictable hostnames, which made critical servers simple to identify and infect. Third, and perhaps most importantly, they took advantage of a lack of endpoint protection, which made encrypting systems easier and hindered defenders' ability to detect and respond.

So what can be done to avoid becoming a victim, especially during a merger or acquisition? The countermeasures follow directly from the three factors: inventory and properly configure the firewalls and SSL VPN appliances that arrive with the deal, review and rotate (or disable) the credentials that are transferred with it, and deploy robust endpoint protection on inherited hosts. Companies that close these gaps in their IT environment significantly reduce their risk.
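The three factors above map onto three checks an acquirer can run against an inherited environment before it is joined to the enterprise network. The script below is an added example, not ReliaQuest's tooling or anything from the original article: it flags privileged accounts that are stale or came from a former MSP or the acquired domain, hostnames an attacker could guess, and hosts with no endpoint agent. The inventory records, field names and thresholds are constructed for illustration; in practice they would come from an AD export and the EDR console.

```python
"""
M&A onboarding audit (added example). Flags the three conditions the article
ties to the Akira intrusions:
  1. privileged 'zombie' accounts (stale, or inherited from an MSP / acquired domain)
  2. default or predictable hostnames that make critical servers easy to find
  3. hosts with no endpoint protection agent
All records below are constructed sample data; the field names are assumptions,
not any vendor's export format.
"""
import re
from datetime import datetime, timedelta

NOW = datetime(2025, 10, 1)          # fixed reference time so the run is reproducible
STALE_DAYS = 90                      # assumed threshold for 'dormant'
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}
# Role word plus an optional one- or two-digit suffix: DC01, SQL01, BACKUP, FS1 ...
PREDICTABLE_HOST = re.compile(r"^(dc|ad|sql|db|file|fs|backup|bkp|exch|mail|vpn|fw)\d{0,2}$", re.I)

ACCOUNTS = [  # constructed sample data
    {"sam": "msp-admin",       "groups": ["Domain Admins"],    "last_logon": NOW - timedelta(days=210), "origin": "former MSP"},
    {"sam": "acme-svc-backup", "groups": ["Backup Operators"], "last_logon": NOW - timedelta(days=400), "origin": "acquired: acme.local"},
    {"sam": "jdoe",            "groups": ["Domain Users"],     "last_logon": NOW - timedelta(days=2),   "origin": "corp"},
    {"sam": "it-admin",        "groups": ["Domain Admins"],    "last_logon": NOW - timedelta(days=1),   "origin": "corp"},
    {"sam": "svc-legacy",      "groups": ["Administrators"],   "last_logon": None,                      "origin": "acquired: acme.local"},
]
HOSTS = [  # constructed sample data; edr_agent would come from the EDR console
    {"name": "DC01",     "edr_agent": False},
    {"name": "SQL01",    "edr_agent": True},
    {"name": "BACKUP",   "edr_agent": False},
    {"name": "ws-4f7a2", "edr_agent": True},
]


def zombie_privileged_accounts(accounts, now=NOW, stale_days=STALE_DAYS):
    """Privileged accounts that are stale, never used, or inherited from outside the core org."""
    findings = []
    for a in accounts:
        if not PRIVILEGED_GROUPS.intersection(a["groups"]):
            continue
        reasons = []
        if a["last_logon"] is None or (now - a["last_logon"]).days > stale_days:
            reasons.append("stale")
        if a["origin"] != "corp":
            reasons.append(f"inherited ({a['origin']})")
        if reasons:
            findings.append((a["sam"], reasons))
    return findings


def predictable_hostnames(hosts):
    """Hostnames that advertise their role, the kind the article says attackers scan for."""
    return [h["name"] for h in hosts if PREDICTABLE_HOST.match(h["name"])]


def hosts_without_edr(hosts):
    """Hosts with no endpoint agent: easy to encrypt and invisible to the SOC."""
    return [h["name"] for h in hosts if not h["edr_agent"]]


def audit(accounts=ACCOUNTS, hosts=HOSTS):
    return {
        "zombie_privileged": zombie_privileged_accounts(accounts),
        "predictable_hostnames": predictable_hostnames(hosts),
        "no_edr": hosts_without_edr(hosts),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

On the sample data the audit reports three privileged accounts to disable or rotate (msp-admin, acme-svc-backup, svc-legacy), three guessable hostnames (DC01, SQL01, BACKUP), and two hosts with no agent (DC01, BACKUP). Note that the legitimate, active `it-admin` account is not flagged: the origin and staleness checks are what separate inherited zombie accounts from the acquirer's own administrators.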

In every intrusion ReliaQuest analyzed, the attackers immediately sought out privileged accounts that had been transferred during the acquisition. These accounts, often unmonitored and with passwords never changed, provided a direct route to sensitive systems and domain controllers.

Using these legacy admin credentials, the Akira operators reached sensitive systems in an average of just 9.3 hours, and in some cases in as little as five. From there they scanned the network for default or predictable hostnames to identify and infect critical servers. Across all intrusions, the time from initial lateral movement to full ransomware deployment averaged under an hour.

Akira affiliates also favored enterprise networks lacking endpoint detection and response (EDR) products; where EDR was present, they attempted to disable it using DLL sideloading. The absence of endpoint security not only facilitated the encryption of systems but also hindered defenders' ability to detect and respond in time.
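The intrusion pattern just described, a dormant privileged account logging in through the SSL VPN and then turning up on a domain controller within hours, is something a SOC can correlate even without EDR on the endpoints, because both the VPN appliance and the domain controller log the authentication. The rule below is an added example, not ReliaQuest's detection content: it pairs each VPN login with the account's subsequent domain-controller logons inside a window and alerts only when the account had been dormant, so an administrator who routinely works over the VPN does not fire it. The log lines, their key=value format and the last-seen table are constructed; the real inputs would be SonicWall syslog and Windows event 4624 fields.

```python
"""
Correlation rule (added example): dormant account -> SSL VPN login -> domain
controller logon within a window. Log format, hostnames and the last-seen table
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; one day of events from the VPN appliance and two hosts.
LOG = """\
2025-09-14T01:12:03Z src=sslvpn user=msp-admin event=vpn_login client_ip=203.0.113.40
2025-09-14T02:05:40Z src=dc01 user=msp-admin event=logon logon_type=3
2025-09-14T06:48:10Z src=dc01 user=msp-admin event=logon logon_type=10
2025-09-14T08:30:00Z src=sslvpn user=jdoe event=vpn_login client_ip=198.51.100.7
2025-09-14T08:31:00Z src=fs01 user=jdoe event=logon logon_type=3
2025-09-14T09:00:00Z src=sslvpn user=it-admin event=vpn_login client_ip=198.51.100.9
2025-09-14T09:20:00Z src=dc01 user=it-admin event=logon logon_type=10
"""

DC_HOSTS = {"dc01", "dc02"}          # assumed domain controller hostnames
WINDOW = timedelta(hours=12)         # VPN login -> DC logon pairing window (assumed)
DORMANT_DAYS = 90                    # assumed threshold for a 'zombie' account

# Last known logon before these events (constructed; would come from AD lastLogonTimestamp).
LAST_SEEN = {
    "msp-admin": datetime(2025, 2, 16),   # former MSP account, untouched for ~7 months
    "jdoe": datetime(2025, 9, 13),
    "it-admin": datetime(2025, 9, 13),    # active admin who routinely uses the VPN
}


def parse(line):
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(log_text, last_seen=LAST_SEEN):
    """Return one alert per (dormant user, VPN login) that reaches a DC inside WINDOW."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    vpn_logins = defaultdict(list)   # user -> VPN login timestamps seen so far
    alerted = set()                  # (user, vpn_login) already reported
    alerts = []
    for e in events:
        if e["event"] == "vpn_login":
            vpn_logins[e["user"]].append(e["ts"])
            continue
        if e["event"] != "logon" or e["src"] not in DC_HOSTS:
            continue
        # Most recent VPN login by this user within the window, if any.
        recent = [t for t in vpn_logins[e["user"]] if timedelta(0) <= e["ts"] - t <= WINDOW]
        if not recent:
            continue
        vpn_ts = recent[-1]
        seen = last_seen.get(e["user"])
        dormant = seen is None or (vpn_ts - seen).days > DORMANT_DAYS
        if not dormant or (e["user"], vpn_ts) in alerted:
            continue
        alerted.add((e["user"], vpn_ts))
        alerts.append({
            "user": e["user"],
            "vpn_login": vpn_ts,
            "dc_logon": e["ts"],
            "host": e["src"],
            "hours_to_dc": round((e["ts"] - vpn_ts).total_seconds() / 3600, 2),
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG):
        print(f"ALERT dormant account {a['user']} reached {a['host']} "
              f"{a['hours_to_dc']}h after VPN login at {a['vpn_login']}")
```

On the sample log the rule produces a single alert: msp-admin, dormant since February, reached dc01 about 54 minutes after its VPN login, well inside the hours-long dwell times the article reports. it-admin follows the same VPN-to-DC path but is not dormant and is not reported, and jdoe never touches a domain controller. The second msp-admin logon on dc01 is suppressed as a duplicate of the same VPN session rather than raising a second alert.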

The lesson for acquirers is that an acquisition brings an attack surface along with the assets: firewalls nobody inventoried, privileged accounts nobody disabled, and hosts nobody protected. Treating inherited infrastructure as untrusted until it has been inventoried, patched and brought under the same credential and endpoint controls as the rest of the enterprise is what keeps these corporate cyber-predators out.

Author: Virgilio Hermann JD