Akira’s SonicWall Exploits Targeting Major Corporations


Experts Warn: Companies Acquiring SSL VPNs During M&A Are Vulnerable


A recent surge in ransomware attacks has led to a concerning trend where cybercriminals target SSL VPN devices typically used by smaller businesses. This strategy has gained traction as these devices are inherited by larger corporations through mergers and acquisitions (M&A), rendering them vulnerable to exploitation.

Prominent among these attackers is the Akira ransomware group, which has capitalized on the misconfigurations and bugs prevalent in SonicWall devices. These devices were initially designed for small- and medium-sized enterprises, but once they become integrated into larger networks they turn into high-value targets for cybercriminals. According to a report by cybersecurity firm ReliaQuest, such acquisitions can unintentionally broaden the attack surface for would-be intruders.

Data breaches associated with inherited IT environments have repeatedly underscored the cybersecurity risks faced by organizations undergoing M&A. Experts recommend that companies perform comprehensive asset inventories of any IT infrastructure they absorb during acquisitions, ensuring robust security measures are in place.

ReliaQuest’s analysis, covering Akira’s activities from June to October, revealed that attackers often gained initial access via vulnerabilities in SonicWall devices. They then sought out privileged credentials that the acquiring organization was typically unaware of. This practice demonstrates a critical gap in security awareness, as many such credentials remained unmonitored and unchanged after the acquisition.

The average time it took for these attackers to escalate their access to sensitive areas, such as domain controllers, was approximately 9.3 hours, with some breaches occurring in as little as five hours. However, it remains uncertain whether the targeting of these firms is a strategic pursuit or simply coincidental. The lack of vigilance around privileged account management post-acquisition can allow attackers to swiftly exploit weaknesses.

ReliaQuest’s report did not specify which particular vulnerabilities were exploited by attackers affiliated with Akira. However, previous alerts from cybersecurity firm Rapid7 indicated that the group was focusing on CVE-2024-40766, a severe improper access control flaw in SonicWall’s SonicOS, which allows for remote code execution that can compromise the entire device.

Concerns Over CVE-2024-40766

SonicWall had addressed this vulnerability for its Gen 5, Gen 6, and Gen 7 firewalls in August 2024, yet many devices remain unpatched, especially older models no longer receiving updates. As noted above, Akira has actively exploited this flaw since mid-2024, alongside other hackers such as those from the Fog ransomware group.

Security experts have raised alarms about devices that were compromised before receiving updates and whose administrator credentials were never reset afterward. SonicWall has advised that users implement several measures, including resetting passwords for local accounts, particularly on devices migrating from Gen 6 to Gen 7 firewalls, where old credentials may inadvertently carry over during the transition.

Acknowledging the threat landscape, SonicWall has released updated firmware to enhance device security and mitigate brute-force attacks. Best practices also encourage enabling multi-factor authentication, logging relevant login events, and restricting access management to trusted sources, which adds layers of protection against these ongoing threats.
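The login-event logging and trusted-source restrictions recommended above only pay off if someone reviews the events. The following is an added example, not code from the article or from SonicWall: it runs simple detection logic over constructed login events in an assumed `key=value` form (not SonicWall's real log format), flagging a success that follows repeated failures, a login from outside the trusted management networks, and a login by an account missing from the acquiring organization's inventory.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample login events in a simplified key=value form (this is
# NOT SonicWall's real log format); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external sources.
SAMPLE_LOG = """\
2024-10-02T08:00:01 user=admin src=203.0.113.7 result=fail
2024-10-02T08:00:03 user=admin src=203.0.113.7 result=fail
2024-10-02T08:00:05 user=admin src=203.0.113.7 result=fail
2024-10-02T08:00:09 user=admin src=203.0.113.7 result=success
2024-10-02T09:15:00 user=legacy_svc src=198.51.100.9 result=success
2024-10-02T09:20:00 user=netops src=10.0.0.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_events(text):
    """Parse the constructed log lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_alerts(events, trusted_nets, known_accounts, fail_threshold=3):
    """Return (alert_kind, user, src) tuples in log order for: a success after
    >= fail_threshold failures from the same (user, src); a success from outside
    trusted_nets; a success by an account not in known_accounts (the inventory
    the acquiring organization is expected to build for inherited devices)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = defaultdict(int)  # (user, src) -> consecutive failure count
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            alerts.append(("brute_force_then_success", *key))
        failures[key] = 0
        if not any(ipaddress.ip_address(ev["src"]) in n for n in nets):
            alerts.append(("untrusted_source_login", *key))
        if ev["user"] not in known_accounts:
            alerts.append(("unknown_account_login", *key))
    return alerts
```

Running `find_alerts(parse_events(SAMPLE_LOG), ["10.0.0.0/8"], {"admin", "netops"})` on the constructed sample flags the `admin` login from 203.0.113.7 twice and the `legacy_svc` login twice, while the `netops` login from the trusted network raises nothing.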
