Ethical Hacking News
Attackers have found an easy way into large enterprises: the networks of the companies those enterprises have newly acquired. According to a recent analysis, Akira ransomware crews are using compromised SonicWall devices as their entry points. This article describes the tactics these attackers use and the security measures organizations need in response.
Akira ransomware crews are exploiting weaknesses in SonicWall security devices to gain access to enterprise networks. The attackers use compromised SonicWall SSL VPN appliances at acquired companies as entry points into the acquiring company's network. Three common weaknesses are exploited:
- Zombie privileged credentials
- Default or predictable hostnames
- Lack of endpoint protection
The attackers gain access in an average of 9.3 hours, and the missing endpoint protection lets them remain undetected until critical systems are already encrypted.
Akira ransomware crews have been exploiting security holes in SonicWall devices to gain access to enterprise networks, particularly those of companies acquired through mergers and acquisitions. According to a recent analysis by ReliaQuest, the attackers use compromised SonicWall SSL VPN appliances at the acquired company to gain entry into the larger acquiring company's network.
In every case analyzed by ReliaQuest between June and October, Akira affiliates successfully exploited a series of security holes in the SonicWall gear to infiltrate sensitive systems and navigate towards domain controllers. The attackers used a trifecta of vulnerabilities:
1. Zombie privileged credentials were commonly used as entry points for these ransomware operators.
2. Default or predictable hostnames made it easy for them to identify high-value servers within the enterprise network.
3. A lack of endpoint protection enabled these cyber threats to remain undetected until they had already encrypted critical systems.
The attackers began by exploiting legacy admin credentials, which let them reach sensitive systems in an average of just 9.3 hours, according to Thomas Higdon, an analyst at threat detection firm ReliaQuest. In some cases the ransomware crew reached the domain controller in five hours or less.
Once inside the network, the attackers scanned for hosts with default or predictable names, which made high-value servers easy to identify and target. Lateral movement across the enterprise network followed in an average of under an hour, on hosts where no endpoint detection and response (EDR) product was running.
Where no unprotected hosts were available, the attackers attempted to disable endpoint security products using Dynamic Link Library (DLL) sideloading techniques. The same lack of endpoint protection is what let the operators encrypt systems before defenders had a chance to detect them.
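As an added, defender-side example (not ReliaQuest's tooling or anything from the original report), the following Python audits an account and host inventory for the three weaknesses described above: zombie privileged credentials, default or predictable hostnames, and hosts without endpoint protection. The hostname patterns, the 90-day staleness threshold and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

# Names that disclose a server's role or follow a vendor default scheme.
# Assumed pattern list for illustration; tune it to your own environment.
PREDICTABLE = re.compile(
    r"^(dc|ad|sql|db|backup|bkp|fs|exch|vcenter)\d*$|^(win|desktop)-[a-z0-9]+$",
    re.IGNORECASE,
)
STALE_AFTER = timedelta(days=90)  # assumed threshold for a "zombie" credential
TODAY = date(2025, 11, 25)        # fixed reference date for the constructed data


def stale_privileged(accounts, today=TODAY):
    """Enabled privileged accounts with no logon for longer than STALE_AFTER."""
    return sorted(a["name"] for a in accounts
                  if a["privileged"] and a["enabled"]
                  and today - a["last_logon"] > STALE_AFTER)


def predictable_hostnames(hosts):
    """Hosts whose name alone tells an intruder what they are."""
    return sorted(h["name"] for h in hosts if PREDICTABLE.match(h["name"]))


def unprotected_hosts(hosts):
    """Hosts with no endpoint detection and response (EDR) agent installed."""
    return sorted(h["name"] for h in hosts if not h["edr"])


def audit(accounts, hosts, today=TODAY):
    """Run all three checks; the overlap is where an intruder would go first."""
    predictable, unprotected = predictable_hostnames(hosts), unprotected_hosts(hosts)
    return {
        "stale_privileged": stale_privileged(accounts, today),
        "predictable_hostnames": predictable,
        "unprotected_hosts": unprotected,
        "exposed_high_value": sorted(set(predictable) & set(unprotected)),
    }


# Constructed sample inventory (not real accounts or hosts).
ACCOUNTS = [
    {"name": "vpnadmin-legacy", "privileged": True, "enabled": True, "last_logon": date(2025, 3, 1)},
    {"name": "svc-backup", "privileged": True, "enabled": True, "last_logon": date(2025, 11, 20)},
    {"name": "old-it-admin", "privileged": True, "enabled": False, "last_logon": date(2024, 6, 1)},
    {"name": "jdoe", "privileged": False, "enabled": True, "last_logon": date(2025, 1, 1)},
]
HOSTS = [{"name": "DC01", "edr": True}, {"name": "SQL02", "edr": False},
         {"name": "WIN-7G3K2", "edr": False}, {"name": "acct-ws-17", "edr": True}]
```

Any non-empty list from `audit()` is a gap to close; the `exposed_high_value` entries (predictable name and no EDR) are the ones to fix first.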
It is worth noting that ReliaQuest was unable to determine whether the Akira affiliates were specifically targeting companies undergoing mergers and acquisitions. The analysts did, however, identify a common thread across all the cases: the crews were exploiting common weaknesses in small- and medium-sized businesses that used SonicWall devices.
While the security shop cannot pinpoint the exact motivations behind these attacks, its findings offer valuable insight into the tactics attackers use to breach enterprise networks. The use of compromised SonicWall gear as entry points for ransomware operations highlights the need for improved security measures within organizations, particularly endpoint protection and secure configuration of network devices.
Related Information:
https://www.ethicalhackingnews.com/articles/Akira-Ransomware-Crews-Exploit-SonicWall-Security-Holes-to-Infect-Enterprise-Networks-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
https://trivista.com/trivista-insights/private-equity-cybersecurity-why-pe-firms-and-their-portfolio-companies-are-prime-targets-for-cyber-breaches/
https://reliaquest.com/blog/cybersecurity-challenge-in-mergers-and-acquisitions/
Published: Tue Nov 25 16:49:30 2025 by llama3.2 3B Q4_K_M