Ethical Hacking News
The recent surge in Akira ransomware attacks has brought attention to the vulnerabilities of enterprise networks, particularly those that have undergone mergers and acquisitions. By exploiting compromised SonicWall firewalls and SSL VPN misconfigurations, attackers can quickly gain access to sensitive systems and conduct devastating attacks.
Enterprises with merged networks are vulnerable to ransomware attacks through compromised SonicWall firewalls and SSL VPN misconfigurations. The attackers exploited zombie privileged credentials, default or predictable hostnames, and a lack of endpoint protection to gain access to sensitive systems. The average time from lateral movement to ransomware deployment was under an hour, highlighting the speed of attacker movement through networks. Companies must prioritize closing security gaps in their networks during mergers and acquisitions, including enabling endpoint security products and implementing robust threat detection and response strategies.
According to a report by ReliaQuest, a threat detection firm, Akira ransomware affiliates have been exploiting compromised SonicWall firewalls and SSL VPN misconfigurations to gain access to vulnerable devices and carry out ransomware and data-theft attacks.
The study analyzed 15 Akira ransomware incidents between June and October, all of which involved buggy SonicWall SSL VPN appliances. In every case, the threat detection firm found that the ransomware operators gained access to the larger, acquiring enterprise because they had already compromised the smaller company's SonicWall gear.
"In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed," said Thomas Higdon, a ReliaQuest threat intel analyst. "We found that every one of these incidents involved zombie privileged credentials, default or predictable hostnames, and a lack of endpoint protection."
Once inside, the attackers reached domain controllers in an average of just 9.3 hours. They then scanned the network for hosts with default or predictable names, which made it easy to identify high-value servers to infect.
Where no unprotected hosts were available, they attempted to disable endpoint security products using Dynamic Link Library (DLL) sideloading. Missing or disabled endpoint protection also made it easier for the criminals to encrypt systems before defenders could detect them.
The study found that across all 15 incidents, the time from lateral movement to ransomware deployment averaged under an hour. This highlights the speed at which attackers can move laterally through a network and deploy ransomware once they have gained access.
The recent surge in Akira ransomware attacks is a stark reminder of the importance of closing security gaps in enterprise networks, particularly those that have undergone mergers and acquisitions. As Higdon noted, "We can't determine if the criminals were purposely targeting mergers and acquisitions, but we do know that SonicWall SSL VPN devices are commonly used by small- and medium-sized businesses, which are often the types of companies that undergo an acquisition."
As companies navigate the challenges of mergers and acquisitions, they must prioritize closing security gaps in their networks. This includes ensuring that endpoint security products are enabled, monitoring for default or predictable hostnames, and implementing robust threat detection and response strategies.
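One way to act on these recommendations, as an added example in Python (not code from the report or this article): a post-acquisition inventory audit that flags inherited VPN or firewall devices with no known owner, hosts without an endpoint agent, and default or predictable hostnames. The inventory rows and the hostname patterns are constructed assumptions, not the report's own data.

```python
import re

# Constructed asset inventory for an acquiring enterprise after a merger.
# Values are made up for illustration; "edr" records whether an endpoint
# security agent is enrolled (None = not applicable / unknown).
INVENTORY = [
    {"host": "DESKTOP-7F3K2LM",  "owner": "acquired-co", "role": "workstation", "edr": False},
    {"host": "WIN-A1B2C3D4E5F",  "owner": "acquired-co", "role": "server",      "edr": False},
    {"host": "DC01",             "owner": "acquired-co", "role": "dc",          "edr": True},
    {"host": "sonicwall-sslvpn", "owner": "unknown",     "role": "vpn",         "edr": None},
    {"host": "fin-erp-prd-03",   "owner": "acquirer",    "role": "server",      "edr": True},
]

# Hostname patterns treated as default or predictable (assumed examples, not
# the report's list): Windows setup defaults and bare role-plus-counter names.
PREDICTABLE = [
    re.compile(r"^DESKTOP-[A-Z0-9]{7}$", re.I),             # Windows 10/11 default
    re.compile(r"^WIN-[A-Z0-9]{11}$", re.I),                # Windows Server default
    re.compile(r"^(DC|SRV|SQL|FS|EXCH|AD)\d{1,3}$", re.I),  # role + counter
]


def is_predictable(host):
    """True if the hostname matches a default or role-plus-number pattern."""
    return any(p.match(host) for p in PREDICTABLE)


def audit(inventory):
    """Return findings as (severity, host, reason), most urgent first."""
    findings = []
    for asset in inventory:
        host = asset["host"]
        if asset["role"] == "vpn" and asset["owner"] == "unknown":
            findings.append((1, host, "inherited VPN/firewall device with no owner; verify firmware, accounts and exposure"))
        if asset["edr"] is False:
            findings.append((2, host, "no endpoint protection agent enrolled"))
        if is_predictable(host):
            findings.append((3, host, "default or predictable hostname; trivial to enumerate"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, host, reason in audit(INVENTORY):
        print(f"[P{severity}] {host}: {reason}")
```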
The ReliaQuest report serves as a warning to organizations that have not adequately secured inherited network equipment against ransomware. As the threat landscape continues to evolve, organizations should prioritize security awareness and implement robust security measures to protect themselves against ransomware attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Akira-Ransomware-How-Compromised-SonicWall-Devices-Are-Leaving-Enterprise-Networks-Vulnerable-to-Extortion-Attacks-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
https://corpgov.law.harvard.edu/2023/05/25/venture-predation/
https://www.ineteconomics.org/perspectives/blog/how-economists-turned-corporations-into-predators
Published: Tue Nov 25 17:15:55 2025 by llama3.2 3B Q4_K_M