Akira ransomware crew infected enterprise systems during M&A • The Register

Routine mergers and acquisitions are giving extortionists an easy way in, with Akira affiliates reaching parent networks through compromised SonicWall gear inherited in the deal, according to ReliaQuest.

In every Akira attack the threat detection firm analyzed between June and October that involved buggy SonicWall SSL VPN appliances, the ransomware operators gained access to the larger, acquiring enterprises because they had already compromised the smaller companies’ SonicWall gear.

“In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed,” ReliaQuest threat intel analyst Thomas Higdon stated in a Tuesday blog.

Over the summer, Akira affiliates exploited buggy SonicWall firewalls and SSL VPN misconfigurations to gain access to vulnerable devices and conduct ransomware and data-stealing attacks.

While the security shop says it can’t determine whether the criminals were purposely targeting mergers and acquisitions, SonicWall SSL VPN devices are commonly used by small- and medium-sized businesses – and these are the types of companies likely to undergo an acquisition.

Besides having M&A in common, all of the Akira ransomware infections also shared these three things: zombie privileged credentials, default or predictable hostnames, and a lack of endpoint protection.

So if you don’t want to fall victim to this or other ransomware operations – especially if your company is undergoing mergers and acquisitions – make sure to close up those security gaps in your IT environment.

The Register asked ReliaQuest how many of these incidents it analyzed, and the researchers declined to say.

But we’re told that in every one of these intrusions, immediately after gaining access to the enterprise network via compromised SonicWall devices, the miscreants started snooping around for privileged accounts transferred over during the acquisition process. These included old managed service provider accounts or legacy admin credentials, all unknown to the acquiring company, and typically left unmonitored and unrotated.

“In the incidents we analyzed, by exploiting a legacy admin credential, Akira operators gained access to sensitive systems and navigated to a domain controller (DC) in an average of just 9.3 hours,” Higdon wrote, adding that in some cases it only took five hours or less. 

Next, they scanned networks for hosts with default or predictable names, which made it easy for the ransomware crew to identify and infect domain controllers, application servers, and other high-value servers.

Across all of these intrusions, the time from lateral movement to ransomware deployment averaged under an hour.

Additionally, in every case, Akira affiliates scanned the enterprise networks for critical hosts without endpoint detection and response products enabled. In cases where there weren’t any unprotected hosts, they attempted to disable the endpoint security products using Dynamic Link Library (DLL) sideloading techniques.

This lack of endpoint security also made it easier for the criminals to encrypt systems before defenders could detect them. ®
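The three conditions ReliaQuest says every intrusion shared (dormant privileged credentials, predictable hostnames, and hosts with no endpoint agent) are all things an acquiring company can check for in an inherited environment before attackers do. The script below is an added illustration, not ReliaQuest's or The Register's code: it runs those three checks over a small, constructed account and host inventory. The field names, thresholds, and hostname patterns are assumptions chosen for the example.

```python
"""Post-acquisition hygiene audit (constructed example, not from the article).

Flags the three conditions reported in every Akira intrusion: stale
privileged credentials, default or predictable hostnames, and hosts with
no endpoint detection and response (EDR) agent.  All inventory data below
is constructed; the field names and thresholds are assumptions.
"""
import re
from datetime import date

TODAY = date(2025, 10, 31)  # fixed reference date so the run is reproducible

# Constructed account inventory, as might be exported from the acquired domain.
ACCOUNTS = [
    {"name": "msp-admin",  "privileged": True,  "last_logon": date(2024, 3, 2),   "pwd_last_set": date(2023, 11, 15), "origin": "acquired"},
    {"name": "legacy-da",  "privileged": True,  "last_logon": None,               "pwd_last_set": date(2022, 6, 1),   "origin": "acquired"},
    {"name": "svc-backup", "privileged": True,  "last_logon": date(2025, 10, 30), "pwd_last_set": date(2025, 9, 20),  "origin": "parent"},
    {"name": "jdoe",       "privileged": False, "last_logon": date(2024, 1, 5),   "pwd_last_set": date(2023, 1, 5),   "origin": "acquired"},
]

# Constructed host inventory for the inherited network segment.
# edr=None marks an appliance that cannot carry an agent at all.
HOSTS = [
    {"hostname": "DC01",            "role": "domain controller", "edr": True},
    {"hostname": "SQL-02",          "role": "database",          "edr": False},
    {"hostname": "WIN-7K2P9Q1M3R4", "role": "workstation",       "edr": False},
    {"hostname": "orion-ledger",    "role": "application",       "edr": True},
    {"hostname": "sonicwall-vpn",   "role": "network appliance", "edr": None},
]

# Naming schemes that reveal a host's role or come from OS defaults (assumed set).
PREDICTABLE_NAME_PATTERNS = [
    re.compile(r"^(dc|srv|sql|app|web|fs|ex)-?\d{1,3}$", re.I),  # role + counter
    re.compile(r"^win-[a-z0-9]{11}$", re.I),                     # Windows Server default name
    re.compile(r"^desktop-[a-z0-9]{7}$", re.I),                  # Windows 10/11 default name
]


def find_zombie_privileged_accounts(accounts, today=TODAY, max_idle_days=90, max_pwd_age_days=90):
    """Privileged accounts that are idle or whose password has not been rotated."""
    flagged = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        idle = acct["last_logon"] is None or (today - acct["last_logon"]).days > max_idle_days
        stale_pwd = (today - acct["pwd_last_set"]).days > max_pwd_age_days
        if idle or stale_pwd:
            flagged.append(acct["name"])
    return flagged


def find_predictable_hostnames(hosts):
    """Hosts whose names reveal their role or follow a default naming scheme."""
    return [h["hostname"] for h in hosts
            if any(p.match(h["hostname"]) for p in PREDICTABLE_NAME_PATTERNS)]


def find_hosts_without_edr(hosts):
    """Hosts that could carry an agent (edr is not None) but have none installed."""
    return [h["hostname"] for h in hosts if h["edr"] is False]


def audit(accounts=ACCOUNTS, hosts=HOSTS, today=TODAY):
    """Run all three checks and return the findings keyed by condition."""
    return {
        "zombie_privileged_accounts": find_zombie_privileged_accounts(accounts, today),
        "predictable_hostnames": find_predictable_hostnames(hosts),
        "hosts_without_edr": find_hosts_without_edr(hosts),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Against the constructed inventory, the audit flags the two inherited privileged accounts (one idle, one never logged on and with a years-old password), the domain controller and database server whose names announce their role, the workstation still carrying a default Windows name, and the two hosts missing an EDR agent. In practice the inventories would come from the acquired directory and asset management exports, and the thresholds would follow the acquiring company's own policy.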
