{"id":5963,"date":"2025-11-27T00:59:02","date_gmt":"2025-11-27T00:59:02","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5963"},"modified":"2025-11-27T00:59:02","modified_gmt":"2025-11-27T00:59:02","slug":"sonicwall-ransomware-attacks-offer-an-ma-lesson-for-csos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5963","title":{"rendered":"SonicWall ransomware attacks offer an M&amp;A lesson for CSOs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&amp;A deals or risk their organizations being stung by hackers.<\/p>\n<p>That\u2019s the conclusion <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-akira-ransomwares-sonicwall-campaign-creates-enterprise-m&amp;a-risk\" target=\"_blank\" rel=\"noopener\">from a report this week by researchers at ReliaQuest.<\/a><\/p>\n<p>They looked at a series of attacks between June and October using the Akira ransomware strain to target SonicWall SSL VPNs, and found a link: In almost every incident, hackers gained a foothold on an enterprise network by compromising a SonicWall device inherited from a smaller acquired business.<\/p>\n<p>When asked, ReliaQuest wouldn\u2019t say how many incidents it had investigated. But the report does say that in each case, IT wasn\u2019t aware the devices were currently in their environment.<\/p>\n<p>\u201cStandard M&amp;A due diligence is not enough,\u201d says the report. 
\u201cSecurity teams must proactively secure inherited technologies, prioritizing early visibility into new environments, like remote access tools, to address risky configurations and outdated credentials before attackers exploit them.\u201d<\/p>\n<p>The warning isn\u2019t new. Experts have been saying for years that examining a potential acquisition\u2019s finances isn\u2019t enough. Scrutinizing its IT assets also has to be involved, so boards understand both the financial and the cyber risks of a deal.<\/p>\n<p>Exhibit A: The discovery in 2018 by <a href=\"https:\/\/www.csoonline.com\/article\/567795\/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html\" target=\"_blank\" rel=\"noopener\">Marriott that data on hundreds of millions of guests from the reservation system of its Starwood chain of hotels<\/a> had been stolen. Marriott bought Starwood in 2016. Its network had been infiltrated two years earlier, and the breach was undetected for four years, even after the Marriott acquisition.<\/p>\n<p>\u201cSecurity leaders do need to be involved in the M&amp;A process,\u201d said <a href=\"https:\/\/www.infotech.com\/profiles\/fred-chagnon\" target=\"_blank\" rel=\"noopener\">Fred Chagnon<\/a>, a principal research director at Info-Tech Research, which did a case study on the Marriott-Starwood incident.<\/p>\n<p>One reason why CSOs\/CIOs and their equivalents aren\u2019t brought in, he said, is that cyber risk is invisible compared to the hard numbers that can be found in financial records. 
As a result, \u201cwe\u2019ve had difficulty in this industry in communicating cyber risks as financial liabilities\u201d to CEOs and boards.<\/p>\n<p>IT leaders have to push the message that security risk is enterprise risk, he said.<\/p>\n<p>Ultimately, he added, the board has to be reminded that it is responsible for assessing the cyber as well as the financial risks of a deal.<\/p>\n<p><strong>Related content: <a href=\"https:\/\/www.cio.com\/article\/415233\/why-and-when-cios-deserve-a-seat-at-the-ma-negotiating-table.html\" target=\"_blank\" rel=\"noopener\">Why, and when, CIOs deserve a seat at the M&amp;A negotiating table<\/a><\/strong><\/p>\n<p>Should infosec leaders be asked to be part of an M&amp;A team, the actual assessment of the potential acquisition should be contracted to a third-party expert, Chagnon added. That\u2019s because the security team won\u2019t have time to do it themselves, and the other side will likely be more willing to divulge sensitive IT information to a third party than to a competitor.<\/p>\n<p>The majority of M&amp;A activities still follow a security checklist approach, noted <a href=\"https:\/\/cypfer.com\/team-member\/ed-dubrovsky\/\" target=\"_blank\" rel=\"noopener\">Ed Dubrovski<\/a>, chief operating officer of incident response firm Cypfer, \u201cwhich essentially is really a glorified third\u00a0party vendor assessment. 
Such activities meet the check-in-the-box requirements but do nothing really to address the real core of the issue: lack of current and relevant information about possible risks.\u201d\u00a0<\/p>\n<p>Those doing cybersecurity assessments of a potential acquisition should start with an inventory or list of IT assets before asking if the organization has an information security policy and underlying policies, he added.\u00a0<\/p>\n<p>After an acquisition, CSOs should treat the new network as a third\u00a0party connection request and keep it segmented until the core risks have been quantified before attempting to integrate environments, he added.<\/p>\n<p>\u201cThe reality is that the combined risk posture is [only] as good as the riskiest party,\u201d he said.<\/p>\n<p>The cybersecurity posture of an acquisition should be a high priority for inspection during the due diligence period, agreed <a href=\"https:\/\/www.linkedin.com\/in\/fsmontenegro\/\" target=\"_blank\" rel=\"noopener\">Fernando Montenegro<\/a>, vice president and cybersecurity practice lead at advisory firm Futurum, regardless of the size of the business being acquired.<\/p>\n<p>The security team must be properly connected to the rest of the organization, including the corporate development (corpdev) group that typically spearheads mergers and acquisitions, he said.<\/p>\n<p>\u201cThe challenge here is that security teams should work with corpdev to have the right framework to analyze these deals, including interviews with key executives at the target company, access to any audit\/compliance documentation, and a thorough look at the digital footprint and internal state of the acquired company.<\/p>\n<p>Ideally, he added, the program includes both \u2018outside-in\u2019 and \u2018inside-out\u2019 perspectives on the potential acquisition, a thorough review of their security program, history of any security incidents, key third-party relationships they may have, and more.<\/p>\n<p>On top of that, there 
will be numerous considerations about what the IT integration will look like, including network connectivity and business application connectivity.<\/p>\n<p>In its report, ReliaQuest notes that SonicWall devices are often used by small and mid-sized firms, which are often M&amp;A targets of larger companies. However, it said, it can\u2019t be sure firms were targeted by Akira operators because they\u2019d swallowed organizations that had SonicWall devices.<\/p>\n<p>It did say that in the incidents examined, once inside the victims\u2019 networks, the attackers immediately looked for privileged accounts, such as those originating from old managed service provider (MSP) or administrator logins, that had been transferred over during the M&amp;A process. \u201cCrucially, these credentials were often unknown to the acquiring company, and left unmonitored and unrotated post-acquisition,\u201d the report says.<\/p>\n<p>We asked ReliaQuest how often vulnerabilities in technology acquired from an M&amp;A cause later breaches of security controls. In response, a spokesperson said, \u201cthe fact that we\u2019ve seen consecutive breaches of Akira targeting smaller organizations where they are leveraging vulnerabilities means that larger organizations should address the risks during onboarding and understand the scope before purchasing.\u201d \u00a0\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. 
Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5964,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5963"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5963"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5963\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5964"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}