In late August, researchers with IronNet discovered a likely China-based threat actor that had infiltrated a U.S. software company through a troubling avenue: legacy infrastructure from a company acquisition several years prior.
The threat actor used compromised VPN credentials to gain initial access to a compartmentalized segment of the business before deploying the Shack2 and China Chopper web shells. That segment, which contained unpatched, legacy systems such as file servers, data repositories, and consumer and transaction databases, belonged to a company that the unnamed targeted organization had acquired in 2014. In their analysis, the researchers said they believe the attackers were on the network for weeks or even months, staging for further exploitation with a possible end goal of stealing data or finding a pivot point into production environments.
The incident points to the security risks inherent in company merger and acquisition (M&A) activity, which has continued at a strong pace after the pandemic, with volumes increasing 64 percent year-over-year in 2021. Any time a company goes through change of any kind it becomes particularly vulnerable to cyberattacks, security experts say - but the inherent complexity, speed and secrecy of the acquisitions process make this landscape particularly lucrative for threat actors.
“The M&A space is a target with high financial stakes,” said Jason Button, director of Security and Trust M&A with Cisco. “Acquisitions made by large companies usually call for front page attention and that can make the acquired company a target. Hypothetically, take the scenario in which the parent and acquired companies prematurely connect their networks and or share sensitive data. If the acquired company has poor security, it could be an easy jumping off point to the parent company for much more valuable information.”
The impact of cybersecurity weaknesses or incidents at organizations is becoming a bigger factor in the M&A process, with a 2019 Forescout survey revealing that 81 percent of IT and business decision makers were focused more on the acquisition target’s cybersecurity posture than in the past. Meanwhile, more than half of respondents said they had encountered a critical security issue or incident during an M&A deal that put the deal in jeopardy, showing that security weaknesses affect the deals themselves. After a spate of data breaches was disclosed at Yahoo in 2016, for instance, Verizon in 2017 ended up acquiring the company for $350 million less than originally planned.
“Every environment is different, every acquisition is different, and many times you're navigating not only business strategy but emotional strategy,” said Button. “When it’s made public that a company is being acquired, it can make it a much larger target for bad actors. It is critical to plan and execute security improvements quickly.”
The M&A lifecycle has several stages that at a high level span the initial screening of a company and start of negotiations, the pre-announcement stage, signing and finalizing of the deal and the final integration.
During all of these phases, there are several steps an acquiring company must take to determine the target organization’s security posture. Before actual negotiations, while the acquiring company is going through its initial screening of the target, it needs to identify the target’s security and privacy risks by conducting a detailed risk assessment and scoping out early indicators of risk based on publicly available information, for instance. Between the pre-announcement stage and signing, and once the deal is legally signed, acquiring companies also need to conduct more active threat hunting and penetration testing, and review the target’s processes to make sure they are aligned with the acquirer’s own security policies.
Visibility is key when approaching these different M&A stages so that the acquiring company can better understand the data that needs to be protected - whether it’s IP, credit card data, or GDPR-regulated information, for instance - and what the risks are that need to be managed.
However, M&A processes are often fast-moving, making it difficult to perform due diligence around important security measures and requirements. According to the Forescout survey, only 36 percent of respondents strongly agreed that their IT teams were given adequate time to review targets’ cybersecurity standards, processes and protocols before completing an acquisition.
The challenge around cybersecurity during the M&A process is also exacerbated by a lack of upfront communication that keeps key teams in the loop - including security teams - as well as important documentation that gives insight into this security posture.
Businesses often make the critical error of keeping security teams in the dark about the fact that an M&A deal is being explored, said James Christiansen, Netskope’s vice president of cloud security transformation and leader of the Global Chief Strategy Office. Security experts are typically engaged, along with the broader team, only after the letter of intent is signed, but by then it is too late to bring them in early enough to fully understand the security posture of the target company, he said.
“When going through that first phase of due diligence - before you get to the letter of intent and signatures - the acquiring company often is very very secretive about the fact that they’re going to be acquired,” said Christiansen. “It’s hard to get any real solid data out of them. Sometimes they’ll involve the chief security officer, and show their vulnerability reports and pen test results, but that’s the best you’ll get.”
Morgan Demboski, threat intelligence analyst with IronNet, said that another top challenge for organizations acquiring another company is a lack of insight into documented assets, such as cybersecurity artifacts, technical documentation, and asset and data inventory.
“In the case we detected, the threat actors specifically targeted a network segment that was integrated through a prior company acquisition and contained legacy infrastructure,” said Demboski. “Since this acquisition happened several years prior, there was likely not proper protocols and documentation in terms of technical infrastructure during the acquisition, and the network segment was likely forgotten about by the victim enterprise as a result. Though we do not know exactly how long the threat actor had access to the environment, it is apparent they were targeting the acquired network segment for a reason, likely to exploit the unmonitored legacy infrastructure within it.”
The processes needed to better understand key security risks facing a target company don’t end after an acquisition deal is signed and announced. For instance, Demboski said that when approaching the final integration phase, organizations must have a comprehensive integration strategy, as a lack of protocols can leave large security gaps when converging network systems. That includes dedicating time to asset/data identification, training, and planning the integration strategy to ensure nothing slips through the cracks, said Demboski, as well as establishing a governance model for ongoing incident handling and remediating any outstanding unpatched vulnerabilities.
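The asset and data identification step described above comes down to one check: does what the acquired company documented match what is actually running in the acquired segment, and is any of it the kind of unpatched, unmonitored legacy host the IronNet case turned on? The following script is an added example, not code from the article, IronNet or any of the companies quoted; all host names, owners, dates and segment labels in it are constructed, and the 90-day patch-age threshold is an assumed policy value.

```python
"""Reconcile an acquired company's documented asset inventory against the hosts
actually observed in its network segment during integration.

Added example (not from the article); all records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class InventoryRecord:
    """One row from the due-diligence asset inventory handed over by the acquiree."""
    host: str
    owner: str
    role: str
    last_patched: date
    monitored: bool  # True if the host already feeds the acquirer's logging/EDR


@dataclass
class ObservedHost:
    """A host seen by a network scan or passive traffic collection in the segment."""
    host: str
    segment: str
    services: List[str]


@dataclass
class Findings:
    undocumented: List[str] = field(default_factory=list)  # on the wire, not in inventory
    stale: List[str] = field(default_factory=list)         # in inventory, never seen
    unpatched: List[str] = field(default_factory=list)     # patch age over threshold
    unmonitored: List[str] = field(default_factory=list)   # no log/EDR coverage


def reconcile(inventory, observed, today, max_patch_age_days=90):
    """Compare documentation against reality and bucket every discrepancy."""
    by_name = {r.host.lower(): r for r in inventory}
    seen = {h.host.lower() for h in observed}
    findings = Findings()
    for h in observed:
        rec = by_name.get(h.host.lower())
        if rec is None:
            # A live host nobody documented: the classic "forgotten segment" asset.
            findings.undocumented.append(h.host)
            continue
        if (today - rec.last_patched).days > max_patch_age_days:
            findings.unpatched.append(h.host)
        if not rec.monitored:
            findings.unmonitored.append(h.host)
    # Documented but absent: decommissioned, renamed, or simply not reachable from here.
    findings.stale = sorted(r.host for r in inventory if r.host.lower() not in seen)
    for bucket in (findings.undocumented, findings.unpatched, findings.unmonitored):
        bucket.sort()
    return findings


def prioritize(findings):
    """Hosts to deal with first: undocumented ones, and documented hosts that are
    both out of patch and invisible to monitoring (the combination the attackers
    in the article went looking for)."""
    both = set(findings.unpatched) & set(findings.unmonitored)
    return sorted(set(findings.undocumented) | both)


# Constructed sample data for the acquired segment.
INVENTORY = [
    InventoryRecord("fs-legacy-01", "acq-it", "file server", date(2019, 3, 2), False),
    InventoryRecord("db-txn-02", "acq-dba", "transaction database", date(2021, 8, 15), True),
    InventoryRecord("app-portal-03", "acq-web", "web portal", date(2021, 9, 1), True),
    InventoryRecord("decom-backup-09", "acq-it", "backup host", date(2017, 5, 20), False),
]
OBSERVED = [
    ObservedHost("fs-legacy-01", "acq-dmz", ["smb"]),
    ObservedHost("db-txn-02", "acq-data", ["mssql"]),
    ObservedHost("app-portal-03", "acq-dmz", ["http"]),
    ObservedHost("web-old-07", "acq-dmz", ["http"]),  # never made it into the inventory
]
TODAY = date(2021, 9, 30)

if __name__ == "__main__":
    f = reconcile(INVENTORY, OBSERVED, TODAY)
    print("undocumented:", f.undocumented)
    print("stale:       ", f.stale)
    print("unpatched:   ", f.unpatched)
    print("unmonitored: ", f.unmonitored)
    print("fix first:   ", prioritize(f))
```

The point of keeping the four buckets separate is that each one maps to a different integration task: undocumented hosts need an owner and a decision (retire or onboard), stale records need cleaning out of the inventory, unpatched hosts go to remediation, and unmonitored hosts go to whoever owns log and endpoint coverage before the segment is connected to anything in the parent company.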
The establishment of a security culture is one of the most important - and challenging - aspects of this integration phase, as different companies may have different views of the level of risk that they’re willing to take.
“It’s tough to change a culture,” said Christiansen. “In security we’re always looking at how we create a better, more aware culture. But when it comes to culture, it’s really interesting because at the business level there will be two cultures between the [acquiring and acquired] businesses. There might be a more risk-averse and a risk-taking company. So you’ll start articulating those goals and getting them trained on your programs and what you expect. It’s all about encouraging behaviors.”
Across all these various stages of the M&A process, transparency is paramount, and both sides need to set clear expectations early on about priorities and how the companies are going to integrate, said Cisco’s Button.
“I can't stress that enough,” said Button. “Without this both sides will struggle from day one. After that, it's all about identifying, preferably before announcement, any vulnerabilities that need to be resolved in the acquiree’s people, process, or systems. Any or all three can be weak points that will need shoring up immediately.”