An “aggressive” financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances, before the vendor had patched it, to deploy a new strain of ransomware tracked as FIVEHANDS.
The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an “improper SQL command neutralization” flaw (a pre-authentication SQL injection) in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant researchers said. “UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
CVE-2021-20016 is the same zero-day that the San Jose-based company reported was exploited by “highly sophisticated threat actors” to stage a “coordinated attack on its internal systems” earlier this year. On January 22, The Hacker News exclusively revealed that SonicWall had been breached by exploiting “probable zero-day vulnerabilities” in its SMA 100 series remote access devices.
Successful exploitation of the flaw grants an attacker the ability to obtain login credentials as well as session information that can then be used to log into a vulnerable, unpatched SMA 100 series appliance. In practical terms, any SMA 100 device that ran 10.x firmware earlier than the fixed release (10.2.0.5-29sv) while exposed to the internet should be treated as potentially compromised, and credentials that were valid on it should be rotated, since a patch alone does not invalidate credentials already stolen through the injection.
In accordance to the FireEye-owned subsidiary, the intrusions are mentioned to have happened in January and February 2021, with the threat actor working with malware known as SombRAT to deploy the FIVEHANDS ransomware. It truly is worth noting that SombRAT was uncovered in November 2020 by BlackBerry scientists in conjunction with a marketing campaign called CostaRicto undertaken by a mercenary hacker team.
UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware before swapping it for FIVEHANDS in January 2021. Incidentally, both ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom.
“Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,” the researchers said.
FIVEHANDS also differs from DeathRansom and HelloKitty in its use of a memory-only dropper and additional features that allow it to accept command-line arguments and to use the Windows Restart Manager to close files currently in use prior to encryption. The Restart Manager step matters because a file held open by another process (a database, an Office document, a backup agent) would otherwise fail to encrypt; it also means the ransomware's use of the Restart Manager API is a behavior defenders can watch for, since few legitimate programs enumerate and terminate the handle owners of large numbers of user files in quick succession.
The disclosure comes less than two weeks after FireEye divulged three previously unknown vulnerabilities in SonicWall's email security software that were actively exploited to deploy a web shell for backdoor access to the victim. FireEye is tracking that malicious activity under the moniker UNC2682.