An "aggressive" financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances, before the company patched it, to deploy a new strain of ransomware called FIVEHANDS.
The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.
"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers said. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."
CVE-2021-20016 is the same zero-day that the San Jose-based company said was exploited by "sophisticated threat actors" to stage a "coordinated attack on its internal systems" earlier this year. On January 22, The Hacker News exclusively revealed that SonicWall had been breached by exploiting "probable zero-day vulnerabilities" in its SMA 100 series remote access devices.
Successful exploitation of the flaw would grant an attacker the ability to access login credentials as well as session information that could then be used to log into a vulnerable, unpatched SMA 100 series appliance.
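The flaw class named above, "improper SQL command neutralization" (CWE-89), is easiest to understand side by side with its fix. The following is an added illustration, not SonicWall's code and not derived from the SMA100 firmware: it builds a constructed in-memory SQLite user table (an assumed schema) and compares a login check that splices user input into the SQL text with one that passes the same values as bound parameters. The first can be made to return a row without knowing the password; the second treats the input strictly as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database; the schema and row are assumptions for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Improper neutralization: attacker-controlled text becomes part of the SQL command.
    # A quote or comment sequence in `username` rewrites the WHERE clause.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values separately from the SQL text,
    # so no input can change the command's structure, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username: str, password: str) -> tuple:
    """Run both checks on the same input and return (vulnerable_result, hardened_result)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_hardened(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both versions agree.
    print("valid login      :", compare("alice", "correct-horse-battery"))
    # Malformed username containing a quote and a SQL comment marker, with an empty password:
    # the concatenated query truncates its own password check; the bound query does not.
    print("malformed input  :", compare("alice'--", ""))
```

The practitioner's check is the second line of output: a login routine that returns `True` for a username containing a stray quote and an empty password is concatenating SQL and needs the parameterized form (or an ORM that does the binding). In production code the password comparison would also be a salted hash, which this demo omits to keep the contrast to the query construction alone.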
According to the FireEye-owned subsidiary, the intrusions are said to have occurred in January and February 2021, with the threat actor using malware called SombRAT to deploy the FIVEHANDS ransomware. It's worth noting that SombRAT was discovered in November 2020 by BlackBerry researchers in connection with a campaign called CostaRicto undertaken by a mercenary hacker group.
UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware, before swapping it for FIVEHANDS in January 2021. Incidentally, both ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom.
"Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said.
FIVEHANDS also differs from DeathRansom and HelloKitty in using a memory-only dropper and additional features that allow it to accept command-line arguments and use the Windows Restart Manager to close a file that is currently in use prior to encryption.
The disclosure comes less than two weeks after FireEye divulged three previously unknown vulnerabilities in SonicWall's email security software that were actively exploited to deploy a web shell for backdoor access to the victim. FireEye is tracking this malicious activity under the moniker UNC2682.