An “aggressive” financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances before the company patched it, using it to deploy a new strain of ransomware called FIVEHANDS.
The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an “improper SQL command neutralization” flaw (in other words, a SQL injection bug) in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant researchers said. “UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
CVE-2021-20016 is the same vulnerability that the San Jose-based company said was exploited by “sophisticated threat actors” to stage a “coordinated attack on its internal systems” earlier this year. On January 22, The Hacker News exclusively reported that SonicWall had been breached by exploiting “probable zero-day vulnerabilities” in its SMA 100 series remote access devices.
Successful exploitation of the flaw would grant an attacker the ability to read login credentials as well as session information from the appliance's database, which could then be used to log into a vulnerable, unpatched SMA 100 series appliance without ever knowing a valid password.
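The flaw class behind CVE-2021-20016, “improper neutralization of special elements used in an SQL command” (CWE-89), is easiest to see side by side with its fix. The following is an added, self-contained illustration and is not SonicWall's code or Mandiant's analysis: it uses a constructed in-memory SQLite database with two hypothetical tables (`users` and `sessions`) and two constructed payloads, and shows how a login query built by string concatenation leaks session tokens and bypasses the password check, while the same inputs bound as query parameters do neither.

```python
import hashlib
import sqlite3

# Constructed sample records; these are not real credentials from any incident.
USERS = {"alice": "alice-pass", "bob": "bob-pass"}
SESSION_TOKENS = ["tok-alice-1", "tok-bob-7"]

# Two constructed payloads, hypothetical illustrations of the flaw class only.
BYPASS_PAYLOAD = "alice' --"                               # comments out the password check
DUMP_PAYLOAD = "x' UNION SELECT token FROM sessions --"    # appends the sessions table to the result


def hash_password(pw: str) -> str:
    """Illustrative only; a real appliance should use a salted, slow password hash."""
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build the hypothetical appliance database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("CREATE TABLE sessions (username TEXT NOT NULL, token TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in USERS.items()])
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", zip(USERS, SESSION_TOKENS))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """CWE-89: attacker-controlled strings are spliced into the SQL text, so quote
    characters and comment markers in the input are parsed as SQL, not as data."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Parameterised query: the driver binds the values after the statement is
    compiled, so the same payloads are compared literally and match nothing."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash))]


if __name__ == "__main__":
    db = make_db()
    good = hash_password("alice-pass")
    print("legit login (vuln) :", login_vulnerable(db, "alice", good))
    print("legit login (safe) :", login_safe(db, "alice", good))
    print("bypass  (vuln)     :", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("bypass  (safe)     :", login_safe(db, BYPASS_PAYLOAD, "wrong"))
    print("dump sessions (vuln):", login_vulnerable(db, DUMP_PAYLOAD, "wrong"))
    print("dump sessions (safe):", login_safe(db, DUMP_PAYLOAD, "wrong"))
```

The `DUMP_PAYLOAD` case is the one that matters for the attack chain described above: with string-built SQL, the `UNION` turns a login lookup into a read of the `sessions` table, and the leaked tokens are then enough to authenticate without a password. Binding parameters removes the whole class of bug rather than trying to blocklist quote characters.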
According to the FireEye-owned subsidiary, the intrusions are said to have occurred in January and February 2021, with the threat actor using malware called SombRAT to deploy the FIVEHANDS ransomware. It's worth noting that SombRAT was discovered in November 2020 by BlackBerry researchers in connection with a campaign called CostaRicto undertaken by a mercenary hacker group.
UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware before swapping it for FIVEHANDS in January 2021. Incidentally, both ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom.
“Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,” the researchers said.
FIVEHANDS also differs from DeathRansom and HelloKitty in its use of a memory-only dropper and additional features that allow it to accept command-line arguments and to use the Windows Restart Manager (a legitimate API that installers use to release file locks) to close a file currently in use prior to encryption, so that open documents and databases can be encrypted rather than skipped.
The disclosure comes less than two weeks after FireEye disclosed vulnerabilities in SonicWall's Email Security software that were being actively exploited to deploy a web shell for backdoor access to the victim. FireEye is tracking that malicious activity under the moniker UNC2682.