An “aggressive” financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances before it was patched by the company to deploy a new strain of ransomware called FIVEHANDS.
The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an “improper SQL command neutralization” flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant researchers said. “UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
CVE-2021-20016 is the same zero-day that the San Jose-based company said was exploited by “sophisticated threat actors” to stage a “coordinated attack on its internal systems” earlier this year. On January 22, The Hacker News exclusively revealed that SonicWall had been breached by exploiting “probable zero-day vulnerabilities” in its SMA 100 series remote access devices.
Successful exploitation of the flaw would grant an attacker the ability to access login credentials as well as session information that could then be used to log into a vulnerable, unpatched SMA 100 series appliance.
According to the FireEye-owned subsidiary, the intrusions are said to have occurred in January and February 2021, with the threat actor using malware called SombRAT to deploy the FIVEHANDS ransomware. It is worth noting that SombRAT was discovered in November 2020 by BlackBerry researchers in connection with a campaign called CostaRicto undertaken by a mercenary hacker group.
UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware, before swapping it for FIVEHANDS in January 2021. Incidentally, both ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom.
“Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,” the researchers said.
FIVEHANDS also differs from DeathRansom and HelloKitty in using a memory-only dropper and additional features that allow it to accept command-line arguments and use Windows Restart Manager to close a file currently in use prior to encryption.
The disclosure comes less than two weeks after FireEye disclosed three previously unknown vulnerabilities in SonicWall’s email security software that were actively exploited to deploy a web shell for backdoor access to the victim. FireEye is tracking this malicious activity under the moniker UNC2682.