Hackers used SonicWall zero-day flaw to plant ransomware

Ransomware group UNC2447 used an SQL injection bug to attack US and European orgs

Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.

Related Resource

The business guide to ransomware

Everything you need to know to keep your company afloat

The business guide to ransomware - whitepaper from DattoDownload now

According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, who Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.

Hackers deployed the malware as early as January this year along with Sombrat malware at multiple victims that were extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.

“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” the researchers said.

Researchers said FiveHands is suspected to be affiliate ransomware and the successor to another variant of DeathRansom called HelloKitty. The HelloKitty ransomware has been used to hold games firm CD Projekt Red to ransom. They added that they observed a private FiveHands Tor chat earlier this month using a Hello Kitty favicon.

The new FiveHands malware improves on HelloKitty and DeathRansom by using a memory-only dropper and encryption on more files and folders. The malware can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted."

The exploit the ransomware uses is CVE-2021-20016, a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products. Researchers said this flaw allows a remote, unauthenticated attacker to submit a specially crafted query to exploit the vulnerability.

“Successful exploitation would grant an attacker the ability to access login credentials (username, password) as well as session information that could then be used to log into a vulnerable unpatched SMA 100 series appliance,” said researchers

This vulnerability only impacted the SMA 100 series and was patched by SonicWall in February 2021.

The hackers make money from intrusions by extorting their victims first with FiveHands ransomware. That is “followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” according to researchers.

"UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."

Researchers said while similarities between HelloKitty and FiveHands are notable, different groups may use ransomware through underground affiliate programs.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
Chipotle’s marketing email hacked to send phishing emails
phishing

Chipotle’s marketing email hacked to send phishing emails

29 Jul 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021
Colonial Pipeline hack spurred copycat attacks on other oil and gas companies
hacking

Colonial Pipeline hack spurred copycat attacks on other oil and gas companies

29 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021