New FiveHands Ransomware Deploy Into SonicWall Internal System

Earlier this year, money-oriented cybercriminals leveraged a zero-day vulnerability that has been introduced by SonicWall in its Secure Mobile Access (SMA) 100 Series VPN appliances to install advanced ransomware studied as FiveHands, victims are reported to be North American and European networks. 

The operation was traced by FireEye’s Mandiant cyber analysts as “UNC2447’’. Analysts unit has informed that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and further install FiveHands ransomware payloads before the vendor released patches in late February 2021. Further, the report also reads that the threat actor poses advanced skills in exploiting networks. 

Additionally, over the past half a year, a brand new cyber hacker group has been noticed to be exploiting a wide range of malware and creating pressure on ransomware victims into making payments. 

Previously in similar contexts, FireEye reported that the cyber attackers have been deploying ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber, additionally the new ransomware’s actions also demonstrated signs of RagnarLocker and HelloKitty ransomware affiliation. 

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group deployed a critical SQL injection flaw in SonicWall SMA100 series devices, which will give remote access to attackers and further, access to login credentials, session information, and other vulnerable appliances. 

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company’s internal system has been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company’s secure remote access devices. CVE-2021-20016 was patched in February 2021 by SonicWall, however, FireEye reported that UNC2447 had exploited it before the patch was released. 

“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant further added in a report published today.