New ransomware group uses SonicWall zero-day to breach networks

A financially motivated threat actor exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.

The group, tracked by Mandiant threat analysts as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021.

Before deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants to gain persistence and installing a SombRAT backdoor variant, malware first observed in the CostaRicto campaign coordinated by a group of mercenary hackers.

The zero-day was also exploited in attacks targeting SonicWall's internal systems in January and later abused indiscriminately in the wild.

Undercover HelloKitty

The FiveHands ransomware deployed in UNC2447 attacks was first observed in the wild in October 2020.

It is very similar to HelloKitty ransomware, both of them rewrites of DeathRansom ransomware.

HelloKitty was used to encrypt the systems of video game development studio CD Projekt Red [1, 2], with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3.

This ransomware operation has also targeted other large companies worldwide, including Brazilian energy company CEMIG (Companhia Energética de Minas Gerais).

As found by Mandiant, HelloKitty activity slowly dwindled starting in January 2021, when FiveHands usage in attacks began to pick up.

"Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said.

Besides their shared features, functionality, and coding similarities, the two malware strains were also linked by Mandiant earlier this month after it observed a FiveHands ransomware Tor chat using a HelloKitty favicon.

FiveHands ransomware Tor chat (Mandiant)

BleepingComputer reported earlier today on the Whistler resort municipality being hit by a new ransomware operation using a very similar Tor site, but it is not clear whether there are any links to the FiveHands ransomware operation.

FiveHands also has additional functionality since, unlike HelloKitty and DeathRansom, it can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted."

It further differs by using different embedded encryption libraries, a memory-only dropper, and asynchronous I/O requests, none of which are present in the two other ransomware strains in its family.

Feature comparison (Image: Mandiant)

Ragnar Locker ransomware also deployed by UNC2447 affiliates

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant added in a report published today.

"UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."

Mandiant says that UNC2447 affiliates have also been observed deploying Ragnar Locker ransomware in earlier attacks.

In March, Mandiant analysts found three more zero-day vulnerabilities in SonicWall's on-premises and hosted Email Security (ES) products.

These zero-days were also actively exploited by another group, tracked as UNC2682, to backdoor systems using BEHINDER web shells, move laterally through the victims' networks, and gain access to emails and files.
