A hacking team with financial incentives exploited a zero-day vulnerability in the devices SMA 100 Series VPN of SonicWall, aiming to develop a new ransomware known as FiveHands in target networks based in North America and Europe.
The hacking group, which its threat analysts Mandiant they named “UNC2447”, took advantage of vulnerability CVE-2021-20016 to break networks and deploy FiveHands ransomware payloads before releasing patches to end of February.
Before developing ransomware payloads, UNC2447 was also observed to use Cobalt Strike implants to gain perseverance and install one variant of the SombRAT backdoor, malware first detected in the CostaRicto campaign coordinated by a group of mercenary hackers.
The zero-day vulnerability was also exploited in attacks targeting SonicWall's internal systems in January.
The "FiveHands" ransomware being developed in UNC2447 attacks was first observed in the threat landscape in October of 2020. It has several similarities with ransomware “HelloKitty”. The first was used to encrypt its systems CD Project Red, the video game development studio, with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent and an unreleased version of Witcher 3.
This ransomware company has targeted other major companies worldwide, including the Brazilian electricity company "CEMIG" (Minas Gerais Energy Company).
Mandiant noticed that HelloKitty activity slowed down starting in January 2021 when the use of FiveHands in attacks began to increase. In addition, the company estimates that HelloKitty may have been used from May 2020 to December 2020 and FiveHands from about January 2021.
Mandiant has linked the two ransomware not only because of its shared usability, functionality and coding similarities, but also because it spotted a FiveHands ransomware Tor chat earlier this month using HelloKitty favicon.
In report posted on 29 April, Mandiant reported that UNC2447 was making profits from intrusions by blackmailing its victims first with the FiveHands ransomware, and then threatening to make the victims' data available for sale in hacking forums. He also noted that the hacking team has been observed targeting organizations in Europe and North America and has shown that it has advanced capabilities to avoid detection.
In addition, UNC2447 partners have also been observed to be active with Ragnar Locker ransomware in previous attacks.
In March, Mandiant analysts have discovered three more zero-day vulnerabilities in SonicWall products.
These vulnerabilities were exploited by another hacking group - the “UNC2682” For the purpose of installation backdoor in systems with the use of Behinder web shells, but also moving sideways to victims' networks and gaining access to emails and files.
Source of information: bleepingcomputer.com