Fraud Management & Cybercrime , Governance & Risk Management , Patch Management

Ransomware Gang Exploits SonicWall Zero-Day Flaw

FireEye: Attacks Happened Before Patch Issued for VPN Vulnerability
Ransomware Gang Exploits SonicWall Zero-Day Flaw

A cyberthreat gang that's been active since 2020 exploited a now-patched zero-day vulnerability in the SonicWall SMA 100 Series appliance to plant ransomware in attacks launched earlier this year, FireEye Mandiant researchers say.

See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive

The group, which FireEye calls UNC2447, exploited the vulnerability, tracked as CVE-2021-20016, to install the Sombrat backdoor and then a new ransomware variant the researchers dubbed "Fivehands." The gang encrypted and exfiltrated data, demanding a ransom in return for a decryptor and for refraining from exposing or selling the data.

"UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics," say FireEye researchers Tyler McLellan, Justin Moore and Raymond Leong.

FireEye observed the attack group using Fivehands and Sombrat in extortion incidents during January and February. The group has mainly targeted small and midsized businesses in the telecommunications, healthcare, construction, engineering, food and beverage, education, real estate and other sectors, researchers say.

The researchers suspect more than 100 victims may have been targeted by exploits of the unpatched CVE-2021-20016 vulnerability by various groups, FireEye says. The researchers say UNC2477 may be working with other affiliated groups that have exploited the SonicWall vulnerability but have not implanted ransomware.

The SonicWall Flaw

CVE-2021-20016 is an SQL injection vulnerability in SonicWall's SMA100 VPN that, if exploited, allows a remote unauthenticated attacker to perform a SQL query to access usernames, passwords and other session-related information. This vulnerability affects SMA100 build version 10.x, FireEye says.

"As a result of our collaboration with third-party analysts, SonicWall investigated, verified and patched the mentioned SMA 100 vulnerabilities in February 2021," SonicWall says. "This entire process, coupled with upgrade and mitigation guidance, was carefully and consistently communicated to our global partners and customers."

This flaw is unrelated to the three zero-day vulnerabilities in the hosted and on-premises versions of SonicWall's Email Security product that attackers began exploiting last month. The company has since patched those flaws (see: SonicWall Patches 3 Zero-Day Flaws).

UNC2477

FireEye first spotted the attack group it calls UNC2477 in November 2020. At that time, it was distributing the HelloKitty ransomware variant. FireEye believes it switched to Fivehands in January.

UNC2477 and other groups used HelloKitty ransomware and exploited CVE-2021-20016 to obtain information. So these groups may be collaborating, FireEye says.

Organizations that have patched the SonicWall VPN flaw "could still be at risk of future attacks using previously stolen credentials," FireEye's McLellan warns. "Organizations using SMA 100 series VPN products should consider enabling multifactor authentication or resetting all passwords."

Users of the VPN also should consider an organizationwide password reset, check logs for logins from suspicious IP addresses, such as Tor, and review network logs for the Beacon and Sombrat infrastructure, McLellan says.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.