Ransomware group targeted SonicWall vulnerability pre-patch
A ransomware group exploited a recently patched SonicWall vulnerability before the patch was released, Mandiant reported on Thursday.
The vulnerability, a SQL injection bug in SonicWall's SMA-100 series of remote access appliances, had already been used in an attack that made headlines: hackers exploited it as a zero day to breach SonicWall itself before the patch was announced in January. The latest findings show that a second group has also sought to take advantage of it.
Mandiant first observed the ransomware cluster, which it dubbed UNC2447, targeting SonicWall SMA-100 customer organizations in the United States and Europe. The group uses a combination of the SombRAT backdoor and a previously uncatalogued variant of the DeathRansom ransomware that Mandiant calls FIVEHANDS.
Mandiant researchers saw the group deploy FIVEHANDS in January, but the group is older and is loosely linked to intrusions that used the new WARPRISM dropper and Cobalt Strike Beacon. Mandiant also believes UNC2447 has used Ragnar Locker ransomware in the past.
FIVEHANDS appears to be affiliate-based ransomware, Mandiant wrote, and the successor to another DeathRansom rewrite known as HelloKitty. HelloKitty was most famously used in the attack that held game developer CD Projekt Red to ransom. FIVEHANDS improves upon its predecessors by using a new memory-only dropper and encrypting a wider range of file types.
Because the ransomware is distributed through an affiliate program, other groups may use it as well.
SombRAT was first identified by BlackBerry Cylance in the CostaRicto campaign, which the vendor suspected was a hack-for-hire espionage operation.
According to the report, the SonicWall vulnerability affected SMA-100 firmware 10.x until the January 23 update to version 10.2; administrators running 10.x firmware who did not apply that update remained exposed.