Identity, Malware, Ransomware, Distributed Workforce

Ransomware group targeted SonicWall vulnerability pre-patch

SonicWall noted that the exploitation targets a known vulnerability that has been patched in newer versions of firmware.  (SonicWall)

A ransomware group caught targeting a recently patched SonicWall vulnerability leveraged that vulnerability before the patch became available, Mandiant reported Thursday.

The vulnerability, a SQL injection bug in SonicWall's SMA-100 series of remote access products, was already used in a headline-grabbing attack. Hackers used the vulnerability as a zero-day to breach SonicWall itself prior to the patch announcement in January. The latest findings show that another group also sought to take advantage.

Mandiant first observed the ransomware group, which Mandiant has dubbed UNC2447, targeting SonicWall SMA-100 customers organizations in the U.S. and Europe. The group uses a combination of SombRAT and a previously uncatalogued variant of the DeathRansom ransomware that Mandiant calls FIVEHANDS.

Mandiant researchers saw the group deploy the FIVEHANDS malware in January; but the group is older, and forensically tied to hacks using newly disclosed dropper WARPRISM and Colbalt Strike Beacon. Mandiant also believes UNC2447 has used Ragnor Locker ransomware in the past.

FIVEHANDS appears to be affiliate ransomware, wrote Mandiant, the successor to another rewrite of DeathRansom known as HelloKitty. The HelloKitty ransomware was most famously used to hold up games designer CD Projekt Red. FIVEHANDS improves on its predecessors by using a new, memory-only dropper and applying encryption to a wider array of file types.

Since the ransomware is being used in affiliate programs, other groups may be using it as well.

SombRAT was first identified by Blackberry Cylance in the CostaRicto campagn the vendor believed may (or may not) be espionage for hire.

The SonicWall vulnerability affected the 10.x firmware up until the January 23 update to 10.2.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.