An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS.

The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers said. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."


CVE-2021-20016 is the same zero-day that the San Jose-based firm said was exploited by "sophisticated threat actors" to stage a "coordinated attack on its internal systems" earlier this year. On January 22, The Hacker News exclusively revealed that SonicWall had been breached by exploiting "probable zero-day vulnerabilities" in its SMA 100 series remote access devices.

Successful exploitation of the flaw would grant an attacker the ability to access login credentials as well as session information that could then be used to log into a vulnerable unpatched SMA 100 series appliance.

According to the FireEye-owned subsidiary, the intrusions are said to have occurred in January and February 2021, with the threat actor using a malware called SombRAT to deploy the FIVEHANDS ransomware. It's worth noting that SombRAT was discovered in November 2020 by BlackBerry researchers in conjunction with a campaign called CostaRicto undertaken by a mercenary hacker group.


UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware, before swapping it for FIVEHANDS in January 2021. Incidentally, both the ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom.

"Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said.

FIVEHANDS also differs from DeathRansom and HelloKitty in the use of a memory-only dropper and additional features that allow it to accept command-line arguments and utilize Windows Restart Manager to close a file currently in use prior to encryption.

The disclosure comes less than two weeks after FireEye divulged three previously unknown vulnerabilities in SonicWall's email security software that were actively exploited to deploy a web shell for backdoor access to the victim. FireEye is tracking this malicious activity under the moniker UNC2682.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.