FireEye: Attacks Happened Before Patch Issued for VPN Vulnerability
A cyberthreat gang that’s been active since 2020 exploited a now-patched zero-day vulnerability in the SonicWall SMA 100 Series appliance to plant ransomware in attacks launched earlier this year, FireEye Mandiant researchers say.
The group, which FireEye calls UNC2447, exploited the vulnerability, tracked as CVE-2021-20016, to install the Sombrat backdoor and then a new ransomware variant the researchers dubbed “Fivehands.” The gang encrypted and exfiltrated data, demanding a ransom in return for a decryptor and for refraining from exposing or selling the data.
“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics,” say FireEye researchers Tyler McLellan, Justin Moore and Raymond Leong.
FireEye observed the attack group using Fivehands and Sombrat in extortion incidents during January and February. The group has mainly targeted small and midsized businesses in the telecommunications, healthcare, construction, engineering, food and beverage, education, real estate and other sectors, researchers say.
The researchers suspect more than 100 victims may have been targeted by exploits of the unpatched CVE-2021-20016 vulnerability by various groups, FireEye says. The researchers say UNC2477 may be working with other affiliated groups that have exploited the SonicWall vulnerability but have not implanted ransomware.
The SonicWall Flaw
CVE-2021-20016 is an SQL injection vulnerability in SonicWall’s SMA100 VPN that, if exploited, allows a remote unauthenticated attacker to perform a SQL query to access usernames, passwords and other session-related information. This vulnerability affects SMA100 build version 10.x, FireEye says.
“As a result of our collaboration with third-party analysts, SonicWall investigated, verified and patched the mentioned SMA 100 vulnerabilities in February 2021,” SonicWall says. “This entire process, coupled with upgrade and mitigation guidance, was carefully and consistently communicated to our global partners and customers.”
This flaw is unrelated to the three zero-day vulnerabilities in the hosted and on-premises versions of SonicWall’s Email Security product that attackers began exploiting last month. The company has since patched those flaws (see: SonicWall Patches 3 Zero-Day Flaws).
FireEye first spotted the attack group it calls UNC2477 in November 2020. At that time, it was distributing the HelloKitty ransomware variant. FireEye believes it switched to Fivehands in January.
UNC2477 and other groups used HelloKitty ransomware and exploited CVE-2021-20016 to obtain information. So these groups may be collaborating, FireEye says.
Organizations that have patched the SonicWall VPN flaw “could still be at risk of future attacks using previously stolen credentials,” FireEye’s McLellan warns. “Organizations using SMA 100 series VPN products should consider enabling multifactor authentication or resetting all passwords.”
Users of the VPN also should consider an organizationwide password reset, check logs for logins from suspicious IP addresses, such as Tor, and review network logs for the Beacon and Sombrat infrastructure, McLellan says.