SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

A zero-day vulnerability addressed by SonicWall in its Secure Mobile Access (SMA) appliances earlier this year was exploited by a sophisticated and aggressive cybercrime group before the vendor released a patch, FireEye’s Mandiant unit reported on Thursday.

Over the past half a year, a new cybercrime group has been observed using a broad range of malware and employing aggressive tactics to pressure ransomware victims into making payments.

Referred to as UNC2447, the threat actor is financially motivated and has shown advanced capabilities in attacks targeting organizations in Europe and North America, which allowed it to remain undetected. The group has tampered with security tools, firewall rules, and system security settings.

Since November 2020, FireEye reports, the cyber-group has been using malware families and ransomware such as Sombrat, FiveHands (a rewritten variant of the DeathRansom ransomware), the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber, but its activity also shows HelloKitty and RagnarLocker ransomware affiliation.

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye notes.

The group was seen abusing CVE-2021-20016, a critical SQL injection flaw in SonicWall Secure Mobile Access SMA 100 series products, which could allow remote, unauthenticated attackers to access login credentials and session information, to then log into vulnerable appliances.

The existence of the vulnerability came to light in late January, when SonicWall informed customers that its internal systems were targeted in an attack that may have exploited zero-day vulnerabilities in the company’s secure remote access products.

CVE-2021-20016 was patched by SonicWall in early February, but FireEye said UNC2447 had leveraged it in its attacks before the fix was released.

Shortly after SonicWall disclosed the breach, some anonymous individuals sent emails to SecurityWeek claiming the company was hit by ransomware and that the attackers had stolen source code and customer data, but none of those claims have been confirmed to date.

As for the malware used by UNC2447, the Sombrat backdoor has been observed in FiveHands ransomware intrusions, suggesting that both are employed by the same adversary. Sombrat was initially detailed in November 2020 as being employed by a potential espionage-for-hire criminal group.

Written in modern C++ and organized as a collection of interoperable plugins, Sombrat can fetch and execute the plugins from the command and control (C&C) server. The backdoor supports dozens of commands, the majority of which enable the threat actor to alter an encrypted storage file and reconfigure the implant.

Capable of evading endpoint detection, the Warprism PowerShell dropper was previously observed delivering Suncrypt, a Cobalt Strike payload, and Mimikatz, and loading payloads directly to memory. The Foxgrabber command line utility can harvest Firefox credentials and was previously seen in Darkside ransomware intrusions. The Cobalt Strike Beacon HTTPSSTAGER implant is employed for persistence, to ensure C&C communication.

Additionally, UNC2447 was observed using a variety of tools during the reconnaissance and exfiltration stages of intrusion, including Adfind, Bloodhound, Mimikatz, PChunter, RClone, RouterScan, S3Browser, Zap, and 7zip.

Written in C++, the FiveHands ransomware appears to be a rewritten variant of DeathRansom, due to numerous similarities, but also shows various similarities with the HelloKitty ransomware, including the fact that all three use the same code to delete volume shadow copies.

“Mandiant observed Sombrat and FiveHands ransomware by the same group since January 2021. While similarities between HelloKitty and FiveHands are notable, ransomware may be used by different groups through underground affiliate programs,” FireEye concludes.