UNC2447 cybercrime gang exploited SonicWall Zero-Day before it was fixed

Pierluigi Paganini April 30, 2021

UNC2447 cybercrime gang exploited a zero-day in the Secure Mobile Access (SMA), addressed by SonicWall earlier this year, before the vendor released a fix.

Researchers from FireEye’s Mandiant revealed that a sophisticated cybercrime gang tracked as UNC2447 has exploited a zero-day issue (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) devices, fixed earlier this year, before the vendor addressed it.

The UNC2447 gang targeted organizations in Europe and North America using a broad range of malware over the past months.

“Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.” reads the analysis published by FireEye.

The malware employed by the group since November 2020, includes Sombrat, FiveHands, the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber. UNC2447 extortion activity employed the FIVEHANDS ransomware, the threat actors aggressively threatened victims to disclose their hack on the media to sell the data on hacker forums. 

Researchers linked the Sombrat malware to ransomware that was not previously publicly reported. In most recent attacks the group also used HelloKitty and RagnarLocker ransomware.

“In January and February 2021, Mandiant Consulting observed a novel rewrite of DEATHRANSOM—dubbed FIVEHANDS—along with SOMBRAT at multiple victims that were extorted. During one of the ransomware intrusions, the same WARPRISM and BEACON samples previously clustered under UNC2447 were observed. Mandiant was able to forensically link the use of WARPRISM, BEACON, SOMBRAT and FIVEHANDS to the same actor.” continues the report.

“Mandiant suspects that HELLOKITTY activity in late-2020 may be related to the overall affiliate program and that usage shifted to FIVEHANDS ransomware beginning in January 2021.”

The level of sophistication of its operations allowed the financially motivated group to fly under the radar for months.

The group was spotted exploiting the CVE-2021-20016 zero-day, before it was addressed by the vendor.

The critical CVE-2021-20016 flaw could be exploited by a remote, unauthenticated attacker for credential access on SMA100 build version 10.x, it results in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product.

FireEye experts pointed out that the flaw was publicly disclosed after the SonicWall hack that took place in January, and a first patch was released by the vendor in February. The researchers revealed that UNC2447 was exploiting the issue before a security patch was released.

FireEye experts provided a technical analysis of the Sombrat backdoor used by the group in its attack. Sombrat is written in modern C++ implements a modular structure through a set of plugins that are downloaded from the C2. The backdoor supports dozens of commands, most of them allows the threat actors to manipulate an encrypted storage file and reconfigure the implant.

The list of tools in the UNC2447’s arsenal used for reconnaissance and data exfiltration includes Adfind, Bloodhound, Mimikatz, PChunter, RClone, RouterScan, S3Browser, Zap, and 7zip.

“Mandiant observed SOMBRAT and FIVEHANDS ransomware by the same group since January 2021. While similarities between HELLOKITTY and FIVEHANDS are notable, ransomware may be used by different groups through underground affiliate programs.” concludes the report. “Mandiant will assign an uncategorized cluster based on multiple factors including infrastructure used during intrusions and as such, not all SOMBRAT or FIVEHANDS ransomware intrusions may have been conducted by UNC2447. WARPRISM and FOXGRABBER have been used in SUNCRYPT and DARKSIDE ransomware demonstrating additional complexity and sharing between different ransomware affiliate programs.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UNC2447)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment