Tyler McLellan, principal threat analyst for advanced practices at Mandiant, says the company is unsure about how many SonicWall VPN devices remain unpatched against CVE-2021-20016, a critical SQL injection vulnerability in SonicWall's Secure Mobile Access (SMA) 100 series remote access products. SonicWall issued a patch for the flaw, which is the one that UNC2447 is targeting, in February 2021. "While we don't have numbers on unpatched devices, Mandiant is aware that UNC2447-related threat actors are still in possession of credentials stolen from over 100 VPN appliances," McLellan says. "These affected organizations will remain at risk of ransomware attack even if patched, unless they enable multifactor authentication or reset all passwords."
Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February.
According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) prior to a patch being available. The group leveraged this exploit as a foothold in order to deploy the previously-discovered SombRAT malware, as well as FiveHands.
“UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant.
UNC2447 (“UNC” being FireEye’s designation for uncategorized threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group
SonicWall Patches 3 Zero-Day Flaws
SonicWall's headquarters in Milpitas, California (Photo: Arc Tec Inc.)
SonicWall has patched three zero-day vulnerabilities in the hosted and on-premises versions of its Email Security product after attackers began exploiting them last month.
FireEye Mandiant, which uncovered the flaws, says it has seen attackers using the three vulnerabilities to place web shells, or remote access scripts, on systems. That access can then be used to read an organization's email, FireEye says in a blog post. The attackers can also use that access to pivot further into victims' systems, often referred to as lateral movement, the security firm adds.
By Eduard Kovacs on April 21, 2021
SonicWall’s Email Security product is affected by three vulnerabilities that have been exploited in attacks. It took the vendor roughly two weeks to start releasing patches, but a public warning about active exploitation came only 25 days after it learned about the attacks.
FireEye, whose incident response unit Mandiant spotted the vulnerabilities and their active exploitation in March, warned on Tuesday that a threat actor had been observed exploiting the SonicWall Email Security flaws to install backdoors, access emails and files, and move laterally in the victim’s network.
For the time being, FireEye hasn’t been able to definitively link the attackers to any previously known group, so it’s tracking the threat actor as UNC2682 (UNC stands for “uncategorized”). The company did note that the hackers appeared to have “intimate knowledge” of how the SonicWall product works.