FiveHands Ransomware seen exploiting SonicWall Zero-Day
Written by Karolis Liucveikis on
A financially motivated threat actor has been seen exploiting a zero-day bug in SonicWall SMA 100 Series VPN appliances. This is done to gain initial access to enterprise networks so that the threat actors can deploy a newly discovered ransomware strain, known as FiveHands. So far victims include organizations located in Europe and North America. The ransomware itself has several similarities to both the HelloKitty and the DeathRansom ransomware strains. Researchers believe that FiveHands is best described as a novel rewrite of DeathRansom. That being said it does have several differences, more on both the similarities and the differences to come below.
The financially motivated group behind the attack is tracked by FireEye as UNC2447. In a recently published report detailing how UNC2447 exploited the SonicWall vulnerability, it was noted that the threat actor had been seen distributing the malware in January and February 2021. Summarizing the group's tactics, researchers noted,
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics…Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware. Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021.”
The vulnerability that is being exploited by the group is tracked as CVE--2021-20016 which is best described as a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products.
If properly exploited an attacker can remotely bypass authentication and submit a specially crafted query. The query could then grant the attacker the ability to access login credentials, session information that could then be used to log into a vulnerable and unpatched SMA 100 series appliances. It is important to note that the flaw only impacts SMA 100 Series VPN appliances and that the flaw was patched by SonicWall in February 2021. It is advised that users of the above-mentioned VPN appliance ensure that the patch is installed.
It was not just FiveHands that would be delivered as a malicious payload, but UNC2447 would also drop Sombrat which was seen previously been used in the CostaRico campaign where cyber-espionage was carried out by a third-party on behalf of a threat actor. Sombrat acts as a remote access trojan which is used by threat actors to communicate with command-and-control servers used during attacks. The malware can communicate with command-and-control servers over several protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets.
Further, many of the commands seen used by the malware enable the operator to manipulate an encrypted storage file then reconfigure the implant. The backdoor's primary purpose is to download and execute plugins provided via the command-and-control server. In the latest version of Sombrat used in the FiveHands attacks, FireEye observed additional obfuscation and armoring to evade detection. This led researchers to conclude that the Sombrat variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines.
It was in October 2020, that FireEye researchers discovered a customized version of DeathRansom. The customized version removed the language check feature. This would prompt more in-depth analysis to be conducted. More similarities between the new customized version and DeathRansom and another ransomware reportedly based on DeathRansom, HelloKitty were found. HelloKitty is perhaps best known for being the ransomware used to attack Polish game developers CD ProkejtRed, who had recently released Cyberpunk 2077 at the time.
One of the biggest similarities between the three is how they all delete shadow copies. All three use the same code via WMI by performing the query select * from Win32_ShadowCopy and then deleting each instance returned by its id. All three also have similar encryption routines, using both an asymmetric public key that is either generated or hardcoded, and a symmetric key generated for each encrypted file. FireEye researchers provided a summary of each strain, stating:
- DeathRansom: “is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do/while loops to enumerate through network resources, logical drives, and directories. It also uses QueueUserWorkItem to implement thread pooling for its file encryption threads.”
- HelloKitty: “is written in C++, but reimplements a significant portion of DEATHRANSOM's functionality using similar loop operations and thread pooling via QueueUserWorkItem. The code structure to enumerate network resources, logical drives, and perform file encryption is very similar. Additionally, HELLOKITTY and DEATHRANSOM share very similar functions to check for the completion status of their encryption threads before exiting.”
- FiveHands: “is written in C++ and although high level functionality is similar, the function calls and code structure to implement the majority of the functionality is written differently. Also, instead of executing threads using QueueUserWorkItem, FIVEHANDS uses IoCompletionPorts to more efficiently manage its encryption threads. FIVEHANDS also uses more functionality from the C++ standard template library (STL) than does HELLOKITTY.”
One of the significant changes to FiveHands is that it makes use of an encrypted dropper that is run from memory. Once the dropper receives the correct key it will drop the malicious encryption payload onto the victim’s machine. The payload is stored and encrypted with AES-128. The decrypted FiveHands payload is immediately executed after decryption. According to FireEye, the security firm has only observed encrypted droppers with a common imphash of 8517cf209c905e801241690648f36a97. For more differences, it is recommended that those interested read FireEye’s analysis which goes into far greater detail than this article can. FireEye researchers concluded,
“Mandiant observed SOMBRAT and FIVEHANDS ransomware by the same group since January 2021. While similarities between HELLOKITTY and FIVEHANDS are notable, ransomware may be used by different groups through underground affiliate programs. Mandiant will assign an uncategorized cluster based on multiple factors including infrastructure used during intrusions and as such, not all SOMBRAT or FIVEHANDS ransomware intrusions may have been conducted by UNC2447. WARPRISM and FOXGRABBER have been used in SUNCRYPT and DARKSIDE ransomware demonstrating additional complexity and sharing between different ransomware affiliate programs.”
Whistler Ransomware Incident
The popular resort in Canada, Whistler, appears to have suffered a ransomware incident. According to Bleeping Computer, the popular winter sports retreat suffered an attack forcing the municipality to halt several online services and in-person meetings. The Municipality stated,
“April 28, 2021: Whistler, B.C. – The Resort Municipality of Whistler (RMOW) has temporarily suspended all online and some in-person services as a precautionary measure due to a cybersecurity incident… This means RMOW email, phones, network services, and website are currently unavailable. In-person service at the municipal hall has also been temporarily suspended. We apologize for this inconvenience and will provide an update when we are able to return those services," the Whistler.ca website previously announced,”
It is believed that the attack was carried out by a new ransomware operation. In Bleeping Computers coverage of the FiveHands discovery, it was noted that the Tor website discovered by FireEye and the one used in the Whistler attack is similar. This has prompted some to believe that they are related or perhaps even carried out by the same threat actor. As of yet, it is too early to link the two incidents until more evidence comes to light. If they are linked, stranger things occur within InfoSec. FiveHands has been seen to target North American organizations so if the incident is linked to UNC2447, which FireEye believes strongly is behind FiveHands, very few people will be surprised.
▼ Show Discussion