Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks (Security News, May 2021)
An "aggressive" financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances, before the vendor patched it, to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw (an SQL injection) in the SSL-VPN SMA100 product that allows an unauthenticated attacker to achieve remote code execution.
"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers said.
According to Mandiant, at the time a FireEye subsidiary, the intrusions occurred in January and February 2021, with the threat actor using a malware called SombRAT to deploy the FIVEHANDS ransomware.
UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020, initially compromising targets with HelloKitty ransomware, before swapping it for FIVEHANDS in January 2021.
Both ransomware strains, written in C++, are rewrites of another ransomware family called DeathRansom.
"Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said.