Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

A zero-day vulnerability addressed by SonicWall in its Secure Mobile Access (SMA) appliances earlier this year was exploited by a sophisticated and aggressive cybercrime group before the vendor released a patch, FireEye’s Mandiant unit reported on Thursday.

A zero-day vulnerability addressed by SonicWall in its Secure Mobile Access (SMA) appliances earlier this year was exploited by a sophisticated and aggressive cybercrime group before the vendor released a patch, FireEye’s Mandiant unit reported on Thursday.

Over the past half a year, a new cybercrime group has been observed using a broad range of malware and employing aggressive tactics to pressure ransomware victims into making payments.

Referred to as UNC2447, the threat actor is financially motivated and has shown advanced capabilities in attacks targeting organizations in Europe and North America, which allowed it to remain undetected. The group has tampered with security tools, firewall rules, and system security settings.

Since November 2020, FireEye reports, the cyber-group has been using malware families and ransomware such as Sombrat, FiveHands (a rewritten variant of the DeathRansom ransomware), the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber, but its activity also shows HelloKitty and RagnarLocker ransomware affiliation.

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye notes.

The group was seen abusing CVE-2021-20016, a critical SQL injection flaw in SonicWall Secure Mobile Access SMA 100 series products, which could allow remote, unauthenticated attackers to access login credentials and session information, to then log into vulnerable appliances.

The existence of the vulnerability came to light in late January, when SonicWall informed customers that its internal systems were targeted in an attack that may have exploited zero-day vulnerabilities in the company’s secure remote access products.

CVE-2021-20016 was patched by SonicWall in early February, but FireEye said UNC2447 had leveraged it in its attacks before the fix was released.

Advertisement. Scroll to continue reading.

Shortly after SonicWall disclosed the breach, some anonymous individuals sent emails to SecurityWeek claiming the company was hit by ransomware and that the attackers had stolen source code and customer data, but none of those claims have been confirmed to date.

As for the malware used by UNC2447, the Sombrat backdoor has been observed in FiveHands ransomware intrusions, suggesting that both are employed by the same adversary. Sombrat was initially detailed in November 2020 as being employed by a potential espionage-for-hire criminal group.

Written in modern C++ and organized as a collection of interoperable plugins, Sombrat can fetch and execute the plugins from the command and control (C&C) server. The backdoor supports dozens of commands, the majority of which enable the threat actor to alter an encrypted storage file and reconfigure the implant.

Capable of evading endpoint detection, the Warprism PowerShell dropper was previously observed delivering Suncrypt, a Cobalt Strike payload, and Mimikatz, and loading payloads directly to memory. The Foxgrabber command line utility can harvest Firefox credentials and was previously seen in Darkside ransomware intrusions. The Cobalt Strike Beacon HTTPSSTAGER implant is employed for persistence, to ensure C&C communication.

Additionally, UNC2447 was observed using a variety of tools during the reconnaissance and exfiltration stages of intrusion, including Adfind, Bloodhound, Mimikatz, PChunter, RClone, RouterScan, S3Browser, Zap, and 7zip.

Written in C++, the FiveHands ransomware appears to be a rewritten variant of DeathRansom, due to numerous similarities, but also shows various similarities with the HelloKitty ransomware, including the fact that all three use the same code to delete volume shadow copies.

“Mandiant observed Sombrat and FiveHands ransomware by the same group since January 2021. While similarities between HelloKitty and FiveHands are notable, ransomware may be used by different groups through underground affiliate programs,” FireEye concludes.

Related: Files on QNAP NAS Devices Encrypted in Qlocker Ransomware Attacks

Related: Cring Ransomware Targets Industrial Organizations

Related: More Ransomware Gangs Targeting Vulnerable Exchange Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.