An “aggressive” financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances before the company patched it, using the access to deploy a new strain of ransomware called FIVEHANDS.
The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an “improper SQL command neutralization” flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution.
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant researchers said. “UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
CVE-2021-20016 is the same zero-day that the San Jose-based firm said was exploited by “sophisticated threat actors” to stage a “coordinated attack on its internal systems” earlier this year. On January 22, The Hacker News exclusively revealed that SonicWall had been breached by exploiting…