2021 Ransomware Quarterly Index Update is here!

FiveHands Ransomware Analysis: Can a Risk-Based Approach Help Prevent Future Attacks?

Posted on 4th Jun, 2021 | By Priya Ravindran

Did you know FiveHands Ransomware is using the same tactics as the DarkSide group?


Early this year, threat actors exploited a vulnerability (CVE-2021-20016) even before the vendor could publish it on the National Vulnerability Database (NVD) and attacked an organization and stole information. A new ransomware family, FiveHands, played a major role in the exploit.

With attackers rapidly weaponizing vulnerabilities, organizations that depend on the NVD to manage their prioritization and patching cadence are likely to be adversely affected. 

The FiveHands ransomware group used publicly available tools to unobtrusively penetrate weak points and access credentials. Researchers have found that the tactics employed by the group are similar to the methods used by the DarkSide group, namely, encrypting a target’s data, stealing some of it, and threatening to leak the same online if the ransom is not paid. 


Vulnerability Analysis of CVE exploited by FiveHands Ransomware Group


It has been found that a security flaw in SonicWall Virtual Private Network (VPN) SMA100 served as the first attack vector. This allowed the attackers behind FiveHands to infiltrate internal systems by submitting a specially crafted query. The attack occurred within a few days of the CVE becoming publicly available in the NVD.

 

A Timeline Analysis of CVE-2021-20016

Vendor publishes CVE January 23, 2021
Ransomware exploits CVE Between January 23 and February 3, 2021
Patch releases for CVE February 3, 2021
NVD publishes CVE February 4, 2021
CVE starts trending May 2021

 

We analyzed the exploited SonicWall loophole and have outlined our findings below. 

  • CVE-2021-20016 was an SQL injection vulnerability in the SonicWall Secure Mobile Access (SMA) 100 Series VPN appliance.
  • The CVE has been marked as a critical vulnerability with a CVSS V3 score of 9.8.
  • It is categorized under CWE-89 - a weakness category that could result in the misuse of sensitive data in the SQL database. Incidentally, CWE-89 ranks sixth among the top 25 dangerous software weaknesses released by MITRE.
  • The vulnerability was seen across six products from SonicWall:
    • SMA 100 firmware
    • SMA 200 firmware
    • SMA 210 firmware
    • SMA 400 firmware
    • SMA 410 firmware
    • SMA 500V
  • A patch has been available since February 3, 2021 and yet we found that the CVE is still trending, highlighting the fact that organizations are not prioritizing weaknesses based on their threat context. 
  • Researchers tracked the group behind FiveHands as UNC2447, an uncategorized Advanced Persistent Threat (APT) group. Only ongoing research will reveal if FiveHands is an existing APT group or a new find altogether.

Incidentally, the CVE-2021-20016 used by FiveHands was also exploited in the recent Colonial Pipeline attack by the DarkSide ransomware group in May 2021.


Attack Methodology


The ransomware intrusions in the SonicWall attack leveraged a combination of testing and exploitation tools to steal data and encrypt files. The attackers demanded a ransom, failing which the stolen data was to be leaked on hacker forums.

  • A PowerShell dropper, Warprism, was used to discreetly gain initial access into the application.
  • A command-line utility tool, Foxgrabber, was used to extract user credentials from remote systems.
  • A Cobalt Strike payload, the Beacon HTTPS Stager, was deployed to command and control the compromised host using HTTPS protocol.
  • The components of UNC2447 toolbox were utilized to manipulate Windows security settings, firewall rules, and antivirus protection.
  • Finally, the payload was introduced directly into memory via a SombRAT remote access trojan, providing for file obfuscation and arbitrary code execution.


Sectors Impacted 


Companies from multiple industrial sectors have been affected by FiveHands Ransomware. Primarily, these attacks have been observed in healthcare, telecommunications, construction, engineering, education, real estate, and food and beverage organizations.

 

Geographically, the threat group behind the attacks has been observed focusing on organizations across Europe and North America, and more recently the US and Japan. 

Predicting potentially dangerous consequences, the Cybersecuirty and Infrastructure Security Agency (CISA) issued an alert on May 6, 2021 declaring the FiveHands ransomware variant as a cause for concern.

 

FiveHands MITRE ATT&CK Mapping

 

MITRE ATT&CK IOC
T1190 - Exploit Public-Facing Application
TA0007 - Discovery
T1046 - Network Service Scanning

MD5 Hashes:

1a79b6d169aac719c9323bc3ee4a8361
1b0b9e4cddcbcb02affe9c8124855e58
22d35005e926fe29379cb07b810a6075
39ea2394a6e6c39c5d7722dc996daf05
46ecc24ef6d20f3eaf71ff37610d57d1
57824214710bc0cdb22463571a72afd0
6c849920155f48d4b4aafce0fc49eb5b
87c0b190e3b4ab9214e10a2d1c182153
a64d79eba40229ae9aaebbd73938b985
c095498fc44d680ad8b4efeb014d339f
f568229e696c0e82abb35ec73d162d5e

SHA256 Hashes:

2703aba98d6ecf0bf0b5aafe70edc4bc14d223a11021990bfb10acf5641d3a12
 


 
A Risk-Based Approach to Ransomware 

Ransomware attacks are on the rise and the attack methods are constantly evolving. As evident from the recent SonicWall VPN and Colonial Pipeline attacks, threat actors have begun exploiting yet to be published zero-day vulnerabilities. Huge ransomware payouts are emboldening attackers to target critical entities. Organizations need to adopt a risk-based approach to continuously identify, prioritize, and remediate vulnerabilities immediately.

 

To implement this approach, organizations need to be supported by an Attack Surface Management (ASM) solution that provides timely updates and accurate threat context on currently trending vulnerabilities. 

 

Concerned about being targeted by ransomware attacks?  

Get in touch with us for a Ransomware Assessment.

 

CSW’s Ransomware Assessment is powered by Vulnerability Intelligence (VI), a dynamic and current single source of truth that looks beyond the NVD to collate a comprehensive list of vulnerabilities and associated ransomware. Backed by this database, CSW helps organizations prioritize vulnerabilities and provides a threat context to their risks.


 

Test your defense to know how secure you are…