FiveHands Ransomware Analysis: Can a Risk-Based Approach Help Prevent Future Attacks?
Priya Ravindran
Securin Team
Jun 4, 2021
Did you know FiveHands Ransomware is using the same tactics as the DarkSide group?
Early this year, threat actors exploited a vulnerability (CVE-2021-20016) even before the vendor's CVE entry had been published in the National Vulnerability Database (NVD), attacking an organization and stealing information. A new ransomware family, FiveHands, played a major role in the attack.
The FiveHands ransomware group used publicly available tools to unobtrusively penetrate weak points and harvest credentials. Researchers have found that the tactics employed by the group are similar to the methods used by the DarkSide group, namely, encrypting a target's data, stealing some of it, and threatening to leak it online if the ransom is not paid.
Vulnerability Analysis of CVE exploited by FiveHands Ransomware Group
It has been found that a security flaw in SonicWall Virtual Private Network (VPN) SMA100 served as the first attack vector. This allowed the attackers behind FiveHands to infiltrate internal systems by submitting a specially crafted query. The attack occurred within a few days of the CVE becoming publicly available in the NVD.
A Timeline Analysis of CVE-2021-20016
Vendor publishes CVE: January 23, 2021
Ransomware exploits CVE: between January 23 and February 3, 2021
Patch released for CVE: February 3, 2021
NVD publishes CVE: February 4, 2021
CVE starts trending: May 2021
We analyzed the exploited SonicWall loophole and have outlined our findings below.
CVE-2021-20016 was an SQL injection vulnerability in the SonicWall Secure Mobile Access (SMA) 100 Series VPN appliance.
The CVE has been marked as a critical vulnerability with a CVSS V3 score of 9.8.
It is categorized under CWE-89 (SQL injection), a weakness category in which untrusted input reaches an SQL query and can expose or manipulate sensitive data in the database. Incidentally, CWE-89 ranks sixth among the top 25 most dangerous software weaknesses released by MITRE.
The vulnerability was seen across six products from SonicWall:
A patch has been available since February 3, 2021 and yet we found that the CVE is still trending, highlighting the fact that organizations are not prioritizing weaknesses based on their threat context.
Researchers tracked the group behind FiveHands as UNC2447, an uncategorized Advanced Persistent Threat (APT) group. Only ongoing research will reveal if FiveHands is an existing APT group or a new find altogether.
Attack Methodology
The ransomware intrusions in the SonicWall attack leveraged a combination of testing and exploitation tools to steal data and encrypt files. The attackers demanded a ransom, failing which the stolen data was to be leaked on hacker forums.
A PowerShell dropper, Warprism, was used to discreetly gain initial access into the application.
A command-line utility tool, Foxgrabber, was used to extract user credentials from remote systems.
A Cobalt Strike payload, the Beacon HTTPS Stager, was deployed to command and control the compromised host over HTTPS.
Other components of the UNC2447 toolbox were used to manipulate Windows security settings, firewall rules, and antivirus protection.
Finally, the payload was loaded directly into memory via the SombRAT remote access trojan, which provides file obfuscation and arbitrary code execution.
Sectors Impacted
Companies from multiple industrial sectors have been affected by FiveHands Ransomware. Primarily, these attacks have been observed in healthcare, telecommunications, construction, engineering, education, real estate, and food and beverage organizations.
Geographically, the threat group behind the attacks has been observed focusing on organizations across Europe and North America, and more recently the US and Japan.
Ransomware attacks are on the rise and the attack methods are constantly evolving. As the recent SonicWall VPN and Colonial Pipeline attacks show, threat actors have begun exploiting zero-day vulnerabilities that have not yet been published. Huge ransomware payouts are emboldening attackers to target critical entities. Organizations need to adopt a risk-based approach to continuously identify, prioritize, and remediate vulnerabilities without delay.
To implement this approach, organizations need to be supported by an Attack Surface Management (ASM) solution that provides timely updates and accurate threat context on currently trending vulnerabilities.
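The contrast the post draws between CVSS-only and threat-context prioritization, as an added example (not CSW's code or its Vulnerability Intelligence scoring): CVE-2021-20016's attributes and timeline dates come from the post above, the weights and the two placeholder CVEs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Vuln:
    cve: str
    cvss: float              # CVSS v3 base score
    ransomware_linked: bool  # known association with a ransomware family
    trending: bool           # currently trending in threat feeds
    patched: bool            # vendor patch available
    exposed: bool            # affected asset reachable from the internet

def risk_score(v: Vuln) -> float:
    """CVSS is the floor; threat context adds weight (illustrative weights, not a published formula)."""
    score = v.cvss
    if v.ransomware_linked:
        score += 3.0   # ransomware use is the strongest signal in the post
    if v.trending:
        score += 1.5
    if v.exposed:
        score += 1.0
    if not v.patched:
        score += 0.5   # no fix yet, so compensating controls are needed
    return round(score, 1)

def cvss_only_order(vulns):
    # The ranking a CVSS-only process produces.
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def risk_based_order(vulns):
    # The ranking once threat context is applied.
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]

def exposure_window_days(vendor_disclosed, patch_released, nvd_published):
    # Days from vendor disclosure to the patch, and to the NVD entry.
    return (patch_released - vendor_disclosed).days, (nvd_published - vendor_disclosed).days

def fivehands_timeline():
    # Dates from the post: vendor advisory Jan 23, patch Feb 3, NVD entry Feb 4, 2021.
    return exposure_window_days(date(2021, 1, 23), date(2021, 2, 3), date(2021, 2, 4))

# Constructed inventory: CVE-2021-20016's attributes come from the post; the other two are placeholders.
INVENTORY = [
    Vuln("CVE-2021-20016", 9.8, True, True, True, True),
    Vuln("CVE-PLACEHOLDER-A", 9.9, False, False, True, False),
    Vuln("CVE-PLACEHOLDER-B", 7.5, True, False, False, True),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(INVENTORY))
    print("Risk-based:", risk_based_order(INVENTORY))
```

With these weights the CVSS-only list puts the 9.9 placeholder first, while the risk-based list moves the ransomware-linked, internet-exposed CVE-2021-20016 to the top; the same dates give an 11-day window to patch and 12 days before NVD consumers even saw the entry.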
Concerned about being targeted by ransomware attacks?
CSW’s Ransomware Assessment is powered by Vulnerability Intelligence (VI), a dynamic and current single source of truth that looks beyond the NVD to collate a comprehensive list of vulnerabilities and associated ransomware. Backed by this database, CSW helps organizations prioritize vulnerabilities and provides a threat context to their risks.