Hackers used SonicWall zero-day flaw to plant ransomware


Image: Pixabay

Ransomware group UNC2447 used an SQL injection bug to attack US and European orgs




Read More: security SonicWall

Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.

According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, who Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.

Hackers deployed the malware as early as January this year along with Sombrat malware at multiple victims that were extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.



“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” the researchers said.

Researchers said FiveHands is…


Android Users Sue Google Over Alleged Security Flaw Exposing COVID-19 Contact-Tracing Data

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Screenshot of CA Notify website. A proposed class action is asking a federal court to order Google to fix an alleged security threat that makes the company’s COVID-19 contact-tracing system developed with Apple less “privacy-preserving” than the tech giants claimed.

Nearly 40 countries and dozens of U.S. states, including California, use the Google-Apple Exposure Notification System (GAEN) for their coronavirus contact-tracing apps. The system leverages Bluetooth technology and deploys safeguards such as randomized identifiers, called rolling proximity identifiers or RPIs, and decentralized storage on devices to protect users’ privacy.

In a complaint filed Wednesday in the U.S. District Court for the Northern District of California, attorneys from Lieff Cabraser Heimann & Bernstein assert that dozens of third parties might have access to the system’s stored data on mobile devices, including personally identifiable information and potential COVID-19 exposure results.


Spy groups hack into companies using zero-day flaw in Pulse Secure VPN

Over the past few months, several cyberespionage groups, including one believed to be tied to the Chinese government, have been breaking into the networks of organizations from the United States and Europe by exploiting vulnerabilities in VPN appliances from zero-trust access provider Pulse Secure. Some of the flaws date from 2019 and 2020, but one was unknown until this month.

“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”

Pulse Secure VPN zero-day vulnerability

While investigating breaches this year at various defense, government and financial organizations from around the world, the Mandiant team kept finding malicious activity in the compromised environments tracing back to their Pulse Secure VPN appliances where hackers had obtained administrative access. The experts couldn’t determine how the hackers gained administrative credentials, so it contacted Pulse Secure and its parent company Ivanti. Their investigation concluded that the attackers were likely using known vulnerabilities found and patched over the past two years, but also a previously unknown one.

Tracked as CVE-2021-22893, the flaw allows attackers to bypass authentication on the Pulse Connect Secure (PCS) VPN solution and execute arbitrary code. The vulnerability is rated critical with a severity score of 10 on the CVSS scale. A patch for the issue will be included in version 9.1R.11.4 of the PCS server, which has not been released yet. Until then, the company provided a workaround in the form of an .xml configuration file that can be imported into the appliance. The file will disable the Windows File Share Browser and Pulse Secure Collaboration features of the appliance to block the…


UPDATE 3-At least 10 hacking groups using Microsoft software flaw -researchers

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

(Adds comment from researchers who discovered flaw, possible methods for leaks)

By Raphael Satter, Christopher Bing and Joseph Menn

WASHINGTON, March 10 (Reuters) – At least 10 different hacking groups are using recently discovered flaws in Microsoft Corp’s mail server software to break in to targets around the world, cybersecurity company ESET said in a blog post on Wednesday.

The breadth of the exploitation adds to the urgency of the warnings being issued by authorities in the United States and Europe about the weaknesses found in Microsoft’s Exchange software.

The security holes in the widely used mail and calendaring solution leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or move elsewhere in the network. Tens of thousands of organizations have already been compromised, Reuters reported last week, and new victims are being made public daily.

Earlier on Wednesday, for example, Norway’s parliament announced data had been “extracted” in a breach linked to the Microsoft flaws. Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

While Microsoft has issued fixes, the sluggish pace of many customers’ updates – which experts attribute in part to the complexity of Exchange’s architecture – means the field remains at least partially open to hackers of all stripes. The patches do not remove any back door access that has already been left on the machines.

In addition, some of the back doors left on compromised machines have passwords that are easily guessed, so that newcomers can take them over.

Microsoft declined comment on the pace of customers’ updates. In previous announcements pertaining to the flaws, the company has emphasized the importance of “patching all affected systems immediately.”

Although the hacking has appeared to be focused on cyber espionage, experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.

ESET’s blog post said there were already signs of cybercriminal exploitation,…