Monday, June 16, 2025
HomeRansomwareHackers Abuses SonicWall Zero-day to Deploy New Ransomware

Hackers Abuses SonicWall Zero-day to Deploy New Ransomware

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity research team at FireEye has recently detected back to back three vulnerability in Sonicwall’s email security software.

In a regular analysis, the experts have again detected that a threat group, UNC2447, is financially very motivated is continuously exploiting SonicWall VPN zero-day (CVE-2021-20016) vulnerability.

According to the report from FireEye, this vulnerability is prior to a currently available patch and is continuously deploying the sophisticated ransomware.

- Advertisement - Google News

The experts, after detecting the ransomware they named it as FiveHands and pronounced that this is quite similar to the malware that is designated as HelloKitty.

Surreptitious HelloKitty

However, the attack in which the threat actors have implemented FiveHands was initially detected in October 2020. As we said above that FiveHands is very similar to the HelloKitty malware.

HelloKitty was discovered as it has attacked video game development studio CD Projekt Red, it has encrypted the game system. 

Once the encryption is done, the threat actors have stolen the source code for Cyberpunk 2077, Gwent, Witcher 3, and not only this, but they also attacked an unreleased version of Witcher 3.

The attack rate of HelloKitty decreased as the use of the FiveHands attack increased. Rather than similar feature and functionality, both of them were also linked by Mandiant.

The specialists came to know about the link after a month of observing the FiveHands ransomware Tor chat using a HelloKitty favicon.

UNC2447 affiliates also deployed “Ragnar Locker”

The threat actors keep an eye upon their victims through the FiveHands ransomware; after that, the hackers violently applied pressure upon the victims with media attention threats.

The threat actors also offer victim data for sale on hacker forums, and according to the cybersecurity researchers, the UNC2447 associates have observed many sources so that they can easily implement Ragnar Locker ransomware activity.

However, the similarities of HelloKitty and FiveHands, are quite visible, but ransomware may be utilized by different groups via underground affiliate programs. 

Unlike, HelloKitty, FiveHands has improved ad worked on its predecessors by utilizing a new, memory-only dropper. Later, the threat actors have applied encryption to a larger array of file types.

Moreover, the zero-day has again being exploited by some other group named UNC2682 to backdoor systems. But, still, this group has used BEHINDER web shells to move safely through the victims’ networks and quickly gain access to the emails and all other files.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Unpatched IT Tool Opens Door – Hackers Breach Billing Software Firm via SimpleHelp RMM

Cybersecurity professionals and business leaders are on high alert following a confirmed breach of...

Fog Ransomware Uses Pentesting Tools to Steal Data and Launch Attacks

Fog ransomware incidents in recent years have exposed a dangerous new trend in cybercrime:...

Sensata Technologies Faces Disruption Due to Ransomware Attack

Sensata Technologies, Inc., a major technology company based in Attleboro, Massachusetts, has disclosed a...