HelloKitty is launching a DDoS attack by exploiting known vulnerabilities

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

The FBI has issued a warning to private businesses about a new feature of the HelloKitty ransomware group (aka FiveHands). The Hello Kitty/FiveHands actor (UNC2447) employs the double extortion strategy to place undue pressure on victims. If the victim fails to respond quickly or pay the ransom, the threat actors may launch a Distributed Denial of Service (DDoS) attack on the target company's public website. HelloKitty achieves first access by exploiting known SonicWall flaws (CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-20023). Patches for these vulnerabilities are widely accessible.

Vulnerability Details

Actors Details

Indicators of Compromise (IoCs)

Patch Link

<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001&gt;

<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007&gt;

<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008&gt;

<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010&gt;

References

<https://www.ic3.gov/Media/News/2021/211029.pdf&gt;

<https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=UNC2447&gt;

<https://securityaffairs.co/wordpress/124059/malware/hellokitty-ransomware-fbi-alert.html&gt;