Researchers from FireEye reported that a sophisticated threat actor, tracked as UNC1945, has been observed targeting Oracle Solaris operating systems for over two years.
The “UNC” prefix in the group's name is the designation FireEye uses for uncategorized groups.
According to the experts, the attackers also used an exploit for a recently addressed zero-day vulnerability (CVE-2020-14871) in Oracle Solaris.
The UNC1945 group carried out attacks aimed at telecommunications companies and leveraged third-party networks to target specific financial and professional consulting industries.
“UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux operating systems, loaded and operated custom virtual machines, and employed techniques to evade detection.” reads the report published by FireEye. “UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations.”
In late 2018, the UNC1945 group was spotted compromising a Solaris server that had the SSH service exposed to the Internet to install a backdoor dubbed SLAPSTICK and steal credentials to use in later attacks.
519 days later, in mid-2020, researchers observed another Solaris server connecting to infrastructure previously associated with the attackers. In this case, the attackers deployed a remote exploitation tool dubbed EVILSUN, designed to exploit the zero-day vulnerability CVE-2020-14871 on a Solaris 9 server.
FireEye/Mandiant reported CVE-2020-14871 to Oracle, and the IT giant addressed it with the release of the October 2020 Critical Patch Update. The CVE-2020-14871 flaw affects the Solaris Pluggable Authentication Module (PAM) and can allow an unauthenticated attacker with network access to compromise the operating system.
In April 2020, researchers from Mandiant also discovered an ‘Oracle Solaris SSHD Remote Root Exploit’ advertised on an underground marketplace for approximately $3,000 USD; this exploit may be identifiable with EVILSUN.
“According to an April 2020 post on a black-market website, an “Oracle Solaris SSHD Remote Root Exploit” was available for approximately $3,000 USD, which may be identifiable with EVILSUN.” reads the analysis published by Mandiant.
“Additionally, we confirmed a Solaris server exposed to the internet had critical vulnerabilities, which included the possibility of remote exploitation without authentication.”
The threat actor established a foothold on a Solaris 9 server using SLAPSTICK, a backdoor implemented as a Solaris Pluggable Authentication Module.
Once the backdoor was in place, the threat actor dropped a custom Linux backdoor called LEMONSTICK on the workstation to achieve command execution, connection tunneling, and file transfer and execution.
UNC1945 obtained and maintained access to its external infrastructure using SSH port forwarding. Experts also observed the group dropping a custom QEMU virtual machine on multiple hosts, using a ‘start.sh’ script to run it inside any Linux system.
The script contained TCP forwarding settings, while the VM came preloaded with multiple hacking tools, including post-exploitation applications, network scanners, exploits and reconnaissance tools. The list of preloaded tools included Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, and JBoss Vulnerability Scanner.
To evade detection, the threat actor placed tool and output files within temporary file system mount points that were stored in volatile memory. UNC1945 also used built-in utilities and public tools to modify timestamps and selectively manipulate Unix log files.
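A defender-side check for the staging technique just described, added here as an example and not part of the Security Affairs article or the FireEye report: it lists tmpfs mounts from /proc/mounts, flags executables placed inside them, and flags files whose modification time predates the last boot, which a RAM-backed filesystem cannot legitimately hold. The sample mount table and file records are constructed, and the Linux /proc paths are an assumption that does not carry over to Solaris unchanged.

```python
import os
import time
from dataclasses import dataclass

# Constructed sample of /proc/mounts content; not taken from the FireEye report.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=2G 0 0
"""

@dataclass
class FileRecord:
    path: str
    mode: int     # st_mode
    mtime: float  # st_mtime, trivially rewritten with touch -t and similar tools

def tmpfs_mounts(mounts_text):
    """Mount points backed by tmpfs: RAM only, gone on reboot."""
    rows = [ln.split() for ln in mounts_text.splitlines()]
    return [r[1] for r in rows if len(r) >= 3 and r[2] == "tmpfs"]

def boot_time(uptime_text=None):
    """Epoch seconds of the last boot, from /proc/uptime or a supplied copy."""
    if uptime_text is None:
        with open("/proc/uptime") as f:
            uptime_text = f.read()
    return time.time() - float(uptime_text.split()[0])

def find_suspicious(records, mount_points, booted_at):
    """Flag executables staged in volatile mounts and impossible mtimes."""
    findings = []
    for r in records:
        if not any(r.path.startswith(m.rstrip("/") + "/") for m in mount_points):
            continue  # only RAM-backed locations are of interest here
        if r.mode & 0o111:  # any execute bit set
            findings.append((r.path, "executable staged in tmpfs"))
        # tmpfs cannot outlive a boot: an older mtime means the timestamp was
        # altered (or the file was copied in with preserved timestamps, e.g. cp -p)
        if r.mtime < booted_at:
            findings.append((r.path, "mtime predates boot"))
    return findings

def scan_live(mounts_path="/proc/mounts"):
    with open(mounts_path) as f:
        mounts = tmpfs_mounts(f.read())
    recs = [FileRecord(p, os.stat(p).st_mode, os.stat(p).st_mtime)
            for m in mounts for root, _d, files in os.walk(m)
            for p in (os.path.join(root, n) for n in files)
            if os.path.isfile(p) and not os.path.islink(p)]
    return find_suspicious(recs, mounts, boot_time())
```

Running scan_live() as root on a Linux host returns the findings for that host; every hit should be reviewed against what legitimately uses the mount (package managers and some services also unpack files with preserved timestamps).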
The attackers also collected credentials, escalated privileges, and moved laterally through multiple networks.
“UNC1945 used ProxyChains to download PUPYRAT, an open source, cross-platform multi-functional remote administration and post-exploitation tool mainly written in Python.” continues the report.
“At one target, the threat actor used a virtual machine to initiate a brute-force of SSH targeting Linux and HP-UX endpoints. Beginning with seemingly random usernames and shifting to legitimate Linux and Windows accounts, the threat actor successfully established SSH connections on a Linux endpoint. After successfully escalating privileges on an HP-UX endpoint and a Linux endpoint, UNC1945 installed three backdoors: SLAPSTICK, TINYSHELL, and OKSOLO.”
The attackers also used a BlueKeep scanning tool to target Windows systems.
Experts noticed that the hackers did not exfiltrate any data from the victims in the observed attacks; in one case, however, they deployed the ROLLCOAST ransomware.
“The ease and breadth of exploitation in which UNC1945 conducted this campaign suggests a sophisticated, persistent actor comfortable exploiting various operating systems, and access to resources and numerous toolsets.” the researchers conclude. “Given the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple third-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key industries.”
(SecurityAffairs – hacking, UNC1945)