FireEye's investigation wing, Mandiant, has documented a new cybercrime group named UNC1945, which is actively exploiting a zero-day in Oracle's Solaris OS. The group has been found installing a backdoor for lateral movement and a QEMU virtual machine to avoid detection. Oracle has already released a patch for the zero-day vulnerability that UNC1945 is exploiting.

Using Free and Custom Exploitation Tools

New Hacker Group Actively Exploiting Zero-Day Bug in Oracle Solaris OS

Mandiant, the investigation unit of cybersecurity firm FireEye, has released a report on a new threat actor it calls UNC1945. The group's activities date back to 2018 and have targeted the telecommunications, consulting, and financial sectors. Mandiant began looking at it closely this year, when the group was found exploiting a bug in Oracle's Solaris OS.

It is reported that UNC1945 is using a combination of open-source and custom-made exploitation tools, letting them exploit the bug and install a backdoor. The zero-day vulnerability they are targeting is in the Solaris Pluggable Authentication Module (PAM). Tracked as CVE-2020-14871, it allowed the threat actors to bypass authentication and install the SLAPSTICK backdoor.

To avoid detection, the group routes this activity through a QEMU virtual machine that is bundled with the exploitation package and runs Tiny Core Linux. Because running the tooling inside a VM shields it from detection, the group then moves laterally across the network.

The group first scans the internet for vulnerable servers running Solaris and deploys tools to break in. Researchers said the tools used here are mostly open-source, such as Responder, Procdump, CrackMapExec, PowerSploit, PoshC2, JBoss Vulnerability Scanner, Medusa, and Mimikatz, along with custom-made tools such as EVILSUN, LEMONSTICK, LOGBLEACH, OPENSHACKLE, STEELCORGI, and SLAPSTICK.

Mandiant said UNC1945 could have bought the exploit for this zero-day on the darknet: in April this year, researchers saw an advertisement on a black-market website selling an "Oracle Solaris SSHD Remote Root Exploit" for $3,000. Mandiant reported the vulnerability to Oracle immediately, and Oracle has released a patch, but not every affected organization has applied it, so exploitation continues.
