FireEye’s investigation wing, Mandiant, has documented a new cybercrime group named UNC1945, which is actively exploiting a zero-day in Oracle’s Solaris OS. The group has been observed installing a backdoor for lateral movement and a QEMU virtual machine to avoid detection. Oracle has already released a patch for the zero-day vulnerability that UNC1945 is exploiting.
Using Free and Custom Exploitation Tools
Mandiant, the investigation unit of cybersecurity firm FireEye, has released a report about a new threat actor named UNC1945. The group’s activities date back to 2018, targeting the telecommunications, consulting, and financial sectors. Mandiant began looking closely at the group this year, when it was found to be targeting a bug in Oracle’s Solaris OS.
UNC1945 is reported to be using a combination of open-source and custom-made exploitation tools, letting it exploit the bug and install a backdoor. The zero-day vulnerability it targets is in the Solaris Pluggable Authentication Module (PAM). Tracked as CVE-2020-14871, it allowed the threat actors to bypass authentication and install the SLAPSTICK backdoor.
To avoid detection, the group runs this process inside a QEMU virtual machine that ships with its exploitation package and runs Tiny Core Linux. With the exploitation contained in the VM, the group then moves laterally across the network.
The group first scans the internet for servers running vulnerable Solaris OS and then deploys tools to gain entry. Researchers said the tools used are mostly open-source, such as Responder, Procdump, CrackMapExec, PowerSploit, PoshC2, JBoss Vulnerability Scanner, Medusa, and Mimikatz, alongside custom-made tools such as EVILSUN, LEMONSTICK, LOGBLEACH, OPENSHACKLE, STEELCORGI, and SLAPSTICK.
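The two behaviours above, a QEMU virtual machine appearing on a Solaris server and well-known open-source offensive tools showing up in process listings, are both things a defender can hunt for in routine process telemetry. The following is an added example written for this article, not Mandiant/FireEye code and not anything from the UNC1945 toolkit. It assumes input in the shape of `ps -eo pid,ppid,user,args` output and a list of trusted QEMU install directories (both assumptions of the example), and it generalises slightly beyond the article: on a host that should never run VMs, every `qemu-system-*` process is reported; on a host where VMs are legitimate, only QEMU binaries launched from an untrusted directory are.

```python
"""Process-listing hunt for unexpected QEMU VMs and known offensive tooling.

Added illustrative example; not Mandiant/FireEye code and not UNC1945 tooling.
Assumes input shaped like `ps -eo pid,ppid,user,args`: the first three
whitespace-separated fields are pid, ppid and user, the rest is the command
line (assumption for this example).
"""
import re
from dataclasses import dataclass

# Directories where a legitimately packaged QEMU binary would normally live.
# Assumed for this example; adjust to the host's real package layout.
TRUSTED_QEMU_DIRS = ("/usr/bin/", "/usr/local/bin/", "/usr/libexec/", "/opt/")

# Open-source tool names mentioned in the article, matched case-insensitively
# against the command line.  Cheap and noisy: a first-pass indicator only.
TOOL_NAMES = ("responder", "procdump", "crackmapexec", "powersploit",
              "poshc2", "medusa", "mimikatz")

# argv[0] of a QEMU system emulator, with or without a leading path.
QEMU_RE = re.compile(r"(^|/)qemu-system-[a-z0-9_]+$")


@dataclass
class Finding:
    pid: int
    user: str
    reason: str
    cmdline: str


def parse_ps_line(line):
    """Return (pid, ppid, user, cmdline), or None for header/blank lines."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    pid, ppid, user, cmd = parts
    return int(pid), int(ppid), user, cmd.strip()


def hunt(ps_output, allow_vms=False):
    """Scan ps output and return a list of Findings.

    allow_vms=False: the host is not supposed to run VMs at all, so every
    qemu-system process is reported (a Solaris application server is a
    typical case).  allow_vms=True: only QEMU binaries launched from outside
    TRUSTED_QEMU_DIRS are reported.  One finding per process at most.
    """
    findings = []
    for line in ps_output.splitlines():
        rec = parse_ps_line(line)
        if rec is None:
            continue
        pid, _ppid, user, cmd = rec
        argv0 = cmd.split()[0]
        if QEMU_RE.search(argv0):
            if not allow_vms:
                findings.append(Finding(pid, user,
                                "qemu VM on a host where VMs are not expected", cmd))
            elif not argv0.startswith(TRUSTED_QEMU_DIRS):
                findings.append(Finding(pid, user,
                                "qemu binary launched from an untrusted directory", cmd))
            continue
        low = cmd.lower()
        hits = [name for name in TOOL_NAMES if name in low]
        if hits:
            findings.append(Finding(pid, user,
                            "known offensive tool name: " + ", ".join(hits), cmd))
    return findings


# Constructed sample listing (not real telemetry): an sshd, a QEMU VM booted
# from a hidden /tmp directory with a Tiny Core ISO, two post-exploitation
# tools, and a QEMU VM run from the packaged binary.
SAMPLE_PS = """\
  PID  PPID USER     ARGS
  412     1 root     /usr/lib/ssh/sshd
 2213   412 root     /tmp/.x/qemu-system-x86_64 -m 512 -cdrom /tmp/.x/tinycore.iso -nographic
 2290  2213 root     /usr/bin/python3 /tmp/.x/crackmapexec
 2301     1 oracle   /usr/bin/bash -c /var/tmp/mimikatz.exe
 2310     1 root     /usr/bin/qemu-system-x86_64 -m 1024 -hda /var/lib/vms/build.qcow2
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_PS, allow_vms=False):
        print(f"pid={f.pid} user={f.user}: {f.reason}\n    {f.cmdline}")
```

On the constructed sample, the strict policy reports all four suspicious processes (both QEMU instances and both tools); the permissive policy drops the QEMU instance launched from `/usr/bin` and keeps the one running out of `/tmp/.x`. The name-matching half is deliberately simple: renamed binaries will slip past it, so it is a triage aid on top of patching and authentication-log review, not a substitute for them.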
Mandiant said UNC1945 may have bought the exploit for this zero-day on the darknet: in April this year, researchers saw an advertisement on a black-market website selling an “Oracle Solaris SSHD Remote Root Exploit” for $3,000. Mandiant reported the vulnerability to Oracle immediately, and Oracle has released a patch, but not all customers have applied it, so exploitation continues.