FireEye’s investigation wing, Mandiant, has documented a new cybercrime group named UNC1945, which is actively exploiting a zero-day in Oracle’s Solaris OS. The group has been found installing a backdoor for lateral movement and a QEMU VM for avoiding detection. Oracle has already released a patch for the zero-day vulnerability that UNC1945 is exploiting.
Using Free and Custom Exploitation Tools
Mandiant, FireEye’s investigation unit, has released a report about a new threat actor named UNC1945. The group’s activities date back to 2018, targeting the telecommunications, consulting, and financial sectors. Mandiant started looking closely this year, when the group was found targeting a bug in Oracle’s Solaris OS.
It’s reported that UNC1945 is using a combination of open-source and custom-made exploitation tools, letting them exploit the bug and install a backdoor. The zero-day vulnerability they’re targeting is in the Solaris Pluggable Authentication Module (PAM). Tracked as CVE-2020-14871, it lets the threat actors bypass authentication and install the SLAPSTICK backdoor.
To avoid being detected, the group runs this process inside a QEMU virtual machine that ships with the exploitation package and runs Tiny Core Linux. Since running the tooling inside a VM keeps it hidden from host-based detection, the group then proceeds to move laterally across the network.
The group initially scans the internet for servers running vulnerable Solaris OS and deploys tools to get in. Researchers said the tools used are mostly open-source, like Responder, Procdump, CrackMapExec, PowerSploit, PoshC2, JBoss Vulnerability Scanner, Medusa, and Mimikatz, alongside custom-made tools like EVILSUN, LEMONSTICK, LOGBLEACH, OPENSHACKLE, STEELCORGI, and SLAPSTICK.
Mandiant said the exploit for this zero-day could have been bought by UNC1945 on the darknet, as they saw an ad on a black-market website in April this year selling an “Oracle Solaris SSHD Remote Root Exploit” for $3,000. They reported this vulnerability to Oracle immediately, and the vendor has released a patch, but not all users have applied it. Thus exploitation continues.