A newly documented hacker group, dubbed UNC1945, has been observed exploiting a vulnerability in Oracle's Solaris OS to break into corporate networks.
The vulnerability in question (CVE-2020-14871) affects Oracle Solaris versions 10 and 11 and allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. It exists due to improper input validation within the Pluggable Authentication Module (PAM) component of Oracle Solaris.
As for UNC1945, the group’s activity dates back to 2018, focusing on organizations in telecommunications, consulting, and financial fields.
“The threat actor demonstrated experience and comfort by utilizing unique tactics, techniques and procedures (TTPs) within Unix environments, demonstrating a high level of acumen in conjunction with ease of operability in Microsoft Windows operating systems. They were successful navigating multiple segmented networks and leveraging third-party access to extend operations well beyond the initial victim.”
While UNC1945 has been active for several years, the threat actor caught Mandiant's attention earlier this year when researchers detected attacks leveraging a previously unknown flaw in Oracle Solaris, which was used to bypass authentication procedures and install a backdoor dubbed SLAPSTICK on internet-exposed Solaris servers.
UNC1945 uses a combination of open-source and custom-made exploitation tools, including the Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and JBoss Vulnerability Scanner open-source utilities, as well as:
1. EVILSUN (a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture exposed by SSH keyboard-interactive authentication),
2. LEMONSTICK (a custom Linux backdoor),
3. LOGBLEACH (an ELF utility that deletes log entries from a specified log file),
4. OPENSHACKLE (a reconnaissance tool that collects information about logged-on users and saves it to a file),
5. STEELCORGI (a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload),
6. SLAPSTICK (a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password), and other in-house-developed malware.
The hackers use the SLAPSTICK backdoor to establish a foothold on the system; from there they conduct reconnaissance inside corporate networks and move laterally to other systems.
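Because SLAPSTICK works by replacing or inserting a PAM module, one practical defensive check is to compare the PAM modules on a host against a hash baseline taken from a trusted, freshly patched system and alert on anything modified, missing or unexpected. The script below is an added example written for this article; it is not code from the report or from Mandiant. The module directory `PAM_DIR` and the module file names used in the demo are assumptions chosen to look like a Solaris layout, and the "module" contents are constructed bytes, not real libraries.

```python
"""Integrity check of PAM modules against a known-good hash baseline."""
import hashlib
import os
import tempfile

# Assumed location of PAM modules on a Solaris host; adjust for the system being checked.
PAM_DIR = "/usr/lib/security"


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large modules do not need to be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(pam_dir):
    """Hash every regular file in pam_dir. Run this on a trusted host and store the result."""
    return {
        name: sha256_file(os.path.join(pam_dir, name))
        for name in sorted(os.listdir(pam_dir))
        if os.path.isfile(os.path.join(pam_dir, name))
    }


def verify_pam_modules(pam_dir, baseline):
    """Compare the modules currently on disk with the baseline.

    Returns a dict with three sorted lists:
      modified   - present, but hash differs from the baseline (e.g. a trojanised module)
      missing    - in the baseline but no longer on disk
      unexpected - on disk but absent from the baseline (e.g. a dropped backdoor module)
    """
    findings = {"modified": [], "missing": [], "unexpected": []}
    present = {
        name for name in os.listdir(pam_dir)
        if os.path.isfile(os.path.join(pam_dir, name))
    }
    for name, expected in baseline.items():
        if name not in present:
            findings["missing"].append(name)
        elif sha256_file(os.path.join(pam_dir, name)) != expected:
            findings["modified"].append(name)
    findings["unexpected"] = sorted(present - baseline.keys())
    findings["modified"].sort()
    findings["missing"].sort()
    return findings


def demo():
    """Constructed scenario: take a baseline, then replace one module, delete one, add one."""
    with tempfile.TemporaryDirectory() as d:
        # constructed sample modules; names mimic a Solaris layout, contents are fake
        for name in ("pam_unix_auth.so.1", "pam_authtok_check.so.1", "pam_unix_cred.so.1"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"clean module bytes: " + name.encode())
        baseline = build_baseline(d)

        # simulate tampering after the baseline was taken
        with open(os.path.join(d, "pam_unix_auth.so.1"), "wb") as f:
            f.write(b"replaced module bytes")          # modified
        os.remove(os.path.join(d, "pam_unix_cred.so.1"))  # missing
        with open(os.path.join(d, "pam_extra.so.1"), "wb") as f:
            f.write(b"unexpected module")              # unexpected

        return verify_pam_modules(d, baseline)


if __name__ == "__main__":
    # For a real host: load a stored baseline and call verify_pam_modules(PAM_DIR, baseline)
    print(demo())
```

The baseline has to come from somewhere the attacker could not have touched (a package manifest, a golden image, or a hash list kept off the host), and it must be refreshed after every patch cycle or it will flag legitimate updates. On Solaris 11 the packaging system's own `pkg verify` performs a similar comparison against the installed package manifests and is a reasonable first check before running anything custom.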
“As part of this multi-stage operation, UNC1945 dropped a custom QEMU Virtual Machine (VM) on multiple hosts, which was executed inside of any Linux system by launching a ‘start.sh’ script. The script contained TCP forwarding settings that could be used by the threat actor in conjunction with the SSH tunnels to give direct access from the threat actor VM to the command and control server to obfuscate interaction with customer infrastructure,” the researchers noted.
To thwart forensic analysis, the group uses a slew of custom tools such as the LOGBLEACH and STEELCORGI utilities, the latter of which contains various anti-analysis techniques, including anti-debugging, anti-tracing, and string obfuscation.