A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries by exploiting a security flaw in Oracle’s Solaris operating system.
Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.
The bug, CVE-2020-14871, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. Threat actors utilized a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.
“In mid-2020, we observed UNC1945 deploy EVILSUN — a remote-exploitation tool containing a zero-day exploit for CVE-2020-14871 — on a Solaris 9 server,” said researchers with FireEye, in a Monday analysis. “At the time, connections from the server to the threat actor’s IP address were observed over port 8080.”
Researchers first observed threat actors gaining access to a Solaris server and installing a backdoor (tracked as SLAPSTICK) in late 2018. A day later, the threat actor executed a custom Linux backdoor (called LEMONSTICK by researchers) on the workstation. This backdoor’s capabilities include command execution, file transfer and execution, and the ability to establish tunnel connections – allowing attackers to capture connection details and credentials to facilitate further compromise.
After a 519-day dwell time, during which researchers say there was “insufficient available evidence” to track the group, the next indication of activity was in mid-2020. At this time, a different Solaris server was observed connecting to the threat actor’s infrastructure, said researchers.
Researchers also observed an April post on a black-market website, marketing an “Oracle Solaris SSHD Remote Root Exploit” that cost approximately $3,000, which they say may be identifiable as EVILSUN.
Attack Details
After the initial infection, UNC1945 was observed dropping a custom QEMU virtual machine (VM) on multiple hosts. On Linux systems, the VM was launched by a ‘start.sh’ script, which contained TCP forwarding settings. These settings “could be used by the threat actor in conjunction with the SSH tunnels to give direct access from the threat actor VM to the command-and-control server to obfuscate interaction with customer infrastructure,” said researchers.
The VM also contained various tools, such as network scanners, exploits and reconnaissance tools. The pre-loaded Tiny Core Linux tools included Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss Vulnerability Scanner and more.
The threat actor also deployed various anti-detection tools and anti-forensics techniques.
For instance, it placed its tool and output files in temporary file-system mount points that were stored in volatile memory, used built-in utilities and public tools — like Linux commands — to modify timestamps, and used LOGBLEACH to clean logs to thwart forensic analysis. LOGBLEACH is an ELF utility that deletes log entries from a specified log file based on a filter provided via the command line.
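A defender-side check for the first of those techniques, added here as an illustrative example and not taken from the FireEye analysis: it reads a mount table in Linux /proc/mounts format and flags processes whose executable sits on a memory-backed file system, along with volatile mounts that still permit execution. The sample mount table, PIDs and paths are constructed, and all function names are hypothetical.

```python
# Added example: sample data is constructed, function names are hypothetical.
VOLATILE_FS = {"tmpfs", "ramfs"}   # RAM-backed: contents are lost on unmount or reboot
DELETED = " (deleted)"             # suffix the kernel appends to an unlinked /proc/<pid>/exe

# Constructed sample in /proc/mounts format: device, mount point, fstype, options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
tmpfs /var/tmp/.cache tmpfs rw,relatime,size=65536k 0 0
"""
# Constructed sample: pid -> readlink target of /proc/<pid>/exe.
SAMPLE_PROCS = {812: "/usr/sbin/sshd", 977: "/var/tmp/report.sh",
                4471: "/var/tmp/.cache/scan", 4502: "/dev/shm/.x/tool (deleted)"}

def parse_mounts(text):
    """Map mount point -> (fstype, options); a later line shadows an earlier one."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mount_point = f[1].replace("\\040", " ")  # \040 is an escaped space
            table[mount_point] = (f[2], set(f[3].split(",")))
    return table

def owning_mount(path, table):
    """Longest mount point that is a whole-component prefix of path, or None."""
    inside = [mp for mp in table if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(inside, key=len, default=None)

def flag_volatile_exec(procs, mounts_text):
    """Return (pid, path, mount, binary_deleted) for executables on RAM-backed mounts."""
    table = parse_mounts(mounts_text)
    hits = []
    for pid, exe in sorted(procs.items()):
        deleted = exe.endswith(DELETED)
        path = exe[:-len(DELETED)] if deleted else exe
        mp = owning_mount(path, table)
        if mp is not None and table[mp][0] in VOLATILE_FS:
            hits.append((pid, path, mp, deleted))
    return hits

def exec_allowed_volatile(mounts_text):
    """RAM-backed mounts lacking noexec, i.e. where a dropped binary can be run."""
    return sorted(mp for mp, (fs, opts) in parse_mounts(mounts_text).items()
                  if fs in VOLATILE_FS and "noexec" not in opts)

if __name__ == "__main__":
    print(flag_volatile_exec(SAMPLE_PROCS, SAMPLE_MOUNTS))
    print(exec_allowed_volatile(SAMPLE_MOUNTS))
```

On a live host the two inputs would come from /proc/mounts and the /proc/<pid>/exe symlinks. A hit whose binary is already deleted exists only while the process runs, so it should be captured before the process exits.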
“To further obfuscate activity, a Linux ELF packer named STEELCORGI was executed in memory on the Solaris system,” said researchers. “The malware contains various anti-analysis techniques, including anti-debugging, anti-tracing, and string obfuscation. It uses environment variables as a key to unpack the final payload.”
Once it established a foothold, UNC1945 collected credentials via SLAPSTICK and open source tools such as Mimikatz. It then escalated privileges, and successfully moved laterally through multiple networks.
UNC1945 also downloaded various post-exploitation tools, such as PUPYRAT, an open source, cross-platform multi-functional remote administration and post-exploitation tool mainly written in Python; as well as a BlueKeep scanning tool. BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft’s Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.
Despite the multi-staged operation, researchers said they did not observe evidence of data exfiltration and were unable to determine UNC1945’s mission for most of the intrusions investigated.
“UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux operating systems, loaded and operated custom virtual machines, and employed techniques to evade detection,” said researchers. “UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations.”