
UNC1945 hackers attacked company networks through 0-day on Oracle Solaris

Oracle has been getting more than its share of bad luck lately. Specialists at Mandiant, the incident response arm of cybersecurity company FireEye, have published a report on the activities of the cybercriminal group UNC1945, which exploited a zero-day vulnerability in Oracle Solaris to gain access to corporate networks.

Typically, the group attacks telecommunications, financial and consulting companies. Although UNC1945 has been active since 2018, Mandiant only noticed the group this year, when it began exploiting a previously unknown vulnerability in Oracle Solaris (CVE-2020-14871).

The vulnerability lies in the Pluggable Authentication Module (PAM) and allows authentication to be bypassed.

“With it, the UNC1945 hackers installed the SLAPSTICK backdoor on vulnerable Internet-facing Solaris servers. The backdoor served as an entry point for intelligence-gathering operations within corporate networks and for lateral movement to other systems,” say the Mandiant experts.

To evade detection, the attackers downloaded and installed a QEMU virtual machine running Tiny Core Linux. This customized Linux VM came preloaded with a range of hacking tools, including network scanners, password harvesters and exploits, which UNC1945 used to scan corporate networks for vulnerabilities and to move laterally to other machines, whether they run Windows or *NIX systems.
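Because the report says the group ran its toolkit inside a QEMU guest on the compromised server, a simple host-side check is to look for hypervisor processes on servers that have no business running virtual machines. The script below is an added example, not code from the article or from Mandiant: it parses the output of `ps -eo pid,ppid,user,args` (the sample lines are constructed, not real data) and flags QEMU processes, adding extra reasons when the command line shows a headless guest, an image loaded from a temporary directory, host-to-guest port forwarding, or a Tiny Core image.

```python
"""Flag unexpected QEMU virtual-machine processes in a process listing.

Added example, not part of the original article or of Mandiant's report.
Assumes the defender has captured `ps -eo pid,ppid,user,args` from a server
that is not supposed to host virtual machines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `ps -eo pid,ppid,user,args` output (not real data).
SAMPLE_PS_OUTPUT = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  842     1 root     /usr/lib/ssh/sshd
 1203   842 webadm   /bin/bash
 1910  1203 webadm   /opt/qemu/bin/qemu-system-x86_64 -nographic -cdrom /tmp/.x/tinycore.iso -net user,hostfwd=tcp::2222-:22
 2044     1 root     /usr/sbin/cron
"""

# Executable names that indicate a QEMU hypervisor process.
VM_BINARY_PATTERN = re.compile(r"(^|/)(qemu-system-[\w-]+|qemu-kvm|qemu)$")


@dataclass
class Finding:
    pid: int
    ppid: int
    user: str
    command: str
    reasons: list = field(default_factory=list)


def parse_ps(output: str):
    """Turn `ps -eo pid,ppid,user,args` text into (pid, ppid, user, args) tuples."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the column header
        parts = line.split(None, 3)       # args may contain spaces, keep it whole
        if len(parts) < 4:
            continue
        pid, ppid, user, args = parts
        rows.append((int(pid), int(ppid), user, args))
    return rows


def find_vm_processes(output: str, vm_expected: bool = False):
    """Return a Finding for each QEMU process, with the reasons it looks suspicious.

    vm_expected=False means the host has no VM role, so any hypervisor is reported.
    """
    findings = []
    for pid, ppid, user, args in parse_ps(output):
        binary = args.split()[0]
        if not VM_BINARY_PATTERN.search(binary):
            continue
        reasons = []
        if not vm_expected:
            reasons.append("hypervisor running on a host with no VM role")
        if "-nographic" in args:
            reasons.append("headless guest (no console attached)")
        if re.search(r"/tmp/|/var/tmp/|/dev/shm/", args):
            reasons.append("guest image loaded from a temporary directory")
        if "hostfwd=" in args:
            reasons.append("host port forwarded into the guest")
        if "tinycore" in args.lower():
            reasons.append("Tiny Core Linux image, as described in the report")
        findings.append(Finding(pid, ppid, user, args, reasons))
    return findings


if __name__ == "__main__":
    for f in find_vm_processes(SAMPLE_PS_OUTPUT):
        print(f"pid={f.pid} ppid={f.ppid} user={f.user}")
        for r in f.reasons:
            print(f"  - {r}")
```

On a real host, feed it `ps -eo pid,ppid,user,args` output and treat any finding on a server without a virtualization role as something to investigate, along with the parent process (here an interactive shell rather than a service manager) and the directory the image was loaded from.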

In its attacks, the group uses both legitimate security tools and open-source penetration testing tools (Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa and the JBoss Vulnerability Scanner), as well as custom malware. Among the custom tooling, the researchers list EVILSUN, LEMONSTICK, LOGBLEACH, OKSOLO, OPENSHACKLE, ProxyChains, PUPYRAT, STEELCORGI, SLAPSTICK and TINYSHELL.

“UNC1945 acquired the EVILSUN tool on a cybercrime forum to exploit a zero-day vulnerability in Oracle Solaris and then install the SLAPSTICK backdoor,” say the experts.

Back in April of this year, experts discovered a site advertising “Oracle Solaris SSHD Remote Root Exploit” for $3,000.

Mandiant notified Oracle of the vulnerability earlier this year, and the company released a patch for it in October.

As a reminder, a critical vulnerability was recently discovered in Oracle WebLogic, and the company had to release an emergency patch because hackers were already attacking the bug.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
