A threat actor is compromising telecommunications companies & targeting the financial & professional consulting industries using an Oracle flaw.
A previously known group, called UNC1945, has been compromising telecommunications companies & targeting the financial & professional consulting industries by exploiting a security flaw in Oracle’s Solaris operating system.
Researchers explained that the group was exploiting the bug when it was a zero-day, long before a patch arrived.
October 2020 Critical Patch Update
The bug, CVE-2020-14871, was addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) & allows an unauthenticated attacker with network access via multiple protocols to compromise the operating system. The threat actor utilised a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.
“In mid-2020, we observed UNC1945 deploy EVILSUN, a remote-exploitation tool containing a zero-day exploit for CVE-2020-14871, on a Solaris 9 server,” commented researchers with FireEye in a Monday analysis. “At the time, connections from the server to the threat actor’s IP address were observed over port 8080.”
Researchers first observed the threat actor gaining access to a Solaris server & installing a backdoor (tracked as SLAPSTICK) in late 2018. A day later, the threat actor executed a custom Linux backdoor (called LEMONSTICK by researchers) on a workstation.
This backdoor’s capabilities include command execution, file transfer & execution, & the ability to establish tunnel connections, allowing attackers to capture connection details & credentials to facilitate further compromise.
After a 519-day ‘dwell time’, during which researchers say there was “insufficient available evidence” to track the group, the next indication of activity came in mid-2020. At this time, a different Solaris server was observed connecting to the threat actor’s infrastructure, researchers said.
Researchers also observed an April post on a black-market website, marketing an “Oracle Solaris SSHD Remote Root Exploit” that cost approximately $3,000, which they say may be identifiable as EVILSUN.
After the initial infection, UNC1945 was observed dropping a custom QEMU virtual machine (VM) on multiple hosts. On Linux systems this was executed by launching a ‘start.sh’ script, which contained TCP forwarding settings. These settings “could be used by the threat player in conjunction with the SSH tunnels to give direct access from the threat actor VM to the command-and-control server to obfuscate interaction with customer infrastructure,” explained researchers.
The VM also contained various tools, such as network scanners, exploits & reconnaissance tools. The Tiny Core Linux VM came pre-loaded with tools including Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, the JBoss Vulnerability Scanner & more.
The threat actor also used various anti-detection tools & anti-forensics techniques.
For instance, it placed its tools & output files in temporary file-system mount points held in volatile memory, used built-in utilities & public tools (such as standard Linux commands) to modify file timestamps, & used LOGBLEACH to clean logs & thwart forensic analysis.
LOGBLEACH is an ELF utility that deletes entries from a specified log file according to a filter supplied on the command line.
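Two of the anti-forensics techniques just described leave artefacts a responder can look for. The following is an added example, not FireEye’s code, showing triage heuristics over a constructed mount table and constructed file metadata: executables staged on in-memory (tmpfs/ramfs) mounts, and mtime/ctime inconsistencies left behind when timestamps are backdated with built-in utilities.

```python
"""Triage checks for the anti-forensics described above (added example, not
FireEye's code): executables staged on volatile tmpfs mounts and timestamps
backdated with built-in utilities. Records and mount table are constructed."""
from dataclasses import dataclass

VOLATILE_FS = {"tmpfs", "ramfs"}  # filesystems that exist only in RAM

@dataclass
class FileRecord:
    path: str
    mtime: int        # content modification time; settable via touch/utimes()
    ctime: int        # inode change time; kernel sets it to "now" on every utimes()
    executable: bool

def volatile_mounts(proc_mounts: str) -> list:
    """Mount points of in-memory filesystems from /proc/mounts text, longest first."""
    points = [f[1] for f in (ln.split() for ln in proc_mounts.splitlines())
              if len(f) >= 3 and f[2] in VOLATILE_FS]
    return sorted(points, key=len, reverse=True)

def on_volatile_mount(path: str, mounts: list) -> bool:
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)

def triage(records, proc_mounts: str, skew: int = 3600) -> dict:
    """Return {path: [reasons]}. Only executables on volatile mounts are flagged,
    since /run and /dev/shm legitimately hold data files. touch -t / touch -r can
    backdate mtime but cannot set ctime, so ctime far newer than mtime is a
    timestomp lead (chmod/chown long after a write looks the same: verify)."""
    mounts = volatile_mounts(proc_mounts)
    findings = {}
    for rec in records:
        reasons = []
        if rec.executable and on_volatile_mount(rec.path, mounts):
            reasons.append("executable staged on volatile mount")
        if rec.ctime - rec.mtime > skew:
            reasons.append(f"mtime predates ctime by {rec.ctime - rec.mtime}s (possible timestomp)")
        if reasons:
            findings[rec.path] = reasons
    return findings

# Constructed sample inputs (not indicators from the investigation).
SAMPLE_MOUNTS = "proc /proc proc rw 0 0\n/dev/sda1 / ext4 rw 0 0\ntmpfs /dev/shm tmpfs rw 0 0\ntmpfs /run tmpfs rw 0 0\n"
SAMPLE_FILES = [
    FileRecord("/usr/bin/ls", 1_580_000_000, 1_580_000_000, True),          # untouched binary
    FileRecord("/dev/shm/.x/scan", 1_580_000_000, 1_600_000_000, True),     # tool in RAM, mtime backdated
    FileRecord("/run/lock/.lockfile", 1_600_000_000, 1_600_000_000, False),  # benign tmpfs data file
    FileRecord("/tmp/notes.txt", 1_599_999_990, 1_600_000_000, False),      # chmod 10 s after write
]
```

On a live host the same checks can be fed from `/proc/mounts` and `os.stat()` results; the `skew` threshold controls how much ordinary post-write metadata churn is tolerated.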
“To further obfuscate activity, a Linux ELF packer named STEELCORGI was executed in memory on the Solaris system,” outlined researchers. “The malware contains various anti-analysis techniques, including anti-debugging, anti-tracing, & string obfuscation. It uses environment variables as a key to unpack the final payload.”
Once it had established a foothold, UNC1945 collected credentials via SLAPSTICK & open source tools such as Mimikatz. It then escalated privileges & successfully moved laterally through multiple networks.
UNC1945 also downloaded various post-exploitation tools, such as PUPYRAT, an open source, cross-platform multi-functional remote administration & post-exploitation tool mainly written in Python; as well as a BlueKeep scanning tool. BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft’s Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.
Despite the multi-staged operation, researchers said they did not observe evidence of data exfiltration & were unable to determine UNC1945’s mission for most of the intrusions investigated.
“UNC1945 targeted Oracle Solaris operating systems, utilised several tools & utilities against Windows & Linux operating systems, loaded & operated custom virtual machines, & employed techniques to evade detection,” stated researchers.
“UNC1945 demonstrated access to exploits, tools & malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, & displayed advanced technical abilities during interactive operations.”