Mandiant, the investigations unit of security firm FireEye, has published details today about a new threat actor it calls UNC1945, which the security firm says used a zero-day vulnerability in the Oracle Solaris operating system as part of its intrusions into corporate networks.
Regular targets of UNC1945 attacks included the likes of telecommunications, financial, and consulting companies, the Mandiant team said in a report published today.
While UNC1945 activity went as far back as 2018, Mandiant said the group caught their eye earlier this year after the threat actor utilized a never-before-seen vulnerability in the Oracle Solaris operating system.
Tracked as CVE-2020-14871, the zero-day was a vulnerability in the Solaris Pluggable Authentication Module (PAM) that allowed UNC1945 to bypass authentication procedures and install a backdoor named SLAPSTICK on internet-exposed Solaris servers.
Mandiant said the hackers then used this backdoor as an entry point to launch reconnaissance operations inside corporate networks and move laterally to other systems.
To avoid detection, Mandiant said the group downloaded and installed a QEMU virtual machine running a version of the Tiny Core Linux OS.
This custom-made Linux VM came pre-installed with several hacking tools, such as network scanners, password dumpers, exploits, and reconnaissance toolkits, that allowed UNC1945 to scan a company's internal network for weaknesses and move laterally to multiple systems, regardless of whether they ran Windows or *NIX-based operating systems.
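A QEMU guest booting a Tiny Core Linux image is an unusual thing to find on a production Solaris or Linux server, and its process listing is the simplest place to catch it. The script below is an added example for defenders, not code from the Mandiant report or this article: it parses `ps -eo pid,user,args` output (a format both Solaris and Linux `ps` accept), flags QEMU system-emulator processes, and records why each one looks suspicious (guest image arguments, images under a temporary directory, running as root). The binary-name pattern and the argument markers are assumptions about how QEMU is typically invoked, and the sample process list is constructed, not real telemetry.

```python
"""Hunt for unexpected QEMU guests in a process listing.

Added example (not from the Mandiant report): parses `ps` output and flags
command lines that look like a QEMU virtual machine being launched, which on
a server that has no business running VMs is worth an analyst's attention.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Process names QEMU uses for system emulation (qemu, qemu-system-x86_64,
# qemu-kvm ...). Deliberately excludes qemu-img, which admins run legitimately.
QEMU_BINARY = re.compile(r"(^|/)qemu(-system-[\w-]+|-kvm)?$")

# Argument fragments that point at a bootable guest image or disk. Tiny Core
# Linux ships as an ISO, hence the .iso check. (Assumed typical QEMU usage.)
GUEST_MARKERS = ("-cdrom", "-hda", "-drive", ".iso", ".img", ".qcow2")

# Directories where a dropped guest image is more suspicious than elsewhere.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    user: str
    cmdline: str
    reasons: List[str]


def _parse_ps_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Split one `ps -eo pid,user,args` line into (pid, user, command line)."""
    parts = line.split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None  # header line or something we do not understand
    return int(parts[0]), parts[1], parts[2]


def find_vm_processes(ps_lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every QEMU system-emulator process in the listing."""
    findings: List[Finding] = []
    for line in ps_lines:
        parsed = _parse_ps_line(line.strip())
        if parsed is None:
            continue
        pid, user, cmdline = parsed
        argv = cmdline.split()
        if not argv or not QEMU_BINARY.search(argv[0]):
            continue
        reasons = ["qemu binary: " + argv[0]]
        markers = [m for m in GUEST_MARKERS if any(m in a for a in argv[1:])]
        if markers:
            reasons.append("guest image/device args: " + ", ".join(markers))
        if any(a.startswith(TEMP_DIRS) for a in argv):
            reasons.append("binary or guest image under a temp directory")
        if user == "root":
            reasons.append("running as root")
        findings.append(Finding(pid, user, cmdline, reasons))
    return findings


def live_scan() -> List[Finding]:
    """Run the hunt against the local host's process table."""
    out = subprocess.run(["ps", "-eo", "pid,user,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_vm_processes(out.splitlines())


# Constructed sample, not real telemetry: an ordinary sshd, a benign qemu-img
# invocation by an admin, and a QEMU guest booting an ISO out of /var/tmp.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/lib/ssh/sshd
 2041 oracle   /usr/bin/qemu-img info /export/images/db.qcow2
 2417 root     /var/tmp/.x/qemu-system-x86_64 -m 512 -cdrom /var/tmp/.x/tinycore.iso -nographic -net user
"""

if __name__ == "__main__":
    for f in find_vm_processes(SAMPLE_PS.splitlines()):
        print(f"pid {f.pid} ({f.user}): {f.cmdline}")
        for r in f.reasons:
            print("   -", r)
```

Running the module prints the one flagged guest from the constructed sample; `live_scan()` applies the same logic to the local process table. The check is intentionally narrow (QEMU by name), so it complements rather than replaces broader controls such as application allow-listing or alerting on unexpected executables under temporary directories.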
Mandiant said it observed the group using an assortment of open-source penetration testing and security tools, but also custom malware strains.
The open-source toolkits included the likes of Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner, all well-known in the cyber-security industry.
But UNC1945 also showed the ability to create and operate custom malware, with Mandiant linking UNC1945 intrusions to (new and old) malware strains like:
Mandiant said it believes that UNC1945 bought EVILSUN (the tool that allowed them to exploit the Solaris zero-day and plant the SLAPSTICK backdoor) from a public hacking forum.
The company said it identified an ad in April 2020 on a black-market website that promoted an "Oracle Solaris SSHD Remote Root Exploit" for $3,000.
Mandiant said it reported the Solaris zero-day to Oracle earlier this year, after discovering traces of exploitation during an investigation.
The zero-day (CVE-2020-14871) was patched last month in Oracle's October 2020 security patches.
Mandiant said that while UNC1945 has been active for several years, it spotted the Solaris zero-day in one confirmed breach; however, this doesn't mean the zero-day wasn't exploited against other corporate networks.
The security firm said it "did not observe evidence of data exfiltration and was unable to determine UNC1945's mission for most of the intrusions [they] investigated."
In one UNC1945 intrusion, ransomware was deployed as a final payload, but Mandiant couldn't link the ransomware attack to UNC1945 directly, and said it "is likely that access to the victim environment was sold to another group."
Indicators of compromise and other technical details describing UNC1945 operations and intrusion patterns are available for defenders in the Mandiant report here.