FireEye: UNC1945 Focuses on Telecom, Financial And Consulting Firm Targets
A recently identified hacking group dubbed UNC1945 used a never-before-seen zero-day vulnerability in the Oracle Solaris operating system to target corporate networks, according to an analysis published this week by FireEye Mandiant.
While the use of this zero-day exploit in Oracle Solaris happened earlier this year, the report notes that UNC1945 has been operating since at least 2018, and has mainly focused on telecommunication, financial and consulting firms as targets.
In addition to the zero-day exploit, the UNC1945 group also targets Windows and Linux devices and operates a wide range of custom tools and malware, according to the report. It is, however, the exploit of the zero-day vulnerability in Oracle Solaris that caught researchers’ attention.
“The ease and breadth of exploitation in which UNC1945 conducted this campaign suggests a sophisticated, persistent actor comfortable exploiting various operating systems, and access to resources and numerous toolsets,” according to the report. “Given the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple third-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key industries while taking advantage of operating systems that likely have inadequate security visibility.”
The exact motives of UNC1945 are currently unknown. In the campaign that Mandiant examined, the researchers found no evidence of data exfiltration, and while there were traces of ransomware in one victim’s infrastructure, it’s not clear if this hacking group or another threat actor planted the crypto-locking malware in the exposed network, according to the report.
The zero-day bug in Oracle Solaris, now tracked as CVE-2020-14871, is an authentication vulnerability in versions 10 and 11 of the operating system. The flaw had gone undetected until Mandiant researchers found UNC1945 exploiting it as part of the campaign from earlier this year.
After finding that the vulnerability had been exploited, Mandiant contacted Oracle about the bug, and the software firm issued a patch as part of its October security update, according to the report.
The Mandiant report notes that the UNC1945 hacking group bought the zero-day exploit, called “EvilSun,” from a black-market website for approximately $3,000 in April. The vulnerability itself is found within the Solaris Pluggable Authentication Module and allowed the threat actor to install a backdoor within the compromised network.
The backdoor, called Slapstick, was then used by the hacking group to gain access and then to move laterally through the network, according to the report. Also, the group used this malware, along with open source tools such as Mimikatz, to collect credentials and passwords.
Besides using the zero-day exploit and deploying the Slapstick backdoor, Mandiant researchers noted that UNC1945 utilized a custom QEMU virtual machine on multiple hosts throughout the compromised network. QEMU is an open source emulator that can perform hardware virtualization.
This virtual machine also ran its own version of the Tiny Core Linux operating system, according to the report. The combination of the virtual machine and Linux OS allowed the hacking group to remain undetected in the network and gave it the ability to deploy several tools, including Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa and the JBoss vulnerability scanner.
In addition to these tools, UNC1945 deploys malware such as Lemonstick, which also functions as a backdoor and can execute and transfer files as well as make tunnel connections to a command-and-control server. The group also uses PuppyRAT, a remote access Trojan, according to the report.
Another tool called Logbleach helps the hacking group avoid detection and can delete log entries from the network, according to the report.