A threat actor has been targeting Oracle Solaris operating systems for more than two years, including through the use of a recently patched zero-day vulnerability, FireEye reported on Monday.
The threat actor was observed compromising telecommunications companies and using third-party networks to target specific organizations in the financial and professional consulting sectors.
During the observed activity, the group used various tools to compromise Windows, Linux and Solaris operating systems, relied on custom virtual machines, and took steps to avoid detection.
According to security researchers at FireEye's Mandiant, the group, tracked as UNC1945, has demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in concealing or manipulating its activity, and advanced technical capabilities during interactive operations.
In late 2018, the threat actor was observed compromising a Solaris server whose SSH service was exposed to the internet, installing the SLAPSTICK backdoor and stealing credentials. The adversary used SSH to connect to the server.
In mid-2020, after a dwell time of 519 days, another Solaris server was seen connecting to attacker infrastructure. The threat actor used a remote exploitation tool called EVILSUN to exploit a zero-day vulnerability affecting the Solaris 9 server.
The vulnerability, tracked as CVE-2020-14871, was reported to Oracle, which addressed it as part of its October 2020 Critical Patch Update. The bug affects the Solaris Pluggable Authentication Module (PAM) and allows an attacker with network access to compromise the operating system without authentication.
The company also discovered that in April 2020 an "Oracle Solaris SSHD Remote Root Exploit" was offered for approximately $3,000 on an underground market, and noted that this exploit could potentially be identified as EVILSUN.
"Additionally, we confirmed that internet-facing Solaris servers were identified as having critical vulnerabilities, including the possibility of remote exploitation without authentication," the researchers said.
Using the SLAPSTICK Solaris PAM backdoor, the threat actor maintained a foothold on the compromised Solaris 9 server. After the malware was placed on the compromised system, the adversary installed a Linux backdoor called LEMONSTICK on a workstation to facilitate command execution, connection tunneling, and file transfer and execution.
UNC1945 maintained access via SSH port forwarding and deployed a custom QEMU virtual machine on multiple hosts, using a start.sh script to run it on any Linux system. The script contained TCP forwarding parameters, and the VM came with tools such as Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss Vulnerability Scanner and many others pre-installed.
The adversary relied on volatile memory to reduce operational visibility, manipulated timestamps and log files with built-in utilities and publicly available tools, and employed anti-forensic techniques. The hackers also harvested credentials, escalated privileges and moved laterally within the compromised environment.
The open source remote access tool PUPYRAT was also used. On one target, the adversary used three different backdoors after the initial compromise: SLAPSTICK, TINYSHELL and OKSOLO. In a Windows environment, IMPACKET was used together with SMBEXEC to execute commands remotely. A BlueKeep scanning tool was also used.
According to Mandiant, despite the multi-stage operation, no data exfiltration appears to have taken place. However, in one case the ROLLCOAST ransomware was deployed as the final stage of the operation, although it is unclear whether UNC1945 was responsible for that, as access to the compromised environment could have been sold to another group.
The ease and breadth with which UNC1945 carried out this campaign suggests a sophisticated and persistent actor that is comfortable operating across different operating systems and has access to resources and numerous tools. Given these factors, the use of zero-day exploits and virtual machines, and the ability to traverse multiple third-party networks, Mandiant expects this threat actor to continue targeting key industries, the researchers concluded.
Related: Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks
Related: Oracle's October 2020 Critical Patch Update Includes 402 New Security Patches
Ionut Arghire is an international correspondent for SecurityWeek.