According to experts, the group acquired an exploit for the CVE-2020-14871 vulnerability on the black market.
Specialists at Mandiant, the cybersecurity unit of FireEye, have published a report on the activities of the cybercriminal group UNC1945, which exploits a zero-day vulnerability in Oracle Solaris to gain access to corporate networks. The group typically attacks telecommunications, financial and consulting companies.
Although UNC1945 has been active since 2018, Mandiant specialists only noticed the group this year, when it began exploiting a previously unknown vulnerability in Oracle Solaris (CVE-2020-14871). The vulnerability resides in the Pluggable Authentication Module (PAM) and allows an attacker to bypass authentication. Using it, UNC1945 hackers installed the SLAPSTICK backdoor on vulnerable Internet-facing Solaris servers. The backdoor served as an entry point for reconnaissance inside corporate networks and for lateral movement to other systems.
To evade detection, the cybercriminals downloaded and installed a QEMU virtual machine running Tiny Core Linux. This customized Linux VM comes pre-loaded with a range of hacking tools, including network scanners, password collectors and exploits, which UNC1945 used to scan corporate networks for vulnerabilities and to move laterally to other computers, regardless of whether they run Windows or *NIX systems.
In its attacks, the group uses both legitimate security and open-source penetration-testing tools (Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and JBoss Vulnerability Scanner) as well as custom malware. Among the custom malware, the researchers list EVILSUN, LEMONSTICK, LOGBLEACH, OKSOLO, OPENSHACKLE, ProxyChains, PUPYRAT, STEELCORGI, SLAPSTICK and TINYSHELL.
According to the researchers, UNC1945 acquired the EVILSUN tool, which exploits the Oracle Solaris zero-day and then installs the SLAPSTICK backdoor, on a cybercrime forum. Back in April of this year, experts discovered a website advertising an "Oracle Solaris SSHD Remote Root Exploit" for $3,000.
Mandiant notified Oracle of the vulnerability earlier this year, and the company released a patch for it in October.