A new zero-day vulnerability in Oracle Solaris has been brought to light by Mandiant, the FireEye security research team, and has been reported as being actively exploited. A sophisticated threat actor, tracked as UNC1945, has been using the zero-day bug to break into corporate networks.
The vulnerability, tracked as CVE-2020-14871, affects the Pluggable Authentication Module (PAM) component of the Solaris operating system. The hacker group leveraged this bug and installed a backdoor known as SLAPSTICK, which collects credentials as well as connection details that assist further compromise. Another key tool used by UNC1945 is an “Oracle Solaris SSHD Remote Root Exploit” that goes by the name EVILSUN. This tool contained the zero-day exploit and was purportedly available on a black-market website. The hacker group also used a backdoor called LEMONSTICK that facilitates command execution, the establishment of tunnel connections, and file operations.
The threat actor reportedly deployed SLAPSTICK and LEMONSTICK on a Solaris 9 server to gain elevated privileges and persistence. They then used SSH port forwarding to reach the internal networks from the internet.
UNC1945 set up custom QEMU virtual machines on several hosts that could be started with a ‘start.sh’ script. The script contained TCP forwarding settings that were used together with SSH tunnels to give UNC1945 direct access while hiding it from the target network. Each VM was observed to be running a ‘Tiny Core Linux OS’ that came pre-loaded with tools such as Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa and a JBoss vulnerability scanner.
UNC1945 used utilities like LOGBLEACH and STEELCORGI to clean the logs and hinder investigations.
Using tools like Mimikatz and the credentials captured through SLAPSTICK, the hacker group could traverse and gain access to various sections of the target network. HP-UX and Linux systems were compromised by brute-forcing SSH. After privilege escalation, backdoors such as TINYSHELL and OKSOLO were deployed on those systems. In Windows environments, UNC1945 used Impacket with SMBEXEC for remote command execution. In some breaches, UNC1945 used a SPARC executable described as a reconnaissance tool, referred to as Luckscan or BlueKeep. BlueKeep is a security bug in Microsoft’s RDP that could result in remote code execution.
The vulnerability can be exploited remotely without authentication and could result in the takeover of corporate networks.
Affected Solaris Versions
Oracle has issued a patch for CVE-2020-14871 in its latest advisory. Mandiant urges customers affected by this vulnerability to update their operating systems with the latest patch.