Sophisticated Threat Actor Exploited Oracle Solaris Zero-Day

A threat actor has been observed targeting Oracle Solaris operating systems for over two years, including with an exploit for a recently addressed zero-day vulnerability, FireEye reported on Monday.

Tracked as UNC1945 — UNC is assigned by FireEye to uncategorized groups — the threat actor was observed compromising telecommunications companies and leveraging third-party networks to target specific financial and professional consulting industries.

Throughout the observed activity, the group used various tools to compromise Windows, Linux, and Solaris operating systems and used custom virtual machines, all while focusing on evading detection.

“UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations,” FireEye’s Mandiant security researchers reveal.

In late 2018, the threat actor was observed compromising a Solaris server that had the SSH service exposed to the Internet, to install the SLAPSTICK backdoor on it, in order to steal credentials. The adversary employed SSH to connect to the server.

In mid-2020, after a 519-day dwell time, a different Solaris server was observed connecting to the attacker’s infrastructure. The threat actor deployed a remote exploitation tool called EVILSUN to exploit a zero-day impacting a Solaris 9 server.

Tracked as CVE-2020-14871, the vulnerability was reported to Oracle, which addressed it as part of the October 2020 Critical Patch Update. The bug affected the Solaris Pluggable Authentication Module (PAM) and allowed an attacker with network access to compromise the operating system without authentication.

Madiant also discovered that, in April 2020, an ‘Oracle Solaris SSHD Remote Root Exploit’ was being offered on an underground marketplace for roughly $3,000, noting that this exploit “may be identifiable with EVILSUN.”

“Additionally, we confirmed a Solaris server exposed to the internet had critical vulnerabilities, which included the possibility of remote exploitation without authentication,” the researchers say.

Using the SLAPSTICK Solaris PAM backdoor, the threat actor maintained a foothold on the compromised Solaris 9 server. After placing the malware onto the compromised system, the adversary dropped a custom Linux backdoor called LEMONSTICK on the workstation, to facilitate command execution, connection tunneling, and file transfer and execution.

UNC1945 maintained access using an SSH Port Forwarding mechanism and dropped a custom QEMU VM on multiple hosts, using a ‘start.sh’ script to have it executed inside of any Linux system. The script contained TCP forwarding settings while the VM had preloaded tools such as Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss Vulnerability Scanner and more.

The adversary leveraged volatile memory to decrease operational visibility, manipulated timestamps and log files using built-in utilities and public tools, and employed anti-forensics techniques. Furthermore, the hackers collected credentials, escalated privileges, and moved laterally through the compromised environment.

The open-source remote access tool PUPYRAT was also employed. At one target, following initial compromise, the adversary deployed three different backdoors: SLAPSTICK, TINYSHELL, and OKSOLO. On a Windows environment, IMPACKET with SMBEXEC was used for remote command execution. A BlueKeep scanning tool was also used.

According to Mandiant, no data exfiltration appears to have happened, despite the multi-staged operation. In one case, however, the ROLLCOAST ransomware was deployed as the final stage of activity, but it’s unclear whether UNC1945 was responsible for this deployment or not, as access to the compromised environment might have been sold to a different actor.

“The ease and breadth of exploitation in which UNC1945 conducted this campaign suggests a sophisticated, persistent actor comfortable exploiting various operating systems, and access to resources and numerous toolsets. Given the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple third-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key industries,” the researchers conclude.

Related: Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Related: Oracle’s October 2020 CPU Contains 402 New Security Patches

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Tags: