Mandiant, the investigations unit of security firm FireEye, has published details today about a new threat actor it calls UNC1945 that the security firm says it used a zero-day vulnerability in the Oracle Solaris operating system as part of its intrusions into corporate networks.
Regular targets of UNC1945 attacks included the likes of telecommunications, financial, and consulting companies, the Mandiant team said in a report published today.
Old group, new zero-day
While UNC1945 activity went as far back as 2018, Mandiant said the group caught their eye earlier this year after the threat actor utilized a never-before-seen vulnerability in the Oracle Solaris operating system.
Tracked as CVE-2020-14871, the zero-day was a vulnerability in the Solaris Pluggable Authentication Module (PAM) that allowed UNC1945 to bypass authentication procedures and install a backdoor named SLAPSTICK on internet-exposed Solaris servers.
Mandiant said the hackers then used this backdoor as an entry point to launch reconnaissance operations inside corporate networks and move laterally to other systems.
To avoid detection, Mandiant said the group downloaded and installed a QEMU virtual machine running a version of the Tiny Core Linux OS.
This custom-made Linux VM came pre-installed with several hacking tools like network scanners, password dumpers, exploits, and reconnaissance toolkits that allowed UNC1945 to scan a company’s internal network for weaknesses and move laterally to multiple systems, regardless if they ran Windows or *NIX-based systems.
Mandiant said it observed the group using an assortment of open-source penetration testing and security tools, but also custom malware strains.
The open-source toolkits included the likes of Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner, all well-known in the cyber-security industry.
But UNC1945 also showed the ability to create and operate custom malware, with Mandiant linking UNC1945 intrusions to (new and old) malware strains like:
- EVILSUN – a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. The remote exploitation tool makes SSH connections to hosts passed on the command line. The default port is the normal SSH port (22), but this may be overridden. EVILSUN passes the banner string SSH-2.0-Sun_SSH_1.1.3 over the connection in clear text as part of handshaking.
- LEMONSTICK – a Linux executable command line utility with backdoor capabilities. The backdoor can execute files, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c` command line argument (with an optional file) and setting the ‘OCB’ environment variable. When started with the `-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode, LEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the blowfish algorithm. After decrypting, it dispatches commands based on the name—for example: ‘executes terminal command’, ‘connect to remote system’, ‘send & retrieve file’, ‘create socket connection’.
- LOGBLEACH – an ELF utility that has a primary functionality of deleting log entries from a specified log file(s) based on a filter provided via command line.
- OKSOLO – a publicly available backdoor that binds a shell to a specified port. It can be compiled to support password authentication or dropped into a root shell.
- OPENSHACKLE – a reconnaissance tool that collects information about logged-on users and saves it to a file. OPENSHACKLE registers Windows Event Manager callback to achieve persistence.
- ProxyChains – allows the use of SSH, TELNET, VNC, FTP and any other internet application from behind HTTP (HTTPS) and SOCKS (4/5) proxy servers. This “proxifier” provides proxy server support to any application.
- PUPYRAT (aka Pupy) – an open source, multi-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves very low footprint. It can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages and Python C-extensions from memory.
- STEELCORGI – a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload. When first starting up, the malware expects to find up to four environment variables that contain numeric values. The malware uses the environment variable values as a key to decrypt additional data to be executed.
- SLAPSTICK – a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
- TINYSHELL – a lightweight client/server clone of the standard remote shell tools (rlogin, telnet, ssh, etc.), which can act as a backdoor and provide remote shell execution as well as file transfers.
Zero-day bought off the black market?
Mandiant said it believes that UNC1945 bought EVILSUN (the tool that allowed them to exploit the Solaris zero-day and plant the SLAPSTICK backdoor) from a public hacking forum.
The company said it identified an ad in April 2020 on a black-market website that promoted an “Oracle Solaris SSHD Remote Root Exploit” for $3,000.
Mandiant said it reported the Solaris zero-day to Oracle earlier this year, after discovering traces of exploitation during an investigation.
The zero-day (CVE-2020-14871) was patched last month in Oracle’s October 2020 security patches.
Mandiant said that while UNC1945 has been active for several years, it spotted the Solaris zero-day in one confirmed breach; however, this doesn’t mean the zero-day wasn’t exploited against other corporate networks.
The security firm said it “did not observe evidence of data exfiltration and was unable to determine UNC1945’s mission for most of the intrusions [they] investigated.”
In one UNC1945 intrusion, ransomware was deployed as a final payload, but Mandiant couldn’t link the ransomware attack to UNC1945 directly, and “is likely that access to the victim environment was sold to another group.”
Indicators of compromise and other technical details describing UNC1945 operations and intrusion patterns are available for defenders in the Mandiant report here.