A report published this week by FireEye describes how a relatively new hacking group used an Oracle Solaris zero-day vulnerability to breach corporate networks around the world.
FireEye has named the group UNC1945. It has been operating since at least 2018 and has mainly targeted telecommunications, financial and consulting firms.
However, the group’s motivations are as yet unknown. As explained in the report published by FireEye earlier this week, the researchers “did not observe evidence of data exfiltration and was unable to determine UNC1945’s mission for most of the intrusions we investigated.” Consequently, the researchers suspect that the group breaches organizations’ networks in order to sell that access to other hacking groups. “At this time, it is likely that access to the victim environment was sold to another group,” state the researchers.
The report goes on to describe the UNC1945 group as an advanced hacking group with strong technical capabilities. It explains that the group is a “sophisticated, persistent actor comfortable exploiting various operating systems, and [has] access to resources and numerous toolsets.” Furthermore, the researchers expect UNC1945 “to continue targeted operations against key industries while taking advantage of operating systems that likely have inadequate security visibility.”
Solaris Zero-Day Vulnerability
Solaris is a proprietary Unix operating system originally developed by Sun Microsystems. When Sun Microsystems was bought by Oracle in 2010, Solaris was renamed Oracle Solaris.
UNC1945 used a previously unknown vulnerability in the Oracle Solaris operating system to breach corporate networks around the world. The flaw allowed the group to bypass authentication and install backdoors on internet-exposed Solaris servers.
The vulnerability is tracked as CVE-2020-14871 and lies in the Solaris Pluggable Authentication Module (PAM) library, where it takes the form of a buffer overflow reachable before a user has authenticated. According to the National Vulnerability Database (NVD), it is easily exploitable by an unauthenticated attacker with network access and affects Solaris 10 and 11.
The FireEye report states that the group used the backdoors “to capture connection details and credentials to facilitate further compromise.” The backdoors also served as footholds for reconnaissance inside the corporate networks and for lateral movement to other systems. To avoid detection, the group used various anti-detection tools as well as anti-forensic techniques such as cleaning logs, which impedes later forensic analysis by security researchers.
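Log cleaning of the kind described above often leaves a tell-tale silence in a file that is normally chatty. The following Python script is an added example of one way a responder can spot that; it is not code from FireEye’s report or from the group’s tooling. It measures the log’s usual cadence and flags any silence far longer than that. The log lines are constructed for illustration (hostname, PIDs and addresses are invented), and the year is passed as an argument because classic syslog timestamps carry none.

```python
"""Spot holes in a syslog-style file, one sign that an intruder has cleaned log entries.

Added example for illustration; not code from FireEye or from UNC1945's tooling.
"""
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample auth log (hostname, PIDs and addresses invented). The host
# normally logs every few minutes, but nothing at all between 02:10 and 11:25.
SAMPLE_LOG = """\
Nov  2 01:58:13 sol-web1 sshd[1401]: Accepted publickey for backup from 10.0.4.7 port 51402
Nov  2 02:05:44 sol-web1 cron[1420]: ( root ) CMD ( /usr/lib/fs/nfs/nfsfind )
Nov  2 02:10:02 sol-web1 sshd[1433]: Accepted publickey for backup from 10.0.4.7 port 51410
Nov  2 11:25:37 sol-web1 sshd[2077]: Accepted publickey for backup from 10.0.4.7 port 52011
Nov  2 11:30:01 sol-web1 cron[2080]: ( root ) CMD ( /usr/lib/fs/nfs/nfsfind )
"""

# Classic syslog prefix: "Mon DD HH:MM:SS" with no year and a space-padded day.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_timestamps(lines, year):
    """Return a datetime for every line with a syslog prefix, in file order.

    The caller supplies the year because the prefix carries none; a jump
    backwards in time is taken as a roll-over into the next year.
    """
    stamps = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        month, day, clock = m.groups()
        ts = datetime.strptime(f"{month} {int(day):02d} {clock} {year}", "%b %d %H:%M:%S %Y")
        if stamps and ts < stamps[-1]:
            year += 1
            ts = ts.replace(year=year)
        stamps.append(ts)
    return stamps


def find_gaps(lines, year=2020, factor=20, floor=timedelta(hours=1)):
    """Return (start, end, duration) for every silence much longer than the log's usual cadence.

    A gap is flagged only if it exceeds `factor` times the median interval
    between entries AND exceeds `floor`, so a log that is quiet by design
    (a few lines a day) does not drown the analyst in false positives.
    """
    stamps = parse_timestamps(lines, year)
    if len(stamps) < 3:
        return []
    intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    threshold = max(median(intervals) * factor, floor)
    return [(a, b, b - a) for a, b in zip(stamps, stamps[1:]) if b - a > threshold]


def describe(gaps):
    """Human-readable lines for a triage report."""
    return [
        f"no entries between {a:%b %d %H:%M:%S} and {b:%b %d %H:%M:%S} ({d}); "
        "check whether the file was truncated or entries were removed"
        for a, b, d in gaps
    ]


if __name__ == "__main__":
    for line in describe(find_gaps(SAMPLE_LOG.splitlines())):
        print(line)
```

On the constructed sample the script reports a single hole of just over nine hours. The check only catches wholesale removal or truncation: an intruder who deletes individual lines leaves no gap, so the more reliable control is to compare the host’s log against a copy forwarded to a remote syslog collector that the host cannot modify.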
FireEye researchers speculate in the report that UNC1945 bought the exploit code rather than developing it. They reached this conclusion after discovering an “Oracle Solaris SSHD Remote Root Exploit” offered on the dark web for approximately $3,000 in April 2020. The report notes that this exploit “may be identifiable with EvilSun,” FireEye’s name for the exploit tool the group used.
Oracle has since fixed the vulnerability in its October 2020 Critical Patch Update. Experts therefore recommend that organizations running affected versions of Solaris (which identify themselves as SunOS 5.10 and 5.11 in `uname -r`) apply that update, prioritising internet-exposed hosts, since that is where the group gained its initial access.
Furthermore, because zero-day exploits can go undetected for months or even years, experts recommend using an anti-malware solution that includes behavioral detection, which can catch the post-exploitation activity (backdoors, credential capture, lateral movement) even when the exploit itself is still unknown.