A zero-day vulnerability in Oracle Solaris, tracked as CVE-2020-14871, has been brought to light by Mandiant, the FireEye security research team, and is reported as being actively exploited. The threat actor using it, which Mandiant tracks as UNC1945, has been observed leveraging the bug to break into corporate networks. A vulnerability management process that tracks and applies Oracle's patches closes this initial entry point.
The vulnerability affects the Pluggable Authentication Module (PAM) component of the Solaris operating system, and is reachable through the SSH daemon, which authenticates users via PAM. UNC1945 exploited it with a tool called EVILSUN, described as an "Oracle Solaris SSHD Remote Root Exploit", which was a zero-day at the time and was reportedly offered for sale on an underground forum. Once on a host, the group installed SLAPSTICK, a PAM backdoor that records the credentials and connection details of users logging in, giving the attackers material for further compromise. A second backdoor, LEMONSTICK, provides command execution, tunnelled connections, and file operations. Patching Solaris promptly through a vulnerability management process removes the entry point, though it does not undo credential theft that has already happened.
Mandiant reports that the actor deployed SLAPSTICK and LEMONSTICK on a Solaris 9 server to gain elevated privileges and persistence, then used SSH port forwarding through that server to reach the internal network from the Internet.
UNC1945
UNC1945 set up custom QEMU virtual machines on several hosts, launched with a 'start.sh' script. The script configured TCP forwarding and SSH tunnels that gave UNC1945 direct access to the VMs while hiding that traffic from the target network. Each VM ran Tiny Core Linux with a pre-loaded toolset, including Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and a JBoss vulnerability scanner.
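The tradecraft described above and in the Solaris 9 pivot earlier on this page depends on a compromised host being allowed to forward TCP connections over SSH. The following is an added example (not code from the original article or from Mandiant's report) that audits an sshd_config for the forwarding-related directives an administrator would want locked down on a server that should never act as a pivot. It honours sshd's rule that the first value of a keyword in the global section wins, and it skips Match blocks, which would need separate review. The sample configuration is constructed for illustration.

```python
"""Audit sshd_config for settings that let a compromised host act as an
SSH pivot (TCP forwarding, gateway ports, tunnels, agent forwarding).

Added example; SAMPLE_CONFIG below is constructed, not taken from a real host.
"""
import re

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "allowagentforwarding": "yes",
}

# Values expected on a server whose users never need to pivot through it.
HARDENED = {
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "permittunnel": "no",
    "allowagentforwarding": "no",
}


def parse_global(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd(8) uses the FIRST value given for a keyword and ignores later
    duplicates, so setdefault() reproduces that. Everything after a Match
    line belongs to a conditional block and is not part of the global scope.
    Keywords are case-insensitive; whitespace or '=' may separate the value.
    """
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_forwarding(config_text):
    """Return [(keyword, effective_value, recommended_value)] for every
    forwarding directive whose effective value differs from HARDENED."""
    settings = parse_global(config_text)
    findings = []
    for key, want in HARDENED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != want:
            findings.append((key, effective, want))
    return findings


# Constructed sshd_config fragment for the example: the first
# AllowTcpForwarding line is the one sshd applies; the later "no" is ignored,
# and the Match block only covers the 'backup' user.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
# weak: lets the host be used as a pivot for anyone who can log in
AllowTcpForwarding yes
# ignored by sshd: the first value above wins
AllowTcpForwarding no
GatewayPorts clientspecified
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, effective, want in audit_forwarding(SAMPLE_CONFIG):
        print(f"{key}: effective={effective!r}, recommended={want!r}")
```

Run against the sample, the audit reports AllowTcpForwarding (first value "yes"), GatewayPorts ("clientspecified"), and AllowAgentForwarding (absent, so the default "yes" applies); PermitTunnel is absent but defaults to "no" and passes. On a host that genuinely needs forwarding, the same directives belong inside a Match block scoped to the specific users or source addresses, with the global values kept at "no".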
UNC1945 also used anti-forensic utilities: LOGBLEACH, which removes entries from system logs, and STEELCORGI, a packer that obfuscates the group's ELF binaries, both of which hinder investigation.
Using Mimikatz and the credentials captured by SLAPSTICK, the group moved laterally into other parts of the target network. HP-UX and Linux systems were compromised by brute-forcing SSH logins, and after escalating privileges the attackers installed backdoors named TINYSHELL and OKSOLO. In Windows environments, UNC1945 used IMPACKET's SMBEXEC for remote command execution. In some intrusions the group deployed a SPARC reconnaissance executable referred to as LUCKSCAN or BLUEKEEP. Despite the name, this tool is unrelated to BlueKeep, the remote code execution bug in Microsoft's RDP; the name collision is a quirk of the tool's naming, not an indication that the RDP vulnerability was used.
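The SSH brute-force activity against the HP-UX and Linux systems leaves a characteristic trace in sshd's syslog output: a burst of "Failed" authentications from one source address followed by an "Accepted" login from the same address. The example below is added here to show that detection logic; it is not code from the original article or from Mandiant. The log lines are constructed in OpenSSH's syslog format, the source addresses come from documentation ranges, and the failure threshold is an assumed tuning value.

```python
"""Flag SSH sources that cross a failure threshold and then log in
successfully: the brute-force-then-success pattern described above.

Added example; SAMPLE_LOG is constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# Matches OpenSSH's "Failed <method> for [invalid user ]<user> from <ip> port <n>"
# and the corresponding "Accepted <method> for <user> from <ip> port <n>" lines.
LOG_RE = re.compile(
    r"(?P<status>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_bruteforce_then_success(lines, threshold=5):
    """Return {ip: {"failures": n, "users": [...], "success_user": u}} for
    every source that accumulated at least `threshold` failed logins before
    an accepted one. Sources that only fail (no success) are not reported;
    they are noise for this particular pattern, not a compromise."""
    failures = defaultdict(list)  # ip -> usernames tried and rejected
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, user, status = m["ip"], m["user"], m["status"]
        if status == "Failed":
            failures[ip].append(user)
        elif len(failures[ip]) >= threshold and ip not in hits:
            hits[ip] = {
                "failures": len(failures[ip]),
                "users": sorted(set(failures[ip])),
                "success_user": user,
            }
    return hits


# Constructed sample: 203.0.113.45 sprays three usernames and finally gets in
# as 'oracle'; 198.51.100.7 is an admin with one typo; 192.0.2.9 uses a key.
SAMPLE_LOG = """\
Nov  3 02:14:01 hpux01 sshd[4122]: Failed password for root from 203.0.113.45 port 50112 ssh2
Nov  3 02:14:03 hpux01 sshd[4124]: Failed password for invalid user admin from 203.0.113.45 port 50114 ssh2
Nov  3 02:14:05 hpux01 sshd[4126]: Failed password for oracle from 203.0.113.45 port 50118 ssh2
Nov  3 02:14:07 hpux01 sshd[4128]: Failed password for root from 203.0.113.45 port 50120 ssh2
Nov  3 02:14:09 hpux01 sshd[4130]: Failed password for oracle from 203.0.113.45 port 50124 ssh2
Nov  3 02:14:11 hpux01 sshd[4132]: Failed password for invalid user admin from 203.0.113.45 port 50126 ssh2
Nov  3 02:14:20 hpux01 sshd[4140]: Accepted password for oracle from 203.0.113.45 port 51222 ssh2
Nov  3 02:30:44 hpux01 sshd[4301]: Failed password for jdoe from 198.51.100.7 port 40322 ssh2
Nov  3 02:30:50 hpux01 sshd[4303]: Accepted password for jdoe from 198.51.100.7 port 40322 ssh2
Nov  3 03:01:12 hpux01 sshd[4410]: Accepted publickey for svc_backup from 192.0.2.9 port 38870 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce_then_success(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures across {info['users']}, "
              f"then accepted as {info['success_user']}")
```

The detector deliberately ignores timestamps so that it runs over any ordered log extract; in production the failure count should be bounded to a time window so a long-running host does not accumulate stale failures, and the accepted login should be correlated with the password-spray usernames, since a success for an account that was never tried by brute force usually means a stolen credential (the SLAPSTICK case above) rather than a guessed one.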
Impact of CVE-2020-14871
The vulnerability can be exploited remotely without authentication to obtain root on an affected Solaris host. In the intrusions Mandiant describes, that foothold was then used to harvest credentials and pivot into the rest of the corporate network.
Affected Solaris Versions
Solaris 10
Solaris 11
Solution for CVE-2020-14871
Oracle has issued a patch for CVE-2020-14871 in its October 2020 Critical Patch Update. Mandiant urges affected customers to apply it to all Solaris 10 and 11 systems, and to review Solaris hosts for the backdoors and SSH tunnelling activity described above, since a host that was already compromised stays compromised after patching.