The Oracle-owned operating system is predominantly used by big companies in complex enterprise setups. However, this zero-day bug has allowed the criminals to intrude into internal networks. All available information is tracked in the CVE-2020-14871 advisory and monitored by the security community.
UNC1945 Hacking Group Goes against Solaris Systems With Zero-Day Bug Tracked in CVE-2020-14871
The Solaris operating system is an enterprise service that is mostly deployed in complex business networks. It is based on a traditional UNIX-like structure and as such can be used for various purposes: performing complex calculations, managing network settings, or serving data.
The hacking group known as UNC1945 has been found to leverage different types of attacks against Solaris servers that are behind corporate networks. At this moment not much is known about the hackers, except for the fact that they have managed to utilize a previously-unknown vulnerability, referred to as a zero-day bug. The security report indicating this dangerous breach comes from the Mandiant research team. Attacks against similar environments are on the rise. Recently we reported that hacking groups have targeted Synology devices. Their operating system is a derivative of a Linux distribution.
The point of intrusion is a bypass of the authentication procedure used by the operating system. The criminals discovered this fault and used it to install a backdoor module called SLAPSTICK on the affected systems. It is activated automatically once the infection has started and executes actions of its own. The targeted computers were those exposed to the wider Internet.
However, instead of continuing the intrusion the way most other threats of this category do, the hackers have instructed the malware to proceed in a different and much more damaging way.
UNC1945 Hackers Use Complicated Infection Technique Against the Solaris Hosts
Instead of continuing the infection by using the SLAPSTICK backdoor to create a persistent connection to the hacker-controlled server, the hackers have chosen another route. The group appears to go after high-profile targets, as it has created a very complex security bypass procedure designed to overcome the protective measures taken by the system and by user-installed programs: anti-malware scans, firewalls, and intrusion detection systems. To avoid detection, the malicious sequence downloads and installs a QEMU virtual machine host. Inside it, a hacker-created image of a Linux distribution is run.
This virtual machine is accessible to the criminals and, since it is preconfigured by them, allows them to run all the utilities contained within it. The analysis found that it is full of network scanners, password cracking programs, and other exploits. The virtual machine is exposed to the host system and allows the hackers to execute commands against it, as well as against other computers available on the internal network. The dangerous factor is that the attacks can be launched against all kinds of operating systems, including Microsoft Windows and other UNIX-based systems.
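As an added detection-side illustration (not code from the article or from Mandiant's report), the script below parses a constructed Solaris `ps -eo pid,ppid,user,args` listing and flags an unexpected QEMU guest of the kind described above. The path heuristics, QEMU option checks and sample process lines are assumptions of this example, not indicators published for UNC1945.

```python
import re
from typing import List, Dict

# Constructed sample of `ps -eo pid,ppid,user,args` output from a Solaris host
# (not real telemetry). One line models an unexpected QEMU guest started from
# a scratch directory; the others are benign.
SAMPLE_PS = """\
  PID  PPID USER     ARGS
    1     0 root     /usr/sbin/init
  812     1 root     /usr/lib/ssh/sshd
 1203   812 oracle   /u01/app/oracle/bin/tnslsnr LISTENER
 2231  1203 nobody   /var/tmp/.x/qemu-system-x86_64 -m 512 -hda tc.img -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -nographic
 2240  2231 nobody   /usr/bin/bash
"""

# Heuristics (assumptions for this example, not indicators from the report).
QEMU_RE = re.compile(r"(^|/)qemu(-system-[\w-]+|-kvm)?(\s|$)")
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/opt/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_ps(output: str) -> List[Dict[str, str]]:
    """Turn ps text into dicts; ARGS may contain spaces, so split at most 3 times."""
    rows = []
    for line in output.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append(dict(zip(("pid", "ppid", "user", "args"), parts)))
    return rows

def hypervisor_findings(output: str) -> List[Dict[str, str]]:
    """Flag QEMU processes on a Solaris host and explain why each is suspicious."""
    findings = []
    for row in parse_ps(output):
        exe = row["args"].split()[0]
        if not QEMU_RE.search(exe):
            continue
        reasons = ["qemu process on a Solaris server"]
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("binary launched from a scratch directory")
        elif not exe.startswith(TRUSTED_DIRS):
            reasons.append("binary outside packaged paths")
        if "-netdev" in row["args"] or "-net " in row["args"]:
            reasons.append("guest has network access via the host")
        if "hostfwd=" in row["args"]:
            reasons.append("host port forwarded into the guest")
        findings.append({"pid": row["pid"], "user": row["user"], "exe": exe,
                         "reasons": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in hypervisor_findings(SAMPLE_PS):
        print(f"PID {f['pid']} ({f['user']}) {f['exe']}: {f['reasons']}")
```

On a real host the same function can be fed live output from `ps -eo pid,ppid,user,args`; a packaged QEMU installed by the administrator would still be flagged, so treat hits as leads for review rather than verdicts.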
Possible consequences of the intrusion include the following malicious actions:
- Log Deletion — A special malware program is used to delete the logs of the malware's actions.
- Lateral Brute Force — From the installed virtual machine the hackers can continue “cracking” other computers on the internal network using the deployed tools.
- File Access — All data accessible to the malware can be stolen by the hackers.
- Control — The hackers can take over control of the hosts and directly spy on the users.
At this moment it is believed that the UNC1945 hackers bought the exploit from a seller on an underground hacker marketplace. The tool the hackers used (EVILSUN) was probably acquired from the same place; it allowed the criminals to execute the exploit and plant the backdoor.
Of course, following news of this malware activity, Oracle patched the issue in the October 2020 security updates bulletin. At the moment there is no information about the number of infected hosts. All Solaris administrators are urged to apply the latest updates to block the hackers from attempting the exploit on their systems.