In a new report published by Mandiant, the research wing of security firm FireEye, details of a hacking group utilizing a zero-day flaw found in Oracle’s Solaris operating system have been released to the public. The threat actor codenamed UNC1945, who made use of the flaw has been seen targeting telecommunications, financial, and consultancy companies. According to Mandiant, the group has been active since 2018, however, the use of the zero-day drew the attention of researchers.
The zero-day vulnerability has been tracked as CVE-2020-14871 and is described as a flaw affecting the pluggable authentication module and is seen as easily exploitable. The flaw allows an unauthenticated attacker with network access to compromise Oracle Solaris and successfully allow account takeover. Receiving a score of 10 from NVD, the flaw is deemed to be serious enough to receive a critical classification. Oracle has patched the flaw, and admins are advised to update the software so as to patch the flaw as a matter of urgency. The hacker group in this instance used the flaw to bypass authentication procedures and install a backdoor into the victim’s network. The backdoor was then used as a method to carry out reconnaissance on the targeted network as well as spread laterally to other vulnerable machines.
UNC1945 showed a high level of experience and patience regarding its operations. The first time the victim’s network was comprised occurred in 2018 but activity seemingly dropped off the map. The threat actor again emerged in the middle of 2020, meaning that the attackers effectively had a dwell time of over 500 days. The initial compromise appeared to be a result of an SSH service been directly exposed to the internet. Researchers discovered in mid-2020 that the threat actors had deployed a remote execution tool, called EVILSUN, that contained a module to exploit the above mentioned zero-day flaw. In an attempt to avoid detection the group downloaded and installed a QEMU virtual machine running a version of the Tiny Core Linux OS.
This custom-made Linux VM came pre-installed with several hacking tools like network scanners, password dumpers, exploits, and reconnaissance toolkits that allowed UNC1945 to scan a company's internal network for weaknesses then move laterally to multiple systems. The toolbox used by the threat actor allowed this to be done on either Windows or Unix-like systems. The group's experience and skill were on display through their use of their toolbox, which included several open-source tools as well as custom malware strains. The open-source tools included Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner. The last being a well-known tool used by many in the cybersecurity industry.
As mentioned above several custom malware strains were seen being used by researchers that link UNC1945 to both the old and new campaigns. These strains include:
- EVILSUN - a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. The remote exploitation tool makes SSH connections to hosts passed on the command line. The default port is the normal SSH port (22), but this may be overridden.
- LEMONSTICK - a Linux executable command-line utility with backdoor capabilities. The backdoor can execute files, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c` command line argument (with an optional file) and setting the 'OCB' environment variable. When started with the `-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode, LEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the blowfish algorithm. After decrypting, it dispatches commands based on specific names.
- LOGBLEACH - an ELF utility that has a primary functionality of deleting log entries from a specified log file(s) based on a filter provided via the command-line.
- OKSOLO - a publicly available backdoor that binds a shell to a specified port. It can be compiled to support password authentication or dropped into a root shell.
- OPENSHACKLE - a reconnaissance tool that collects information about logged-on users and saves it to a file. OPENSHACKLE registers Windows Event Manager callback to achieve persistence. ProxyChains - allows the use of SSH, TELNET, VNC, FTP, and any other internet application from behind HTTP (HTTPS) and SOCKS (4/5) proxy servers. This "proxifier" provides proxy server support to any application.
- PUPYRAT (aka Pupy) - an open-source, multi-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool), and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves a small footprint, making it harder to detect. It can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages, and Python C-extensions from memory.
- STEELCORGI - a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload. When first starting up, the malware expects to find up to four environment variables that contain numeric values. The malware uses the environment variable values as a key to decrypt additional data to be executed.
- SLAPSTICK - a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
- TINYSHELL - a lightweight client/server clone of the standard remote shell tools (rlogin, telnet, ssh, etc.), which can act as a backdoor and provide remote shell execution. Further, the clone also allows for file transfers.
Mandiant and the Zero-Day
After details of the threat actor emerged, Mandiant also published details regarding the zero-day itself that was exploited so that EVILSUN could be installed on a victims machine or network. To understand how UNC1945, researchers developed proof-of-concept code engineered to target the flaw. This allowed researchers to successfully compromise Solaris systems that were done by deliberately crashing the SSH server.
Further, this was done by sending a username longer than PAM_MAX_RESP_SIZE (which is 512 bytes) and passed into the function. The SSH server returns an “Authentication failed'' message as an error. On a patched system, the user would then be repeatedly prompted to enter the correct username of a correct length. However, in an unpatched system, this action would bypass the authentication steps granting an attacker access to the system.
Commenting on the Zero-day, Mandiant researchers noted,
“The vulnerability has likely existed for decades, and one possible reason is that it is only exploitable if an application does not already limit usernames to a smaller length before passing them to PAM. One situation where network-facing software does not always limit the username length arises in the SSH server, and this is the exploit vector used by the [EVILSUN] tool that we discovered. By manipulating SSH client settings to force Keyboard-Interactive authentication to prompt for the username rather than sending it through normal means, an attacker can also pass unlimited input to the PAM parse_user_name function,”
The patch released by Oracle in October is an effective remedy to the problem and should be installed if not done so already. As to whether UN1945 discovered the flaw, evidence suggests this is not the case. Mandiant researchers discovered an ad on an underground hacking forum selling an “Oracle Solaris SSHD Remote Root Exploit” for 3,000 USD. It is more likely that the threat actor bought information and proof-of-concept code from another hacker, rather than looking to discover the bug themselves. The selling of zero-days has been a popular method of making illicit money on hacker forums for years. The popularity of this sub-sector only seemed to boom with more and more individuals using smart mobile devices. The industry can be compared to the bug-bounty programs offered by many tech companies that payout for people who discover flaws within software and hardware.
These flaws are then disclosed to the manufacturer or software provider so that they may be patched before becoming public knowledge. For those selling zero-day flaws on hacker forums, the inverse is true. The flaws are often sold to the highest bidder, often well known advanced persistent threat groups, rather than disclosing the flaw to the affected party. Zero-days continue to be a major threat to the digital safety and security of individuals as remediation is not always immediately possible and, in many cases, preventative measures do not always work. This gives hackers an easier time compromising networks as they do not have to navigate as many security measures and access is granted without too much effort.