Type: Advisory
Threat Actor: UNC1945
Vulnerability: CVE-2020-14871
The hacker group tracked as UNC1945 reportedly exploits the critical zero-day vulnerability CVE-2020-14871 in the Oracle Solaris operating system to compromise corporate networks.
CVE-2020-14871
A severe flaw in the Solaris Pluggable Authentication Module (PAM) of Solaris 10 and Solaris 11 that grants attackers unrestricted access to Solaris systems. It allows the actors to bypass authentication mechanisms, resulting in the takeover of Oracle Solaris hosts. The flaw is rated critical, with a CVSS score of 10.
Tactics, Techniques, and Procedures of UNC1945
Initial Access
- T1133 External Remote Services
- T1190 Exploit Public-Facing Application
Execution
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1064 Scripting
Persistence
- T1133 External Remote Services
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.004 SSH
Defense Evasion
- T1027 Obfuscated Files or Information
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1064 Scripting
- T1553.002 Code Signing
Discovery
- T1046 Network Service Scanning
- T1082 System Information Discovery
- T1518.001 Security Software Discovery
Command and Control
- T1071 Application Layer Protocol
- T1090 Proxy
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
Indicators of Compromise
Detections
FE_APT_Trojan_Linux_STEELCORGI_1
FE_APT_Trojan_Linux_STEELCORGI_2
FE_HackTool_Linux64_EVILSUN_1
FE_HackTool_Linux_EVILSUN_1
HackTool.Linux.EVILSUN.MVX
HXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec
EVILSUN (FAMILY) 90005075
FE_Trojan_Linux_LEMONSTICK_1
FE_APT_Tool_Win32_OPENSHACKLE_1
FE_APT_Tool_Win_OPENSHACKLE_1
HXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c
OPENSHACKLE (UTILITY) 90005006
FE_APT_Backdoor_Linux64_SLAPSTICK_1
FE_APT_Backdoor_Linux_SLAPSTICK_1
FE_Backdoor_Win_PUPYRAT_1
FE_APT_Pupy_RAT
FE_Ransomware_Win64_ROLLCOAST_1
FE_Ransomware_Win_ROLLCOAST_1
HXIOC UUID: 45632ca0-a20b-487f-841c-c74ca042e75a
ROLLCOAST RANSOMWARE (FAMILY)
Ransomware.Win.ROLLCOAST.MVX
Hashes
IP Addresses
46.30.189.0/24
1.239.171.0/32
66.172.12.0/24
Impact of CVE-2020-14871
Technical Impact
- CVE-2020-14871 lets attackers gain an initial foothold in the corporate network.
- Attackers can push the attack deeper into the network using port forwarding and other pivoting techniques.
- Compromise leads to the exfiltration of sensitive corporate data.
- Ransomware actors can target unpatched organisations' networks to carry out their campaigns.
Business Impact
- Loss of branding and goodwill
- Compliance penalties and client compensation
- Loss of client trust and, eventually, their business
Mitigations
- Employee training and awareness to maintain cyber hygiene
- Proper patch management
- Backup systems regularly
- Deploy IDPS on hosts and networks