UNC1945 Hacker Group Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on UNC1945, hacker group that utilizes critical flaw CVE-2020-14871 to compromise corporate networks

Updated on

February 27, 2023

Published on

November 6, 2020

Read time

Subscribe to the latest industry news, technologies and resources.

Type	Advisory
Threat Actor	UNC1945
Vulnerability	CVE-2020-14871

Hacker group tracked as UNC1945 reportedly utilizes critical zero-day vulnerability CVE-2020-14871 in Oracle Solaris operating systems to compromise corporate networks.

CVE-2020-14871

A severe flaw in the Solaris Pluggable Authentication Module [PAM] of versions Solaris 10 and Solaris 11, that grants attackers unrestricted access to Solaris systems. This allows the actors to bypass authentication mechanisms resulting in the take over of Oracle Solaris. This flaw ranks as a critical vulnerability with a CVSS score of 10.[/vc_wp_text][vc_wp_text]

Tactics, Techniques, and Procedures of UNC1945

Initial Access

T1133 External Remote Services
T1190 Exploit Public-Facing Application

Execution

T1059 Command and Scripting Interpreter
T1059.001 PowerShell
T1064 Scripting

Persistence

T1133 External Remote Services

Lateral Movement

T1021.001 Remote Desktop Protocol
T1021.004 SSH

Defense Evasion

T1027 Obfuscated Files or Information
T1070.004 File Deletion
T1070.006 Timestamp
T1064 Scripting
T1553.002 Code Signing

Discovery

T1046 Network Service Scanning
T1082 System Information Discovery
T1518.001 Security Software Discovery

Command and Control

T1071 Application Layer Protocol
T1090 Proxy
T1105 Ingress Tool Transfer
T1132.001 Standard Encoding

[/vc_wp_text][vc_wp_text]

Indicators of Compromise

Detections

FE_APT_Trojan_Linux_STEELCORGI_1 FE_APT_Trojan_Linux_STEELCORGI_2 FE_HackTool_Linux64_EVILSUN_1 FE_HackTool_Linux_EVILSUN_1 HackTool.Linux.EVILSUN.MVX HXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec EVILSUN (FAMILY) 90005075FE_Trojan_Linux_LEMONSTICK_1 FE_APT_Tool_Win32_OPENSHACKLE_1 FE_APT_Tool_Win_OPENSHACKLE_1 HXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c OPENSHACKLE (UTILITY) 90005006 FE_APT_Backdoor_Linux64_SLAPSTICK_1 FE_APT_Backdoor_Linux_SLAPSTICK_1 FE_Backdoor_Win_PUPYRAT_1 FE_APT_Pupy_RAT FE_Ransomware_Win64_ROLLCOAST_1 FE_Ransomware_Win_ROLLCOAST_1 HXIOC, 45632ca0-a20b-487f-841c-c74ca042e75a; ROLLCOAST RANSOMWARE (FAMILY) Ransomware.Win.ROLLCOAST.MVX

Hashes

2eff2273d423a7ae6c68e3ddd96604bc 0845835e18a3ed4057498250d30a11b1 6983f7001de10f4d19fc2d794c3eb534 91baa34fc5e7e44b470cfd131c1f4503 d505533ae75f89f98554765aaf2a330a abaf1d04982449e0f7ee8a34577fe8af

IP Addresses

46.30.189.0/24 1.239.171.0/32 66.172.12.0/24[/vc_wp_text][vc_wp_text]

Impact of CVE-2020-14871

Technical Impact

CVE-2020-14871 lets attackers gain an initial foothold in the corporate network.
Attackers can further the attack deeper into the network using port forwarding and other pivoting techniques.
Compromise leads to the sensitive corporate data exfiltration.
Ransomware actors can target unpatched organisation’s networks to carry out their campaigns.

Business Impact

Loss of branding and goodwill
Compliance penalty and client compensation
Lose trust of clients and eventually their business

[/vc_wp_text][vc_wp_text]

Mitigations

Employee training and awareness to maintain cyber hygiene
Proper patch management
Backup systems regularly
Deploy IDPS on hosts and networks

Table of Contents

This is also a heading
This is a heading

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Type

Threat Actor

Vulnerability