All Threat Intelligence posts

UNC1945 Hacker Group Threat Intel Advisory

November 7, 2020
4
min read
Type
 Advisory
Threat Actor
 UNC1945
Vulnerability
 CVE-2020-14871

 

Hacker group tracked as UNC1945 reportedly utilizes critical zero-day vulnerability CVE-2020-14871 in Oracle Solaris operating systems to compromise corporate networks.

CVE-2020-14871

A severe flaw in the Solaris Pluggable Authentication Module of versions Solaris 10 and Solaris 11, that grants attackers unrestricted access to Solaris systems. This allows the actors to bypass authentication mechanisms resulting in the take over of Oracle Solaris. This flaw ranks as a critical vulnerability with a CVSS score of 10.[/vc_wp_text][vc_wp_text]

Tactics, Techniques, and Procedures of UNC1945

Initial Access
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application
Execution
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1064 Scripting
Persistence
  • T1133 External Remote Services
Lateral Movement
  • T1021.001 Remote Desktop Protocol
  • T1021.004 SSH
Defense Evasion
  • T1027 Obfuscated Files or Information
  • T1070.004 File Deletion
  • T1070.006 Timestamp
  • T1064 Scripting
  • T1553.002 Code Signing
Discovery
  • T1046 Network Service Scanning
  • T1082 System Information Discovery
  • T1518.001 Security Software Discovery
Command and Control
  • T1071 Application Layer Protocol
  • T1090 Proxy
  • T1105 Ingress Tool Transfer
  • T1132.001 Standard Encoding

[/vc_wp_text][vc_wp_text]

Indicators of Compromise

Detections

FE_APT_Trojan_Linux_STEELCORGI_1

FE_APT_Trojan_Linux_STEELCORGI_2

FE_HackTool_Linux64_EVILSUN_1

FE_HackTool_Linux_EVILSUN_1

HackTool.Linux.EVILSUN.MVX

HXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec

EVILSUN (FAMILY) 90005075FE_Trojan_Linux_LEMONSTICK_1

FE_APT_Tool_Win32_OPENSHACKLE_1

FE_APT_Tool_Win_OPENSHACKLE_1

HXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c

OPENSHACKLE (UTILITY) 90005006

FE_APT_Backdoor_Linux64_SLAPSTICK_1

FE_APT_Backdoor_Linux_SLAPSTICK_1

FE_Backdoor_Win_PUPYRAT_1

FE_APT_Pupy_RAT

FE_Ransomware_Win64_ROLLCOAST_1

FE_Ransomware_Win_ROLLCOAST_1

HXIOC, 45632ca0-a20b-487f-841c-c74ca042e75a; ROLLCOAST RANSOMWARE (FAMILY)

Ransomware.Win.ROLLCOAST.MVX

Hashes

2eff2273d423a7ae6c68e3ddd96604bc

0845835e18a3ed4057498250d30a11b1

6983f7001de10f4d19fc2d794c3eb534

91baa34fc5e7e44b470cfd131c1f4503

d505533ae75f89f98554765aaf2a330a

abaf1d04982449e0f7ee8a34577fe8af

IP Addresses

46.30.189.0/24

1.239.171.0/32

66.172.12.0/24[/vc_wp_text][vc_wp_text]

Impact of CVE-2020-14871

Technical Impact
  • CVE-2020-14871 lets attackers gain an initial foothold in the corporate network.
  • Attackers can further the attack deeper into the network using port forwarding and other pivoting techniques.
  • Compromise leads to the sensitive corporate data exfiltration.
  • Ransomware actors can target unpatched organisation’s networks to carry out their campaigns.  
Business Impact
  • Loss of branding and goodwill
  • Compliance penalty and client compensation
  • Lose trust of clients and eventually their business

[/vc_wp_text][vc_wp_text]

Mitigations

  • Employee training and awareness to maintain cyber hygiene
  • Proper patch management 
  • Backup systems regularly
  • Deploy IDPS on hosts and networks
Tags:
No items found.