UNC1945 Hacker Group Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on UNC1945, hacker group that utilizes critical flaw CVE-2020-14871 to compromise corporate networks
Type
Advisory
Threat Actor
UNC1945
Vulnerability
CVE-2020-14871
  Hacker group tracked as UNC1945 reportedly utilizes critical zero-day vulnerability CVE-2020-14871 in Oracle Solaris operating systems to compromise corporate networks.

CVE-2020-14871

A severe flaw in the Solaris Pluggable Authentication Module of versions Solaris 10 and Solaris 11, that grants attackers unrestricted access to Solaris systems. This allows the actors to bypass authentication mechanisms resulting in the take over of Oracle Solaris. This flaw ranks as a critical vulnerability with a CVSS score of 10.[/vc_wp_text][vc_wp_text]

Tactics, Techniques, and Procedures of UNC1945

Initial Access
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application
Execution
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1064 Scripting
Persistence
  • T1133 External Remote Services
Lateral Movement
  • T1021.001 Remote Desktop Protocol
  • T1021.004 SSH
Defense Evasion
  • T1027 Obfuscated Files or Information
  • T1070.004 File Deletion
  • T1070.006 Timestamp
  • T1064 Scripting
  • T1553.002 Code Signing
Discovery
  • T1046 Network Service Scanning
  • T1082 System Information Discovery
  • T1518.001 Security Software Discovery
Command and Control
  • T1071 Application Layer Protocol
  • T1090 Proxy
  • T1105 Ingress Tool Transfer
  • T1132.001 Standard Encoding
[/vc_wp_text][vc_wp_text]

Indicators of Compromise

Detections
FE_APT_Trojan_Linux_STEELCORGI_1 FE_APT_Trojan_Linux_STEELCORGI_2 FE_HackTool_Linux64_EVILSUN_1 FE_HackTool_Linux_EVILSUN_1 HackTool.Linux.EVILSUN.MVX HXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec EVILSUN (FAMILY) 90005075FE_Trojan_Linux_LEMONSTICK_1 FE_APT_Tool_Win32_OPENSHACKLE_1 FE_APT_Tool_Win_OPENSHACKLE_1 HXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c OPENSHACKLE (UTILITY) 90005006 FE_APT_Backdoor_Linux64_SLAPSTICK_1 FE_APT_Backdoor_Linux_SLAPSTICK_1 FE_Backdoor_Win_PUPYRAT_1 FE_APT_Pupy_RAT FE_Ransomware_Win64_ROLLCOAST_1 FE_Ransomware_Win_ROLLCOAST_1 HXIOC, 45632ca0-a20b-487f-841c-c74ca042e75a; ROLLCOAST RANSOMWARE (FAMILY) Ransomware.Win.ROLLCOAST.MVX
Hashes
2eff2273d423a7ae6c68e3ddd96604bc 0845835e18a3ed4057498250d30a11b1 6983f7001de10f4d19fc2d794c3eb534 91baa34fc5e7e44b470cfd131c1f4503 d505533ae75f89f98554765aaf2a330a abaf1d04982449e0f7ee8a34577fe8af
IP Addresses
46.30.189.0/24 1.239.171.0/32 66.172.12.0/24[/vc_wp_text][vc_wp_text]

Impact of CVE-2020-14871

Technical Impact
  • CVE-2020-14871 lets attackers gain an initial foothold in the corporate network.
  • Attackers can further the attack deeper into the network using port forwarding and other pivoting techniques.
  • Compromise leads to the sensitive corporate data exfiltration.
  • Ransomware actors can target unpatched organisation’s networks to carry out their campaigns.  
Business Impact
  • Loss of branding and goodwill
  • Compliance penalty and client compensation
  • Lose trust of clients and eventually their business
[/vc_wp_text][vc_wp_text]

Mitigations

  • Employee training and awareness to maintain cyber hygiene
  • Proper patch management 
  • Backup systems regularly
  • Deploy IDPS on hosts and networks

Table of Contents

Request an easy and customized demo for free