UNC1945 Hacker Group Threat Intel Advisory

Published on November 6th, 2020 | 18:30 IST


Type: Advisory
Threat Actor: UNC1945
Vulnerability: CVE-2020-14871

The hacker group tracked as UNC1945 reportedly exploits the critical zero-day vulnerability CVE-2020-14871 in the Oracle Solaris operating system to compromise corporate networks.

CVE-2020-14871

A severe flaw in the Pluggable Authentication Module (PAM) of Solaris 10 and Solaris 11 grants attackers unrestricted access to Solaris systems: it allows the actors to bypass authentication and take over the Oracle Solaris host. The flaw is rated critical, with a CVSS score of 10.

Tactics, Techniques, and Procedures of UNC1945

Initial Access
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application
Execution
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1064 Scripting
Persistence
  • T1133 External Remote Services
Lateral Movement
  • T1021.001 Remote Desktop Protocol
  • T1021.004 SSH
Defense Evasion
  • T1027 Obfuscated Files or Information
  • T1070.004 File Deletion
  • T1070.006 Timestomp
  • T1064 Scripting
  • T1553.002 Code Signing
Discovery
  • T1046 Network Service Scanning
  • T1082 System Information Discovery
  • T1518.001 Security Software Discovery
Command and Control
  • T1071 Application Layer Protocol
  • T1090 Proxy
  • T1105 Ingress Tool Transfer
  • T1132.001 Standard Encoding

Indicators of Compromise

Detections

  • FE_APT_Trojan_Linux_STEELCORGI_1
  • FE_APT_Trojan_Linux_STEELCORGI_2
  • FE_HackTool_Linux64_EVILSUN_1
  • FE_HackTool_Linux_EVILSUN_1
  • HackTool.Linux.EVILSUN.MVX
  • HXIOC UUID e489ce60-f315-4d1a-a888-77782f687eec: EVILSUN (FAMILY) 90005075
  • FE_Trojan_Linux_LEMONSTICK_1
  • FE_APT_Tool_Win32_OPENSHACKLE_1
  • FE_APT_Tool_Win_OPENSHACKLE_1
  • HXIOC UUID 4a56fb0c-6134-4450-ad91-0f622a92701c: OPENSHACKLE (UTILITY) 90005006
  • FE_APT_Backdoor_Linux64_SLAPSTICK_1
  • FE_APT_Backdoor_Linux_SLAPSTICK_1
  • FE_Backdoor_Win_PUPYRAT_1
  • FE_APT_Pupy_RAT
  • FE_Ransomware_Win64_ROLLCOAST_1
  • FE_Ransomware_Win_ROLLCOAST_1
  • HXIOC UUID 45632ca0-a20b-487f-841c-c74ca042e75a: ROLLCOAST RANSOMWARE (FAMILY)
  • Ransomware.Win.ROLLCOAST.MVX

Hashes

IP Addresses

  • 46.30.189.0/24
  • 1.239.171.0/32
  • 66.172.12.0/24

Impact of CVE-2020-14871

Technical Impact
  • CVE-2020-14871 lets attackers gain an initial foothold in the corporate network.
  • Attackers can push the attack deeper into the network using port forwarding and other pivoting techniques.
  • Compromise can lead to the exfiltration of sensitive corporate data.
  • Ransomware actors can target the networks of unpatched organisations to carry out their campaigns.
Business Impact
  • Loss of branding and goodwill
  • Compliance penalties and client compensation
  • Loss of client trust and, eventually, their business

Mitigations

  • Train employees and raise awareness to maintain cyber hygiene
  • Maintain proper patch management
  • Back up systems regularly
  • Deploy IDPS on hosts and networks
