Security Experts:

Connect with us

Hi, what are you looking for?



Sophisticated Threat Actor Exploited Oracle Solaris Zero-Day

A threat actor has been observed targeting Oracle Solaris operating systems for over two years, including with an exploit for a recently addressed zero-day vulnerability, FireEye reported on Monday.

A threat actor has been observed targeting Oracle Solaris operating systems for over two years, including with an exploit for a recently addressed zero-day vulnerability, FireEye reported on Monday.

Tracked as UNC1945 — UNC is assigned by FireEye to uncategorized groups — the threat actor was observed compromising telecommunications companies and leveraging third-party networks to target specific financial and professional consulting industries.

Throughout the observed activity, the group used various tools to compromise Windows, Linux, and Solaris operating systems and used custom virtual machines, all while focusing on evading detection.

“UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations,” FireEye’s Mandiant security researchers reveal.

In late 2018, the threat actor was observed compromising a Solaris server that had the SSH service exposed to the Internet, to install the SLAPSTICK backdoor on it, in order to steal credentials. The adversary employed SSH to connect to the server.

In mid-2020, after a 519-day dwell time, a different Solaris server was observed connecting to the attacker’s infrastructure. The threat actor deployed a remote exploitation tool called EVILSUN to exploit a zero-day impacting a Solaris 9 server.

Tracked as CVE-2020-14871, the vulnerability was reported to Oracle, which addressed it as part of the October 2020 Critical Patch Update. The bug affected the Solaris Pluggable Authentication Module (PAM) and allowed an attacker with network access to compromise the operating system without authentication.

Madiant also discovered that, in April 2020, an ‘Oracle Solaris SSHD Remote Root Exploit’ was being offered on an underground marketplace for roughly $3,000, noting that this exploit “may be identifiable with EVILSUN.”

“Additionally, we confirmed a Solaris server exposed to the internet had critical vulnerabilities, which included the possibility of remote exploitation without authentication,” the researchers say.

Using the SLAPSTICK Solaris PAM backdoor, the threat actor maintained a foothold on the compromised Solaris 9 server. After placing the malware onto the compromised system, the adversary dropped a custom Linux backdoor called LEMONSTICK on the workstation, to facilitate command execution, connection tunneling, and file transfer and execution.

UNC1945 maintained access using an SSH Port Forwarding mechanism and dropped a custom QEMU VM on multiple hosts, using a ‘’ script to have it executed inside of any Linux system. The script contained TCP forwarding settings while the VM had preloaded tools such as Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss Vulnerability Scanner and more.

The adversary leveraged volatile memory to decrease operational visibility, manipulated timestamps and log files using built-in utilities and public tools, and employed anti-forensics techniques. Furthermore, the hackers collected credentials, escalated privileges, and moved laterally through the compromised environment.

The open-source remote access tool PUPYRAT was also employed. At one target, following initial compromise, the adversary deployed three different backdoors: SLAPSTICK, TINYSHELL, and OKSOLO. On a Windows environment, IMPACKET with SMBEXEC was used for remote command execution. A BlueKeep scanning tool was also used.

According to Mandiant, no data exfiltration appears to have happened, despite the multi-staged operation. In one case, however, the ROLLCOAST ransomware was deployed as the final stage of activity, but it’s unclear whether UNC1945 was responsible for this deployment or not, as access to the compromised environment might have been sold to a different actor.

“The ease and breadth of exploitation in which UNC1945 conducted this campaign suggests a sophisticated, persistent actor comfortable exploiting various operating systems, and access to resources and numerous toolsets. Given the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple third-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key industries,” the researchers conclude.

Related: Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Related: Oracle’s October 2020 CPU Contains 402 New Security Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.