Zero-day attacks are popular among cybercriminals because a vulnerability with no patch yet available can be used to fully compromise exposed networks and systems. Recently, a threat actor exploited a zero-day vulnerability in the Oracle Solaris operating system.
What happened?
In a recent attack campaign, the threat actor tracked as UNC1945 bypassed authentication on internet-exposed Solaris servers and installed a backdoor on them.
- The group used EVILSUN, a tool that exploits the Solaris zero-day, to plant the SLAPSTICK backdoor. The exploit tool is believed to have been purchased on a public hacking forum.
- The exploited flaw, now tracked as CVE-2020-14871, is a stack-based buffer overflow in the Solaris Pluggable Authentication Module (PAM). Oracle fixed it in its October 2020 Critical Patch Update, so it counts as a zero-day only for intrusions that predate that update; servers still running an unpatched PAM remain exposed to a publicly known, actively exploited bug.
- The attackers also used several open-source tools, including Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner, covering credential theft, credential capture and brute forcing, lateral movement, vulnerability scanning, and command and control.
Recent incidents
Cybercriminals have been using zero-day vulnerabilities in a range of software to gain initial access to targeted networks.
- A recent Chrome update addressed ten security vulnerabilities, including a zero-day.
- Last month, a pool-based buffer overflow in the Windows Kernel Cryptography Driver was exploited in targeted attacks.
- In the same month, the threat actor Frankknox began advertising a zero-day for a well-known mail server, asking $250,000 for it.
- In early October, an attacker used Tenda router zero-day vulnerabilities to spread Ttint, a remote access trojan built on the Mirai code base.
Conclusion
Zero-day attacks are hard to detect right away, and a vulnerability can go unnoticed for months or years before it is discovered. Because no signature can exist for an exploit nobody has seen, experts recommend an anti-malware solution with behavioral detection, which flags what the payload does (for example, a newly installed authentication backdoor or a credential-dumping tool) rather than what it looks like. Applying OS and application security patches promptly remains essential: in the Solaris case above, the fix shipped in October 2020, so any server still unpatched is no longer facing a zero-day but a known vulnerability with a working exploit in circulation.