Zero-day Exposes New Threat Actor

Zero-day attacks are popular amongst cybercriminals because they can be used to compromise networks and systems for which no patch yet exists. Recently, a threat actor utilized a zero-day vulnerability in the Oracle Solaris operating system.

What happened?

In a recent attack campaign, the threat actor identified as UNC1945 bypassed authentication and installed a backdoor on internet-exposed Solaris servers.
  • The threat group used EVILSUN, a tool that exploited the Solaris zero-day vulnerability, and planted the SLAPSTICK backdoor. The tool is believed to have been purchased from a public hacking forum.
  • The zero-day vulnerability (tracked as CVE-2020-14871) was addressed last month in Oracle's October 2020 security patches. The vulnerability exists in the Solaris Pluggable Authentication Module (PAM).
  • Additionally, the group used several open-source tools, including Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner, at different stages of the intrusion.

Recent incidents

Cybercriminals have been using zero-day vulnerabilities in various software to gain access to targeted networks.
  • Recently, a newer version of Chrome addressed ten security vulnerabilities, including a zero-day.
  • Last month, a pool-based buffer overflow vulnerability in the Windows Kernel Cryptography Driver was exploited in targeted attacks.
  • In the same month, the Frankknox threat actor began advertising a zero-day targeting a well-known mail server for $250,000.
  • In early October, an attacker used Tenda router zero-day vulnerabilities to propagate the Ttint RAT, which is based on the Mirai code.

Conclusion

Zero-day attacks are hard to detect right away, and it can take months or years before the underlying vulnerability is spotted. Thus, experts recommend using an anti-malware solution that includes behavioral detection. Additionally, keeping the OS and applications updated with recent security patches is always recommended.