UNC1945 usually selected targets in the telecommunications, financial and consulting sectors, as Mandiant stated in a exhibition her.
While the UNC1945 team has been active since 2018, Mandiant says it caught the eye earlier this year when it launched a new zero day at Oracle Solaris.
Known as CVE-2020-14871, the zero-day was located at Solaris Pluggable Authentication Module (PAM) which allowed UNC1945 to bypass authentication procedures and install one backdoor with the name SLAPSTICK on Solaris servers exposed to Internet.
The Hacking group then used this backdoor as an entry point to start corporate reconnaissance operations and move sideways to other systems.
To avoid detection, the team downloaded and installed a virtual machine QEMU running a version of it Tiny Core Linux OS.
This custom Linux VM comes pre-installed with various tools hacking such as network scanners, password trackers, and authentication tools, which allowed UNC1945 to scan a company's internal network for vulnerabilities and move sideways across multiple systems, regardless of whether they were running Windows or Systems based on * NIX.
Mandiant said it reported zero day to Oracle earlier this year after discovering signs of exploitation during an investigation.
The bug was fixed last month with Oracle October 2020 security updates.
Mandiant said that while UNC1945 has been active for several years, it spotted Solaris zero day when a confirmed infringement. However, this does not mean that the zero day vulnerability was not exploited by other corporate networks.