Hackers with ties to the People's Republic of China exploited two common vulnerabilities to attack a U.S. defense contractor, a British government agency, and an Asian institution.
A new report from Mandiant, a security company owned by Google, focuses on the activity of a threat actor it calls UNC5174. Researchers believe that UNC5174 is a former member of a Chinese hacktivist group that has since shown signs of operating as a contractor for China's Ministry of State Security (MSS) focused on conducting access operations.
“In February 2024, UNC5174 was observed exploiting the ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions, primarily in the United States and Canada,” the researchers wrote.
CVE-2024-1709 has caused alarm among cyber defenders since IT management software company ConnectWise warned its customers about the issue in February. The company confirmed that multiple customers were compromised by the vulnerability, and the top U.S. cybersecurity agency added the vulnerability to its list of exploited bugs on February 22nd.
ScreenConnect enables secure remote desktop access and support for mobile devices, and researchers say it is being exploited by both cybercriminals and nation-states.
Mandiant said it also observed UNC5174 exploiting CVE-2023-46747, a vulnerability discovered in late October that affects F5 BIG-IP. These products (including software and hardware) are widely used by businesses to keep their applications running. U.S. authorities acknowledged last year that the bug was being exploited.
According to Mandiant, both vulnerabilities were exploited using a mix of custom tools and frameworks specific to UNC5174.
According to Mandiant, the exploit “demonstrates a systematic approach by China-linked threat actors to achieve access to targets of strategic or political interest to China.”
“China-aligned threat actors continue to explore vulnerabilities in widely deployed edge appliances such as F5 BIG-IP and ScreenConnect to enable large-scale espionage operations. This often involves rapid exploitation of recently revealed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.
“UNC5174 and UNC302 operate within this model, and their behavior provides insight into the early access broker ecosystem leveraged by MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to academic, NGO, and government sector organizations, particularly in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”
UNC5174 has previously been associated with attacks against organizations in Southeast Asia, the United States, Hong Kong, and elsewhere.
Mandiant gained access to the hacker's infrastructure and discovered that it was “thoroughly scanning for vulnerabilities in internet-connected systems belonging to prominent universities in the United States, Oceania, and the Hong Kong region.”
Although it could not confirm whether the hackers were successful, Mandiant also said it had witnessed think tanks in the United States and Taiwan being targeted.
One of the strangest things researchers discovered was that UNC5174 creates a backdoor into compromised systems and patches the vulnerabilities used to gain entry.
Mandiant said it believes this is “an attempt to limit subsequent exploitation of the system by unrelated attackers seeking to gain access to the appliance.”
Mandiant explained that it also found posts on the forum from a hacker believed to be UNC5174 who claims to have exploited CVE-2024-1709 at hundreds of organizations in the United States and Canada.
UNC5174 was previously associated with several China-based hacktivist groups, including Dawn Calvary and Genesis Day, but reportedly left the group sometime in 2023. The researchers also said the hacker “claims to belong to the Chinese MSS,” possibly as an access broker and commercial infiltration contractor.
In multiple dark web forums, the hackers clearly claimed that they were affiliated with MSS and were backed by the Chinese government's APT group. Organizations affected by UNC5174's campaign were “simultaneously targeted by the known MSS access broker UNC302.” UNC302 is another hacker indicted by the US Department of Justice in 2020.
“Although no definitive connection can be made at this time, Mandiant highlights similarities between UNC5174 and UNC302, which suggests they are operating within the MSS initial access broker environment,” Mandiant said.
“These similarities suggest possible shared exploits and operational priorities among these threat actors, but further investigation is required to determine the ultimate cause.”