
China-Linked Group Breaches Networks via ConnectWise, F5 Software Flaws

A China-linked threat cluster has exploited security flaws in ConnectWise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of installing additional backdoors on compromised Linux hosts as part of an "aggressive" campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a "former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations."

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.


Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).


A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.
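As an added example that is not part of the Mandiant report or this article, the script below flags the administrative-account creation described above by scanning Linux auth.log entries for accounts created with UID 0 or added to an administrative group after creation; the log lines, host and user names are constructed, and the useradd/usermod message formats are assumed to match those logged by the shadow-utils tools.

```python
import re

# Constructed sample auth.log excerpt (not from the Mandiant report). It shows a
# post-exploitation pattern: a new account is created and granted sudo rights,
# then a second account is created directly with UID 0.
SAMPLE_AUTH_LOG = """\
Feb 21 03:14:07 web01 sshd[2201]: Accepted publickey for deploy from 203.0.113.5 port 51022 ssh2
Feb 21 03:14:19 web01 useradd[2240]: new user: name=sysmaint, UID=1002, GID=1002, home=/home/sysmaint, shell=/bin/bash
Feb 21 03:14:20 web01 usermod[2244]: add 'sysmaint' to group 'sudo'
Feb 21 03:14:25 web01 useradd[2250]: new user: name=backup0, UID=0, GID=0, home=/root, shell=/bin/bash
Feb 21 09:02:11 web01 useradd[3100]: new user: name=alice, UID=1003, GID=1003, home=/home/alice, shell=/bin/bash
"""

# Groups that confer administrative rights on common Linux distributions.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Assumed syslog formats emitted by shadow-utils useradd and usermod.
NEW_USER_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
GROUP_ADD_RE = re.compile(
    r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'"
)


def find_admin_account_creation(log_text):
    """Return (user, reason) tuples for accounts created with UID 0 or added
    to an administrative group; notes when the account was created in the
    same log window, which is the pattern worth triaging first."""
    created = set()
    findings = []
    for line in log_text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            created.add(m["name"])
            if m["uid"] == "0":
                findings.append((m["name"], "created with UID 0"))
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m["group"] in ADMIN_GROUPS:
            reason = f"added to group {m['group']}"
            if m["name"] in created:
                reason += " (account created earlier in this log)"
            findings.append((m["name"], reason))
    return findings


if __name__ == "__main__":
    for user, reason in find_admin_account_creation(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user}: {reason}")
```

On a real host, feed the function the contents of /var/log/auth.log (or the equivalent journald output) and correlate the hits with the exploitation window of the affected appliance.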

SNOWLIGHT is designed to fetch the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL associated with SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.


In one unusual instance observed by the threat intelligence firm, the threat actors were found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other, unrelated adversaries from weaponizing the same loophole to obtain access.


"UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives 'Dawn Calvary' and has collaborated with 'Genesis Day' / 'Xiaoqiying' and 'Teng Snake,'" Mandiant assessed. "This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments."

There is evidence to suggest that the threat actor may be an initial access broker and has the backing of the MSS, given their alleged claims in dark web forums. This is bolstered by the fact that some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.


The findings once again underscore Chinese nation-state groups' continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

"UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation," Mandiant researchers said.


"There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest potential shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution."

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated "hundreds" of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor's name or origin.
