Chinese government hacker exploits ScreenConnect and F5 bugs to attack defense and government entities

esteria.white

A hacker allegedly linked to the People’s Republic of China exploited two widely exploited vulnerabilities to attack US defense contractors, UK government entities and institutions in Asia.

A new report from Google-owned security company Mandiant has shed light on the work of a threat actor they call UNC5174. Researchers believe UNC5174 is a former member of Chinese hacktivist collectives who has since shown signs of acting as a contractor for China’s Ministry of State Security (MSS), focused on carrying out access operations.

“In February 2024, UNC5174 was observed exploiting the ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions, primarily in the United States and Canada,” the researchers said.

CVE-2024-1709 has alarmed cyber defenders since IT management software company ConnectWise warned its customers of the problem in February. The company confirmed that several customers had been compromised by the vulnerability and the top US cybersecurity agency added it to a list of exploited bugs on February 22.

ScreenConnect allows secure remote desktop access and support for mobile devices, and researchers said it was exploited by both cybercriminals and nation states.

Mandiant said it also found UNC5174 exploiting CVE-2023-46747, a vulnerability disclosed in late October that affects F5 BIG-IP. These products, which include software and hardware, are widely used by businesses to help keep their applications up and running. American agencies confirmed last year that the bug was being exploited.

Mandiant says that in the exploitation of both vulnerabilities it observed a mix of custom tools and frameworks unique to UNC5174 being used to take advantage of the flaws.

According to Mandiant, this exploitation “demonstrates PRC threat actors’ systematic approach to gaining access to targets of strategic or political interest to the PRC.”

“Chinese actors continue to research vulnerabilities on widely deployed edge devices such as F5 BIG-IP and ScreenConnect to enable large-scale espionage operations. These operations often include the rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.

“UNC5174 and UNC302 operate under this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors, particularly in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

UNC5174 has previously been linked to attacks on organizations in Southeast Asia, the United States, Hong Kong and elsewhere.

Mandiant gained access to the hacker’s infrastructure and discovered “aggressive vulnerability scanning on internet-connected systems belonging to major universities in the United States, Oceania and Hong Kong.”

Although they were unable to confirm whether the hacker was successful, Mandiant also said they saw think tanks in the United States and Taiwan being targeted.

One of the strangest things researchers discovered was that UNC5174 created backdoors in compromised systems and then patched the vulnerability used to break in.

Mandiant said it believed this was an “attempt to limit further exploitation of the system by other independent malicious actors attempting to gain access to the appliance.”

Mandiant said it also found posts on a forum from a hacker they believe to be UNC5174, claiming to have exploited CVE-2024-1709 in hundreds of organizations in the United States and Canada.

UNC5174 was previously linked to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day,” but reportedly left the groups at some point in 2023. Researchers said the hacker also “claimed to be affiliated with the MSS of the PRC as an access broker and prospective contractor who conducts intrusions for profit.”

In several Dark Web forums, the hacker explicitly claimed that he was affiliated with MSS and had support from a Chinese government APT group. Organizations affected by the UNC5174 campaign were “targeted simultaneously by known and separate MSS access brokers, UNC302” — another hacker that was indicted by the US Department of Justice in 2020.

“While definitive connections cannot be made at this time, Mandiant points out that there are similarities between UNC5174 and UNC302, suggesting that they operate in an MSS initial access broker landscape,” Mandiant said.

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”
