Skip to content Skip to footer

China-Linked Threat Cluster Exploiting Security Flaws in Connectwise ScreenConnect and F5 BIG-IP Software

A recent report by Mandiant, a subsidiary of Google, has uncovered a -linked threat cluster that has been carrying out an “aggressive” campaign against research and education institutions, businesses, charities, and NGOs in Southeast Asia, Hong Kong, the US, and the UK. The threat actors have been exploiting vulnerabilities in various software and systems to gain initial access to target environments, followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities. The group has been using various tools and techniques to execute malicious actions with elevated privileges, including dropping an ELF downloader named SNOWLIGHT, which downloads the next-stage payload, an obfuscated Golang named GOREVERSE. The group has also used a Golang-based tunneling tool known as GOHEAVY to facilitate lateral movement within compromised networks.

The threat actors leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom capable of providing additional backdoors on compromised Linux hosts. The group is believed to be a former member of Chinese hacktivist collectives. It has since shown indications of acting as a contractor for 's Ministry of State Security (MSS), which is focused on executing access operations.

Exploiting known security flaws in Atlassian Confluence, ConnectWise ScreenConnect, F5 BIG-IP, Linux Kernel, and Zyxel facilitates initial access to target environments. In one unusual instance spotted by the threat intelligence firm, the threat actors applied mitigations for -2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

Mandiant has assessed that “UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary' and has collaborated with ‘Genesis Day' / ‘Xiaoqiying' and ‘Teng Snake.' This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations to broker access to compromised environments.” Given their alleged claims in dark forums, the threat actor may be an initial access broker with the MSS's backing.

The findings highlight the continued efforts of Chinese nation-state groups to breach appliances by quickly co-opting recently disclosed vulnerabilities into their arsenal to conduct operations at scale. The threat actors have been observed attempting to sell access to US defense contractor appliances, UK government entities, and institutions in Asia following CVE-2023-46747 exploitation.

The report also mentions another access broker, UNC302, that simultaneously targeted some of the same US defense and UK government entities. This suggests that UNC5174 and UNC302 operate within an MSS initial access broker landscape and may have shared and operational priorities. However, further investigation is required for definitive attribution.

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by breaching networks using emails and known security bugs.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I know kung-fuNeo

Deitasoft © 2024. All Rights Reserved.