Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Likely Chinese Hacking Contractor Is Quick to Exploit N-Days
UNC5174 Exploited F5 BIG-IP and ScreenConnect VulnerabilitiesA likely Chinese hacker-for-hire used high-profile vulnerabilities in a widespread and aggressive campaign targeting a slew of Southeast Asian and U.S. governmental and research organizations, said threat intelligence firm Mandiant.
See Also: 5 Ways Exabeam Helps Eliminate Compromised Credential Blindspots
The Google-owned firm said the hacker behind the campaign uses a mix of custom tooling and a publicly available command-and-control framework called Supershell, suggesting a unique threat actor. The company tracks the activity as UNC5174. The hacker appears to go by "Uteus" and "uteus" on underground forums. Mandiant assessed with moderate confidence that the hacker is operating in China.
Mandiant said the threat actor on a dark web forum discussed using a public proof of concept to exploit the configuration manager of application delivery and security appliance BIG-IP, manufactured by F5. The flaw, tracked as CVE-2023-46747, allows an unauthenticated attacker to execute arbitrary system commands. Mandiant said it found evidence the threat actor created administrative user accounts on an F5 device with an IP address belonging to several government entities.
UNC5174 also exploited an authentication bypass flaw tracked as CVE-2024-1709 in ConnectWise ScreenConnect remote connection software. "Uteus" claimed in forum postings to have hacked ScreenConnect instances "belonging to hundreds of organizations globally, primarily in the U.S. and Canada," Mandiant said (see: Attackers Rush to Exploit ScreenConnect Vulnerabilities).
The hacker is apparently behind "widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions," that occurred in October and November 2023, as well as in February. Other targets include Hong Kong organizations and the U.S. and U.K. governments.
Rapid exploitation of newly patched zero-day flaws, or N-day vulnerabilities, has become a hallmark of Chinese threat actors. Dutch intelligence in February warned that "they do so with a high operational tempo, sometimes abusing vulnerabilities on the day they are published" (see: Chinese Hackers Penetrated Unclassified Dutch Network).
Mandiant said the threat actor shows indications of acting as a contractor for the Chinese the Ministry of State Security, China's domestic intelligence agency, after serving stints in Dawn Calvary and collaboration with Genesis Day, which are both pro-Beijing hacking groups. Genesis Day is best known for website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late January 2023. UNC5174 appears focused on obtaining access for the ministry - and for financially motivated hacking - after branching out from hacktivist collectives in mid-2023, according to Mandiant.
A February leak of internal documents from a Ministry of State Security contractor brought international attention to Beijing's reliance on hackers for hire. Contractors often gain their skills in the "patriotic hacking" scene but make a move to corporate environments - a potentially unhappy shift, if leaked documents, including employee complaints about overwork and low pay, are to be believed (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).
UNC5174's post-exploit behavior shows some unique behaviors, Mandiant said, including downloading unidentified tools that may be part of a family of scanning and reconnaissance tools hosted on GitHub that contain Chinese-language instructions. The hacker also used GoReverse, a publicly available reverse shell backdoor that calls back to infrastructure Mandiant previously spotted hosting Supershell, a command-and-control framework published on GitHub.
Another unusual indicator: After compromising an F5 appliance and configuring a backdoor, the hacker attempted to patch the vulnerability by deploying a mitigation script provided by F5.
There's no reason to believe that UNC5174 will cease operations, Mandiant warned. The company "believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors" especially in the United States, Canada, the United Kingdom, Southeast Asia and Hong Kong.