A China-linked threat cluster leveraged security flaws in ConnectWise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign.
Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a "former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations."
The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.
Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).
A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.
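The post-exploitation step described above, creating an administrative user account on a compromised Linux host, leaves a recognizable trail in the host's authentication log. The following is an added detection example written for this article; it is not code from Mandiant or from the report. It assumes the standard syslog-style lines that `useradd`, `usermod`, `passwd` and `sshd` write to `/var/log/auth.log` or `/var/log/secure`, and the sample log lines are constructed for illustration. It flags accounts that are created and then added to an admin group (`sudo`, `wheel`, and so on) in the same log slice, logins by such newly created accounts, and any non-root account created with UID 0.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of a Linux auth.log; not taken from the article.
SAMPLE_AUTH_LOG = """\
Mar 12 02:14:07 web01 useradd[4021]: new group: name=support, GID=1003
Mar 12 02:14:07 web01 useradd[4021]: new user: name=support, UID=1003, GID=1003, home=/home/support, shell=/bin/bash
Mar 12 02:14:09 web01 usermod[4030]: add 'support' to group 'sudo'
Mar 12 02:14:11 web01 passwd[4033]: pam_unix(passwd:chauthtok): password changed for support
Mar 12 02:16:40 web01 sshd[4101]: Accepted password for support from 203.0.113.77 port 51522 ssh2
Mar 12 09:30:00 web01 sshd[5210]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
"""

# Group names that confer administrative rights on common distributions (assumption;
# adjust to the groups your environment actually treats as privileged).
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class Finding:
    user: str
    event: str   # new_admin_account | login_new_account | uid0_account
    detail: str


def find_suspicious_admin_accounts(log_text: str) -> list[Finding]:
    """Scan auth-log text and return findings about newly created privileged accounts.

    The logic is stateful within one log slice: an account must first appear in a
    'new user' line before a later group grant or login is attributed to it.
    """
    created: dict[str, str] = {}   # user -> UID as logged
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if m:
            created[m["user"]] = m["uid"]
            # A freshly created account with UID 0 is a root-equivalent backdoor.
            if m["uid"] == "0" and m["user"] != "root":
                findings.append(Finding(m["user"], "uid0_account", "created with UID 0"))
            continue
        m = USERMOD_RE.search(line)
        if m and m["group"] in ADMIN_GROUPS and m["user"] in created:
            findings.append(Finding(
                m["user"], "new_admin_account",
                f"created (UID {created[m['user']]}) then added to '{m['group']}'"))
            continue
        m = LOGIN_RE.search(line)
        if m and m["user"] in created:
            findings.append(Finding(m["user"], "login_new_account", f"login from {m['ip']}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_accounts(SAMPLE_AUTH_LOG):
        print(f"{f.event:18} user={f.user} {f.detail}")
```

Run against the sample, the scan reports the `support` account being created and added to `sudo`, followed by its first SSH login from an external address, while the pre-existing `deploy` account's login is ignored. In practice the same logic is better fed from an audit pipeline (auditd `ADD_USER`/`USER_MGMT` records or a SIEM) than from a single host file, and the baseline of expected provisioning activity should be subtracted before alerting.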
SNOWLIGHT is designed to retrieve the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that is related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.
Also put to use by the threat actor is a Golang-based tunneling utility known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, alongside other programs such as afrog, DirBuster, Metasploit, Sliver, and sqlmap.
In one unusual instance observed by the threat intelligence firm, the threat actors were found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other, unrelated adversaries from weaponizing the same loophole to obtain access.
"UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives 'Dawn Calvary' and has collaborated with 'Genesis Day's' 'Xiaoqiying' and 'Teng Snake,'" Mandiant assessed. "This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments."
There is evidence to suggest that the threat actor may be an initial access broker and has the backing of the MSS, given their alleged claims on dark web forums. This is bolstered by the fact that some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.
The findings once again underscore Chinese nation-state groups' continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.
"UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation," Mandiant researchers said.
"There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution."
The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated "hundreds" of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor's name or origin.