Sunday , December 22 2024
hacker

Hacker exploiting ScreenConnect, F5 bugs : Mandiant

Hacker allegedly exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia, according to new report by Google owned security firm Mandiant.

The report focused on UNC5174, a threat actor. According to Mandiant, UNC5174 used to be a member of Chinese hacktivist groups. However, they now seem to be working as a contractor for China’s Ministry of State Security (MSS), specifically handling access operations.

Eight New ICS Advisories released by CISA

CISA has released eight advisories on vulnerabilities in Industrial Control Systems (ICS). These vulnerabilities affect essential software and hardware in...
Read More
Eight New ICS Advisories released by CISA

Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI

Bank Rakyat Indonesia (BRI), the largest state bank by assets, has assured customers that their data and funds are secure...
Read More
Authority Denies  Hacker claim ransomware attack on Indonesia’s state bank BRI

London-based company “Builder.ai” reportedly exposed 1.2 TB data

Cybersecurity researcher Jeremiah Fowler reported to Website Planet that he found a non-password-protected 1.2 TB dataset containing over 3 million...
Read More
London-based company “Builder.ai” reportedly exposed 1.2 TB data

(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall

Sophos has fixed three separate security vulnerabilities in Sophos Firewall.  The vulnerabilities CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729 present major risks, such...
Read More
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)  Sophos resolved 3 critical vulnerabilities in Firewall

“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA

A time-demanding workshop on "Cybersecurity Awareness and Needs Analysis" was held on Thursday (December 19) at Bangladesh Bank Training Academy...
Read More
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA

CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability

Kaspersky's Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient...
Read More
CVE-2023-48788  Kaspersky reveals active exploitation of Fortinet Vulnerability

U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports

The US government is considering banning a well-known brand of Chinese-made home internet routers TP-Link due to concerns that they...
Read More
U.S. Weighs Ban on Chinese-Made Router TP-Link:  WSJ reports

Daily Security Update Dated: 18.12.2024

Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update Dated: 18.12.2024

CISA released best practices to secure Microsoft 365 Cloud environments

CISA has issued Binding Operational Directive (BOD) 25-01, requiring federal civilian agencies to improve the security of their Microsoft 365...
Read More
CISA released best practices to secure Microsoft 365 Cloud environments

Data breach! Ireland fines Meta $264 million, Australia $50m

The Irish Data Protection Commission fined Meta €251 million ($263.6 million) for GDPR violations related to a 2018 data breach...
Read More
Data breach! Ireland fines Meta $264 million, Australia $50m

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said.

CVE-2024-1709 has alarmed cyber defenders after ConnectWise warned its customers in February. The company confirmed that some customers were compromised through the vulnerability, leading the top U.S. cybersecurity agency to add it to a list of exploited bugs on February 22.

ScreenConnect is a tool that allows secure remote desktop access and support for mobile devices. It has been targeted by cybercriminals and nation states for exploitation.

Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.

The vulnerability in F5 BIG-IP was added to the list of exploited bugs on February 22, which allowed cybercriminals and nation states to target the ScreenConnect tool for exploitation. These products, used widely by companies for maintaining the functionality of their applications, have been under threat of exploitation, as confirmed by U.S. agencies last year.

Mandiant observed a combination of custom tools and frameworks being used to exploit the vulnerabilities in UNC5174.

According to Mandiant, the exploitation “demonstrates PRC-related threat actors’ systematized approach to achieving access to targets of strategic or political interest to the PRC.”

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.

“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”

Mandiant couldn’t confirm if the hacker was successful, but they observed think tanks in the U.S. and Taiwan being targeted.

Researchers found that UNC5174 would create backdoors in compromised systems and then patch the vulnerability they used to break in. This behavior was one of the strangest things discovered.

Mandiant believes this was an attempt to prevent other hackers from accessing the system. They also found a hacker, UNC5174, claiming to have exploited CVE-2024-1709 at many organizations in the U.S. and Canada.

UNC5174 was previously tied to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for profit intrusions.”

In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020.

“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said.

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

Check Also

Telecom Namibia

Over 4 lac files ‘leaked’: Telecom Namibia hit by major cyberattack

Telecom Namibia experienced a cyber incident that leaked customer data. The company is working with …

Leave a Reply

Your email address will not be published. Required fields are marked *