Wednesday , June 4 2025
hacker

Hacker exploiting ScreenConnect, F5 bugs : Mandiant

Hacker allegedly exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia, according to new report by Google owned security firm Mandiant.

The report focused on UNC5174, a threat actor. According to Mandiant, UNC5174 used to be a member of Chinese hacktivist groups. However, they now seem to be working as a contractor for China’s Ministry of State Security (MSS), specifically handling access operations.

CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed

IBM has issued a security advisory for vulnerabilities in its QRadar Suite Software and Cloud Pak for Security platforms. These...
Read More
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed

ALERT
Thousands of IP addresses compromised nationwide: CIRT warn

As Bangladesh prepares for the extended Eid-ul-Adha holidays, the BGD e-GOV Computer Incident Response Team (CIRT) has issued an urgent...
Read More
ALERT  Thousands of IP addresses compromised nationwide: CIRT warn

New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries

In March 2025, the Threatfabric mobile Threat Intelligence team identified Crocodilus, a new Android banking Trojan designed for device takeover....
Read More
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries

Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Qualcomm has issued security patches for three zero-day vulnerabilities in the Adreno GPU driver, affecting many chipsets that are being...
Read More
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Critical RCE Flaw Patched in Roundcube Webmail

Roundcube Webmail has fixed a critical security flaw that could enable remote code execution after authentication. Disclosed by security researcher...
Read More
Critical RCE Flaw Patched in Roundcube Webmail

Hacker claim Leak of Deloitte Source Code & GitHub Credentials

A hacker known as "303" claim to breach the company's systems and leaked sensitive internal data on a dark web...
Read More
Hacker claim Leak of Deloitte Source Code & GitHub Credentials

CISA Issued Guidance for SIEM and SOAR Implementation

CISA and ACSC issued new guidance this week on how to procure, implement, and maintain SIEM and SOAR platforms. SIEM...
Read More
CISA Issued Guidance for SIEM and SOAR Implementation

Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities....
Read More
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

Australia enacts mandatory ransomware payment reporting

New ransomware payment reporting rules take effect in Australia yesterday (May 30) for all organisations with an annual turnover of...
Read More
Australia enacts mandatory ransomware payment reporting

Why Govt Demands Foreign CCTV Firms to Submit Source Code?

Global makers of surveillance gear have clashed with Indian regulators in recent weeks over contentious new security rules that require...
Read More
Why Govt Demands Foreign CCTV Firms to Submit Source Code?

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said.

CVE-2024-1709 has alarmed cyber defenders after ConnectWise warned its customers in February. The company confirmed that some customers were compromised through the vulnerability, leading the top U.S. cybersecurity agency to add it to a list of exploited bugs on February 22.

ScreenConnect is a tool that allows secure remote desktop access and support for mobile devices. It has been targeted by cybercriminals and nation states for exploitation.

Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.

The vulnerability in F5 BIG-IP was added to the list of exploited bugs on February 22, which allowed cybercriminals and nation states to target the ScreenConnect tool for exploitation. These products, used widely by companies for maintaining the functionality of their applications, have been under threat of exploitation, as confirmed by U.S. agencies last year.

Mandiant observed a combination of custom tools and frameworks being used to exploit the vulnerabilities in UNC5174.

According to Mandiant, the exploitation “demonstrates PRC-related threat actors’ systematized approach to achieving access to targets of strategic or political interest to the PRC.”

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.

“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”

Mandiant couldn’t confirm if the hacker was successful, but they observed think tanks in the U.S. and Taiwan being targeted.

Researchers found that UNC5174 would create backdoors in compromised systems and then patch the vulnerability they used to break in. This behavior was one of the strangest things discovered.

Mandiant believes this was an attempt to prevent other hackers from accessing the system. They also found a hacker, UNC5174, claiming to have exploited CVE-2024-1709 at many organizations in the U.S. and Canada.

UNC5174 was previously tied to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for profit intrusions.”

In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020.

“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said.

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

Check Also

Evaly

Evaly E-commerce Platform Allegedly Hacked

Evaly, a Bangladeshi e-commerce platform, is reportedly facing a major data breach that may have …

Leave a Reply

Your email address will not be published. Required fields are marked *