Saturday , September 7 2024
hacker

Hacker exploiting ScreenConnect, F5 bugs : Mandiant

Hacker allegedly exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia, according to new report by Google owned security firm Mandiant.

The report focused on UNC5174, a threat actor. According to Mandiant, UNC5174 used to be a member of Chinese hacktivist groups. However, they now seem to be working as a contractor for China’s Ministry of State Security (MSS), specifically handling access operations.

Cisco released security updates for two critical security flaws

CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
Read More
Cisco released security updates for two critical security flaws

OpenBAS: Cutting-edge breach and attack simulation platform

OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Read More
OpenBAS: Cutting-edge breach and attack simulation platform

Critical Security Flaws Patched in Zyxel Networking Devices

Zyxel has released software updates to fix a serious security issue in certain access point (AP) and security router versions....
Read More
Critical Security Flaws Patched in Zyxel Networking Devices

CVE-2024-38811: CEV In VMware Fusion Unveiled

VMware released a security advisory for a major vulnerability in the VMware Fusion product. This vulnerability could be exploited by...
Read More
CVE-2024-38811: CEV In VMware Fusion Unveiled

CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Read More
CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

How Malaysia’s Data Centre Industry Poised for Growth

Malaysia is quickly becoming a leading choice for investing in data centers. It aims to generate RM3.6 billion (US$781 million)...
Read More
How Malaysia’s Data Centre Industry Poised for Growth

RansomHub exfiltrated data over 210 victims: US alert

US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data...
Read More
RansomHub exfiltrated data over 210 victims: US alert

Godzilla Fileless Backdoor Exploits Atlassian Confluence flaw

There is a new way to attack Atlassian Confluence using the vulnerability CVE-2023-22527. The Confluence Data Center and Server products...
Read More
Godzilla Fileless Backdoor Exploits Atlassian Confluence flaw

New Cicada ransomware targets VMware ESXi servers

The Cicada3301 ransomware is made in Rust and attacks Windows and Linux/ESXi hosts. Truesec researchers examined a version that targets...
Read More
New Cicada ransomware targets VMware ESXi servers

Monday hits two UK bank apps causes outages

Lloyds Bank and Virgin Money's internet banking services were down on Monday, causing trouble for users to access and view...
Read More
Monday hits two UK bank apps causes outages

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said.

CVE-2024-1709 has alarmed cyber defenders after ConnectWise warned its customers in February. The company confirmed that some customers were compromised through the vulnerability, leading the top U.S. cybersecurity agency to add it to a list of exploited bugs on February 22.

ScreenConnect is a tool that allows secure remote desktop access and support for mobile devices. It has been targeted by cybercriminals and nation states for exploitation.

Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.

The vulnerability in F5 BIG-IP was added to the list of exploited bugs on February 22, which allowed cybercriminals and nation states to target the ScreenConnect tool for exploitation. These products, used widely by companies for maintaining the functionality of their applications, have been under threat of exploitation, as confirmed by U.S. agencies last year.

Mandiant observed a combination of custom tools and frameworks being used to exploit the vulnerabilities in UNC5174.

According to Mandiant, the exploitation “demonstrates PRC-related threat actors’ systematized approach to achieving access to targets of strategic or political interest to the PRC.”

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.

“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”

Mandiant couldn’t confirm if the hacker was successful, but they observed think tanks in the U.S. and Taiwan being targeted.

Researchers found that UNC5174 would create backdoors in compromised systems and then patch the vulnerability they used to break in. This behavior was one of the strangest things discovered.

Mandiant believes this was an attempt to prevent other hackers from accessing the system. They also found a hacker, UNC5174, claiming to have exploited CVE-2024-1709 at many organizations in the U.S. and Canada.

UNC5174 was previously tied to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for profit intrusions.”

In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020.

“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said.

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

Check Also

Chart

Minecraft Server faced 3.15 Billion Packet Rate DDoS Attack

Global Secure Layer (GSL) recently mitigated a huge volume of DDoS attack ever recorded. The …

Leave a Reply

Your email address will not be published. Required fields are marked *