InfoSecBulletin Cybersecurity for mankind
Hacker allegedly exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia, according to new report by Google owned security firm Mandiant.
The report focused on UNC5174, a threat actor. According to Mandiant, UNC5174 used to be a member of Chinese hacktivist groups. However, they now seem to be working as a contractor for China’s Ministry of State Security (MSS), specifically handling access operations.
Phoenix Summit 2024: Elevating Cyber security, Impact and Vision
ALERT: SEKOIA REPORT
PlugX Malware Plagues Over 90k IP Addresses over 170 countries
Palo Alto network shared latest remediation of CVE-2024-3400
CISA Launches Ransomware Vulnerability Warning Pilot for Critical Infrastructure
WhatsApp warns India to exit, If…
Fake e-mail of Rajshahi Univ VC’ name-picture, sending messages
Bad actor threat to expose BSNL 2.9 million data
India’s ICICI Bank exposed thousands of credit cards to ‘wrong’ users
CISA Releases Eight Industrial Control Systems Advisories
Google fixed critical Chrome vulnerability CVE-2024-4058
“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said.
CVE-2024-1709 has alarmed cyber defenders after ConnectWise warned its customers in February. The company confirmed that some customers were compromised through the vulnerability, leading the top U.S. cybersecurity agency to add it to a list of exploited bugs on February 22.
ScreenConnect is a tool that allows secure remote desktop access and support for mobile devices. It has been targeted by cybercriminals and nation states for exploitation.
Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.
The vulnerability in F5 BIG-IP was added to the list of exploited bugs on February 22, which allowed cybercriminals and nation states to target the ScreenConnect tool for exploitation. These products, used widely by companies for maintaining the functionality of their applications, have been under threat of exploitation, as confirmed by U.S. agencies last year.
Mandiant observed a combination of custom tools and frameworks being used to exploit the vulnerabilities in UNC5174.
According to Mandiant, the exploitation “demonstrates PRC-related threat actors’ systematized approach to achieving access to targets of strategic or political interest to the PRC.”
“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said.
“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”
Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”
Mandiant couldn’t confirm if the hacker was successful, but they observed think tanks in the U.S. and Taiwan being targeted.
Researchers found that UNC5174 would create backdoors in compromised systems and then patch the vulnerability they used to break in. This behavior was one of the strangest things discovered.
Mandiant believes this was an attempt to prevent other hackers from accessing the system. They also found a hacker, UNC5174, claiming to have exploited CVE-2024-1709 at many organizations in the U.S. and Canada.
UNC5174 was previously tied to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for profit intrusions.”
In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020.
“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said.
“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”
