China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws

March 22, 2024 at 08:33AM

A China-linked threat group exploited security flaws in ConnectWise ScreenConnect and F5 BIG-IP to deliver custom malware that plants backdoors on compromised Linux hosts. The group, tracked as UNC5174, has targeted a range of organizations, including research institutions and government entities in the U.S. and U.K., and has also been observed attempting to sell access to defense contractor appliances.

According to the report, a China-linked threat cluster has been actively exploiting security flaws in a range of software to run aggressive cyber campaigns. The threat actor, tracked as UNC5174 (aka Uteus or Uetus), has targeted organizations and government entities in Southeast Asia, the U.S., and the U.K.

The threat actor gains initial access through known security vulnerabilities in software such as Atlassian Confluence, ConnectWise ScreenConnect, F5 BIG-IP, the Linux kernel, and Zyxel devices. Once inside a compromised network, the group conducts extensive reconnaissance and scanning, which often leads to the creation of administrative user accounts and the deployment of malicious payloads such as the SNOWLIGHT downloader and the GOREVERSE backdoor.
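The post-access behaviour described above, in particular the creation of administrative user accounts on Linux hosts, is something a defender can look for directly in authentication logs. The script below is an added example written for this summary; it is not code from the article or from Mandiant. It scans constructed auth.log lines in the syslog format that the shadow-utils `useradd` and `usermod` tools emit (the exact field layout is an assumption based on common Debian/RHEL output) and flags two patterns: a new account created with UID 0, and an existing account added to a privileged group such as `sudo` or `wheel`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Groups whose membership grants administrative rights on most Linux distributions.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Syslog-style prefix followed by the shadow-utils program name and PID.
_PREFIX = (
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>useradd|usermod)\[\d+\]: "
)
# useradd: "new user: name=<user>, UID=<n>, GID=<n>, home=..., shell=..."
USERADD_RE = re.compile(
    _PREFIX + r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)"
)
# usermod: "add '<user>' to group '<group>'" (or "to shadow group '<group>'")
USERMOD_RE = re.compile(
    _PREFIX + r"add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"
)

# Constructed sample log lines (not from any real incident) covering a benign
# SSH login, a root-equivalent account creation, a normal account later added
# to sudo, a routine sudo invocation, and an ordinary account creation.
SAMPLE_AUTH_LOG = """\
Mar 22 08:31:02 web01 sshd[2140]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
Mar 22 08:31:45 web01 useradd[2201]: new user: name=svcupdate, UID=0, GID=0, home=/root, shell=/bin/bash
Mar 22 08:32:10 web01 useradd[2215]: new user: name=backup2, UID=1007, GID=1007, home=/home/backup2, shell=/bin/bash
Mar 22 08:32:11 web01 usermod[2220]: add 'backup2' to group 'sudo'
Mar 22 08:40:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
Mar 22 08:41:03 web01 useradd[2301]: new user: name=alice, UID=1008, GID=1008, home=/home/alice, shell=/bin/bash
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str


def scan_auth_log(text: str) -> list[Finding]:
    """Return one Finding per line that indicates administrative account creation."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            # Any second account with UID 0 is root-equivalent and almost never legitimate.
            if m["uid"] == "0":
                findings.append(
                    Finding(m["ts"], m["host"], m["user"],
                            "new account created with UID 0 (root-equivalent)")
                )
            continue
        m = USERMOD_RE.match(line)
        if m and m["group"] in ADMIN_GROUPS:
            findings.append(
                Finding(m["ts"], m["host"], m["user"],
                        f"account added to privileged group '{m['group']}'")
            )
    return findings


if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{f.timestamp} {f.host}: user={f.user}: {f.reason}")
```

Running the script against the constructed sample reports `svcupdate` (UID 0 creation) and `backup2` (added to `sudo`), while the ordinary `alice` account and the routine `sudo` invocation are not flagged. In production the same logic would be fed from journald or a log shipper and correlated with the preceding login so the creating session can be identified.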

The threat actor also makes use of various tools and frameworks, including SUPERSHELL and GOHEAVY, to move laterally and execute arbitrary code within compromised environments. Notably, the actor has been observed applying mitigations for a specific vulnerability, possibly to prevent other adversaries from exploiting the same flaw.

Mandiant's assessment suggests that UNC5174 may be acting as an initial access broker, with evidence of attempts to sell access to compromised environments belonging to U.S. defense contractors and U.K. government organizations. There are also indications of similarities, and possibly shared exploits, between UNC5174 and another threat actor referred to as UNC302, signaling a potential connection within the initial access broker landscape serving the MSS (China's Ministry of State Security).

Additionally, the report mentions that the MSS has warned of an unnamed foreign hacking group infiltrating Chinese organizations using phishing emails and known security vulnerabilities.

Overall, the report provides a comprehensive overview of the cyber threat landscape involving this China-linked threat cluster, highlighting its tactics, targets, and potential connections to state-sponsored activity.
