Chinese snoops use F5, ConnectWise bugs to sell access to top US, UK networks

March 22, 2024 at 06:07PM

Chinese spies exploited critical-severity bugs in F5 and ConnectWise equipment to gain access to US defense organizations, UK government agencies, and other entities, according to Mandiant. The exploits were attributed to a group known as UNC5174, which also targeted other vulnerabilities and used custom software and a remote command-and-control framework called SUPERSHELL for its activities.

Mandiant has identified a cyber espionage campaign carried out by a Chinese threat actor group designated as UNC5174. The group has been exploiting critical vulnerabilities in various software and hardware systems, including F5, ConnectWise, Atlassian Confluence, Linux kernels, and Zyxel Firewall OS.

UNC5174, believed to be linked to China’s Ministry of State Security (MSS), focuses on gaining initial access into victim organizations and then reselling access to valuable targets. The group employs custom software and a remote command-and-control framework called SUPERSHELL to exploit vulnerabilities and compromise numerous entities, with a specific focus on targets of strategic or political interest to the People’s Republic of China (PRC).

Mandiant’s threat intelligence report provides indicators of compromise and other useful details for network defenders. The espionage activities of UNC5174 pose a significant threat to academic, government, and NGO groups in the US, UK, Canada, Southeast Asia, and Hong Kong. Organizations are advised to review the Mandiant reports to strengthen their network security and defenses against these threat actors.
