Chinese government hacker exploiting ScreenConnect, F5 bugs to attack defense and government entities


A hacker allegedly connected to the People’s Republic of China has been exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia. 

A new report from Google-owned security firm Mandiant spotlighted the work of a threat actor it calls UNC5174. The researchers believe UNC5174 is a former member of Chinese hacktivist collectives who has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS), focused on executing access operations.

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said. 

CVE-2024-1709 has caused alarm among cyber defenders since IT management software company ConnectWise warned its customers about the issue in February. The company confirmed that several customers had been compromised through the vulnerability and the top U.S. cybersecurity agency added it to a list of exploited bugs on February 22. 

ScreenConnect allows for secure remote desktop access and mobile device support, and researchers said it was being exploited by both cybercriminals and nation states. 

Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.

During the exploitation of both vulnerabilities, Mandiant says it saw a mix of custom tools and frameworks, unique to UNC5174, being used to take advantage of the issues.

According to Mandiant, the exploitation “demonstrates PRC-related threat actors’ systematized approach to achieving access to targets of strategic or political interest to the PRC.” 

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said. 

“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

UNC5174 has previously been linked to attacks on organizations across Southeast Asia, the U.S., Hong Kong and more. 

Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.” 

Mandiant also said it saw think tanks in the U.S. and Taiwan targeted, although it was unable to confirm whether the hacker was successful against them.

One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in.

Mandiant said it believes this was an “attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.”

Mandiant explained that it also found posts on a forum from a hacker they believe to be UNC5174 claiming to have exploited CVE-2024-1709 at hundreds of organizations in the U.S. and Canada. 

UNC5174 was previously tied to several China-based hacktivist collectives named “Dawn Calvary” and “Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for-profit intrusions.”

In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020. 

“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said. 

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
