China-linked group hacks networks via Connectwise, F5 software flaws

March 22, 2024 | Pressroom | Cyber defense / vulnerability

Connectwise, F5 software flaws

A China-linked threat cluster exploited security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of providing additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Mandiant, owned by Google, is tracking the activity under its uncategorized moniker UNC5174 (also known as Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives who has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations”.

The threat actor is believed to have orchestrated widespread attacks against research and education institutions in Southeast Asia and the United States, businesses in Hong Kong, charities and non-governmental organizations (NGOs), and government organizations in the United States and the UK between October and November 2023, and again in February 2024 using the ScreenConnect bug.


Initial access to target environments is facilitated by exploiting known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185) and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of Internet-connected systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to perform malicious actions with elevated privileges, including dropping a C-based ELF downloader named SNOWLIGHT.
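The creation of new administrative accounts on compromised Linux hosts, described above, leaves traces in the host's authentication log that a defender can correlate. The following detector is an added example written for this page; it is not code from the article or from Mandiant. It parses constructed `auth.log`-style lines (the hostname `web01`, the user names and the IP address are made up) and flags newly created accounts that are immediately granted privileged group membership or created with UID 0.

```python
import re
from collections import defaultdict

# Groups that confer administrative rights on typical Linux distributions.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Formats written by shadow-utils' useradd and usermod to the auth log.
NEW_USER_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
GROUP_ADD_RE = re.compile(
    r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'"
)

# Constructed sample lines in the style of a Debian-family /var/log/auth.log.
# Hostname, user names and the address are placeholders made up for this example.
SAMPLE_AUTH_LOG = """\
Mar 21 02:14:07 web01 useradd[4412]: new user: name=svcbackup, UID=1007, GID=1007, home=/home/svcbackup, shell=/bin/bash, from=/dev/pts/2
Mar 21 02:14:09 web01 usermod[4420]: add 'svcbackup' to group 'sudo'
Mar 21 02:14:09 web01 usermod[4420]: add 'svcbackup' to shadow group 'sudo'
Mar 21 02:15:30 web01 sshd[4501]: Accepted password for svcbackup from 203.0.113.45 port 51822 ssh2
Mar 21 02:16:00 web01 useradd[4433]: new user: name=sysadm, UID=0, GID=0, home=/home/sysadm, shell=/bin/bash, from=/dev/pts/2
Mar 21 09:00:01 web01 CRON[5120]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 10:22:14 web01 useradd[6001]: new user: name=deploy, UID=1008, GID=1008, home=/home/deploy, shell=/bin/bash, from=/dev/pts/0
"""


def parse_account_events(log_text):
    """Extract account creations and group additions from auth-log text.

    Returns (created, group_adds): created maps user name -> numeric UID in
    order of creation; group_adds maps user name -> set of groups the user was
    added to. The 'to shadow group' lines are intentionally not matched so a
    single usermod call is counted once.
    """
    created = {}
    group_adds = defaultdict(set)
    for line in log_text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            created[m.group("name")] = int(m.group("uid"))
            continue
        m = GROUP_ADD_RE.search(line)
        if m:
            group_adds[m.group("name")].add(m.group("group"))
    return created, group_adds


def find_suspicious_admin_accounts(log_text, privileged_groups=PRIVILEGED_GROUPS):
    """Return (user, reason) findings for newly created accounts that gained
    administrative rights in the same log window."""
    findings = []
    created, group_adds = parse_account_events(log_text)
    for user, uid in created.items():
        if uid == 0:
            findings.append((user, "created with UID 0"))
        privileged = sorted(group_adds[user] & privileged_groups)
        if privileged:
            findings.append(
                (user, "new account added to privileged group(s): " + ", ".join(privileged))
            )
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_admin_accounts(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user}: {reason}")
```

Pre-existing accounts that are later added to `sudo` are deliberately not reported here; an alert on every such change is noisier, so the example keys on the creation event, which is the pattern the article attributes to UNC5174. Run the same logic over rsyslog output on RPM-based hosts by adding `wheel` handling, which the default group set already includes.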

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor called GOREVERSE, from a remote URL related to SUPERSHELL, an open source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and initiate interactive shell sessions to execute arbitrary code.

The threat actor also uses a Golang-based tunneling tool known as GOHEAVY, which is likely used to facilitate lateral movement within compromised networks, as well as other programs such as afrog, DirBuster, Metasploit, Sliver, and sqlmap.


In an unusual case spotted by the threat intelligence firm, the threat actors were found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other, unrelated adversaries from weaponizing the same loophole to gain access.

“UNC5174 (aka Uteus) was previously a member of the Chinese hacktivist collective ‘Dawn Calvary’ and collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “It appears that this individual left these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker and have the backing of MSS, given their purported claims in dark web forums. This is reinforced by the fact that some US defense and UK government entities were simultaneously targeted by another access broker called UNC302.


The findings once again highlight Chinese state groups’ ongoing efforts to breach edge appliances by rapidly co-opting recently revealed vulnerabilities into their arsenal in order to conduct large-scale cyber espionage operations.

“UNC5174 was observed attempting to sell access to equipment of US defense contractors, UK government entities, and institutions in Asia in late 2023 following exploitation of CVE-2023-46747,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, suggesting that they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is needed for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese corporate and government organizations by exploiting phishing emails and known security bugs to breach networks. It did not reveal the name or origin of the threat actor.
