Chinese State-Linked Hackers Target Critical Systems; Exploit F5 and ScreenConnect Flaws

A newly uncovered threat actor designated UNC5174 is behind a series of targeted intrusions exploiting zero-day and recently patched vulnerabilities, according to a detailed report by Mandiant. The group’s activity indicates both technical prowess and a focus on high-value organizations, particularly in the government, defense, and academic sectors.

UNC5174: A Profile

Mandiant assesses with moderate confidence that UNC5174 operates as an initial access broker for China's Ministry of State Security (MSS). This means the group specializes in gaining unauthorized entry into networks and then selling that access to other parties, likely state-backed hacking groups with more specialized goals.

UNC5174 appears to have evolved from past affiliations with Chinese hacktivist collectives. The group displays a pattern of rapid vulnerability research and exploit development, targeting widely used network appliances like F5 BIG-IP and ConnectWise ScreenConnect.

Tactics and Techniques

  • Exploit Focus: The group demonstrates a clear intent to capitalize on both zero-day vulnerabilities (like CVE-2023-46747) and those with recently released patches (like CVE-2024-1709), underscoring the importance of immediate patching.
  • Custom and Open-Source Tools: UNC5174’s toolset is a mix of custom-developed malware (e.g., SNOWLIGHT, GOREVERSE, GOHEAVY) and publicly available penetration testing tools. This blend allows them to be both stealthy and adaptable.
  • Post-Exploitation Actions: Upon gaining access, they create new administrator accounts, download and execute malware designed to evade detection, and establish hidden communication channels for further network exploration.

Attack History and Targets

  • October 2023: UNC5174’s initial zero-day exploitation of the F5 BIG-IP vulnerability targeted government entities in the US and UK. Mandiant assesses they were specifically focused on the defense industry.
  • February 2024: The ConnectWise ScreenConnect vulnerability was exploited on a large scale, compromising hundreds of organizations with a concentration in North America. The broader targeting suggests access was potentially being brokered to multiple clients.
  • Other Targets: While the Mandiant report focuses on these major incidents, evidence suggests UNC5174 has also targeted Southeast Asian and Hong Kong institutions, as well as think tanks in the US and Taiwan.

Implications

The UNC5174 intrusions highlight the continued threat posed by Chinese state-sponsored hackers. Organizations need to prioritize:

  • Rapid Patching: Apply security patches for critical vulnerabilities as soon as they are released.
  • Network Monitoring: Implement robust network monitoring to detect signs of compromise.
  • Threat Intelligence: Stay informed about the latest tactics and techniques of threat actors like UNC5174.