Chinese Threat Actors Exploiting ConnectWise & F5 Vulnerabilities

Researchers at Mandiant have observed a threat actor linked to China's Ministry of State Security (MSS) exploiting known bugs in widely deployed edge appliances to compromise hundreds of organizations, including U.S. and UK government entities.

The group, tracked by Mandiant as UNC5174, has been particularly active in exploiting CVE-2024-1709, an authentication bypass in ConnectWise ScreenConnect, and CVE-2023-46747, a critical authentication bypass in the F5 BIG-IP Configuration utility that allows unauthenticated remote code execution.

UNC5174, which Mandiant says also uses the handle "Uteus", was formerly a member of Chinese hacktivist collectives. The actor now appears to work as a contractor for the MSS, with a focus on gaining initial access to target organizations.


China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept (PoC) exploits.

Mandiant observed the threat actor compromising BIG-IP appliances within days of a PoC for CVE-2023-46747 being released in late October 2023. After gaining access, the actor created new backdoor accounts on the compromised appliances.

UNC5174 then attempted to patch the vulnerability it had exploited, using the mitigation script F5 published for the bug. The researchers said they believed the actor was trying "to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance." A practical consequence for responders: finding the F5 mitigation already applied on an appliance is not evidence that it was never compromised, so the local account list still needs to be reviewed.
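The backdoor-account behaviour described above is something a defender can check for directly. The script below is an added example for this article, not code from Mandiant or F5: it parses saved output of `tmsh list auth user` (the block layout is assumed from that command's format and should be verified against your BIG-IP version) and reports accounts that are absent from an approved baseline, accounts whose role or shell has changed, and baseline accounts that have gone missing. The sample output, the baseline and the account names are constructed for the example.

```python
"""
Audit a BIG-IP local user list against an approved baseline.

Added example, not vendor or Mandiant code. Input is the text printed by
`tmsh list auth user`, captured over SSH or from a support bundle. The
block format (auth user <name> { ... }, partition-access/role, shell) is
assumed from that command and should be checked on your own appliance.
"""
import re
from dataclasses import dataclass

# Constructed sample output. The third account models an attacker-added
# persistence user with the admin role and a bash shell. Not real data.
SAMPLE_TMSH_OUTPUT = """\
auth user admin {
    description "Admin User"
    encrypted-password $6$REDACTED
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user netops {
    description "Network operations"
    encrypted-password $6$REDACTED
    partition-access {
        all-partitions {
            role operator
        }
    }
    shell none
}
auth user support_svc {
    description "support"
    encrypted-password $6$REDACTED
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
"""

# Assumed baseline: the accounts the owning team has documented as approved.
BASELINE = {
    "admin": {"role": "admin", "shell": "tmsh"},
    "netops": {"role": "operator", "shell": "none"},
}


@dataclass
class BigIpUser:
    name: str
    role: str
    shell: str


def parse_tmsh_users(text):
    """Return one BigIpUser per top-level 'auth user <name> { ... }' block."""
    users = []
    # The outer block closes with a brace in column 0; nested braces are
    # indented, so '^\}' only matches the end of the account block.
    for block in re.finditer(r"^auth user (\S+) \{\n(.*?)^\}", text, re.M | re.S):
        name, body = block.group(1), block.group(2)
        # First role found is used; multi-partition users are simplified here.
        role_m = re.search(r"^\s*role (\S+)", body, re.M)
        shell_m = re.search(r"^\s*shell (\S+)", body, re.M)
        users.append(BigIpUser(
            name,
            role_m.group(1) if role_m else "no-access",  # assumed default
            shell_m.group(1) if shell_m else "none",
        ))
    return users


def audit(users, baseline):
    """Return human-readable findings; an empty list means the list matches."""
    findings = []
    seen = set()
    for u in users:
        seen.add(u.name)
        expected = baseline.get(u.name)
        if expected is None:
            findings.append(f"UNKNOWN account {u.name} (role={u.role}, shell={u.shell})")
        elif (u.role, u.shell) != (expected["role"], expected["shell"]):
            findings.append(f"CHANGED account {u.name}: role={u.role}, shell={u.shell}")
    for name in baseline:
        if name not in seen:
            findings.append(f"MISSING baseline account {name}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_tmsh_users(SAMPLE_TMSH_OUTPUT), BASELINE):
        print(line)
```

Run it against output captured from each appliance rather than from a single "golden" device; an attacker who self-patches is aiming for the box to look healthy, so the account list and any advanced-shell grants are a better signal than the patch state.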


Last month, as several threat groups, including the Play and LockBit ransomware gangs, took advantage of the ScreenConnect bug, "Uteus" claimed in dark web forum posts to have exploited it to compromise hundreds of organizations globally, primarily in the U.S. and Canada.

Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.
