Chinese government hacker exploiting ScreenConnect, F5 bugs to attack defense and government entities

A hacker allegedly connected to the People's Republic of China has been exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia. 

A new report from Google-owned security firm Mandiant spotlighted the work of a threat actor they call UNC5174. The researchers believe UNC5174 is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations.

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said. 

CVE-2024-1709 has caused alarm among cyber defenders since IT management software company ConnectWise warned its customers about the issue in February. The company confirmed that several customers had been compromised through the vulnerability and the top U.S. cybersecurity agency added it to a list of exploited bugs on February 22. 

ScreenConnect allows for secure remote desktop access and mobile device support, and researchers said it was being exploited by both cybercriminals and nation states. 

Mandiant said it also found UNC5174 exploiting CVE-2023-46747 — a vulnerability discovered in late October affecting F5 BIG-IP. These products — which include software and hardware — are used widely by companies to help keep their applications up and running. U.S. agencies confirmed last year that the bug was being exploited.

During the exploitation of both vulnerabilities, Mandiant says it saw a mix of custom tools and frameworks used to take advantage of the issues that were unique to UNC5174. 

According to Mandiant, the exploitation “demonstrates PRC-related threat actors' systematized approach to achieving access to targets of strategic or political interest to the PRC.” 

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” they said. 

“UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.”

UNC5174 has previously been linked to attacks on organizations across Southeast Asia, the U.S., Hong Kong and more. 

Mandiant gained access to the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.” 

While they were unable to confirm whether the hacker was successful, Mandiant also said they saw think tanks in the U.S. and Taiwan targeted. 

One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in.

Mandiant said it believes this was an “attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.”

Mandiant explained that it also found posts on a forum from a hacker they believe to be UNC5174 claiming to have exploited CVE-2024-1709 at hundreds of organizations in the U.S. and Canada. 

UNC5174 was previously tied to several China-based hacktivist collectives named "Dawn Calvary" and "Genesis Day” but allegedly left the groups at some point in 2023. The researchers said the hacker has also “claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for profit intrusions.”

In multiple dark web forums, the hacker explicitly claimed they were affiliated with MSS and had the backing of a Chinese government APT group. The organizations impacted by UNC5174’s campaign were “targeted concurrently by distinct known MSS access brokers UNC302” — another hacker that was indicted by the U.S. Justice Department in 2020. 

“While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape,” Mandiant said. 

“These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”