
Threat Actor Exploits F5, ConnectWise Flaws to Target U.S. Orgs


A threat actor has been “aggressively” exploiting a number of known vulnerabilities in order to target U.S. government organizations and research and education institutions.

The threat actor, tracked by researchers as UNC5174, was first observed exploiting a known flaw in the F5 BIG-IP traffic management user interface (CVE-2023-46747), and as recently as February it was seen exploiting the known ConnectWise ScreenConnect bug (CVE-2024-1709). The threat actor was seen targeting various other vulnerabilities between October and February, including ones in Atlassian Confluence (CVE-2023-22518), the Linux kernel (CVE-2022-0185) and Zyxel Firewall OS (CVE-2022-3052).

“Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers' bash command history,” said researchers with Mandiant in a Thursday analysis. “This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”

Post-exploitation, the attackers would create administrative user accounts before downloading and executing a series of first- and second-stage malware families (tracked as Snowlight and Goreverse by researchers), which eventually led to the download of a payload associated with the Supershell framework, a publicly available C2 framework that is published on GitHub. These malware families were used to perform internal reconnaissance of compromised environments, among other activities. The threat group also used an obfuscated Golang-based tool called GoHeavy in order to manage traffic routing functionality.

“Mandiant observed GOHEAVY engaging in simultaneous communication with an external C2 server operated by SUPERSHELL administrators while opening and listening on a vast number of local UDP ports,” said researchers. “Interestingly, GOHEAVY continuously broadcasts the string ‘SpotUdp’ to existing network interfaces. This behavior suggests the tool's purpose lies in establishing covert communication channels and potentially facilitating lateral movement within compromised networks. The continuous ‘SpotUdp’ broadcast might serve as a beacon for identifying other compromised machines running GOHEAVY within the same network.”
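The two behaviours described in the quote above, a host repeatedly broadcasting the string “SpotUdp” and the same host listening on an unusually large number of local UDP ports, are both observable from ordinary network and endpoint telemetry. The following is an added detection example, not code from the original article or from Mandiant; the subnet, the UDP capture records and the listening-socket inventory are all constructed sample data, and the thresholds (two broadcasts, 100 listening ports) are assumptions a defender would tune to their own environment.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical monitored subnet; adjust to the network being watched.
LOCAL_NET = ipaddress.ip_network("10.0.5.0/24")
# Marker string Mandiant reports GOHEAVY broadcasting to local interfaces.
BEACON_MARKER = b"SpotUdp"


@dataclass(frozen=True)
class UdpDatagram:
    """One captured UDP datagram (fields as a flow sensor would export them)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample capture (not real telemetry): one host spraying the
# beacon to broadcast addresses, two hosts doing ordinary DNS/mDNS traffic,
# and one host sending the marker unicast, which the broadcast rule ignores.
SAMPLE_DATAGRAMS = [
    UdpDatagram("10.0.5.23", 40001, "10.0.5.255", 40001, b"SpotUdp"),
    UdpDatagram("10.0.5.23", 40002, "255.255.255.255", 40002, b"SpotUdp"),
    UdpDatagram("10.0.5.23", 40003, "10.0.5.255", 40003, b"SpotUdp"),
    UdpDatagram("10.0.5.40", 53123, "10.0.0.2", 53, b"\x12\x34\x01\x00\x00\x01"),
    UdpDatagram("10.0.5.41", 5353, "224.0.0.251", 5353, b"\x00\x00\x00\x00\x00\x01"),
    UdpDatagram("10.0.5.42", 4100, "10.0.5.23", 4100, b"SpotUdp"),
]

# Constructed snapshot of listening UDP sockets per host (as an EDR agent or
# an `ss -lun` inventory would report): the beaconing host holds 300 ports open.
SAMPLE_UDP_LISTENERS = {
    "10.0.5.23": set(range(40000, 40300)),
    "10.0.5.40": {53, 5353},
    "10.0.5.41": {5353},
    "10.0.5.42": {4100},
}


def is_broadcast(addr: str) -> bool:
    """True for the limited broadcast or the monitored subnet's directed broadcast."""
    ip = ipaddress.ip_address(addr)
    return ip == LOCAL_NET.broadcast_address or str(ip) == "255.255.255.255"


def find_beacon_hosts(datagrams, min_broadcasts: int = 2) -> dict:
    """Map src host -> count of SpotUdp datagrams sent to a broadcast address,
    keeping only hosts at or above min_broadcasts (a single hit is too noisy)."""
    counts = defaultdict(int)
    for d in datagrams:
        if BEACON_MARKER in d.payload and is_broadcast(d.dst):
            counts[d.src] += 1
    return {h: c for h, c in counts.items() if c >= min_broadcasts}


def find_port_hogs(listeners: dict, threshold: int = 100) -> dict:
    """Map host -> number of listening UDP ports for hosts at or above threshold."""
    return {h: len(p) for h, p in listeners.items() if len(p) >= threshold}


def triage(datagrams, listeners) -> dict:
    """Combine both signals; a host that trips both is the strongest candidate."""
    findings = defaultdict(list)
    for host, n in find_beacon_hosts(datagrams).items():
        findings[host].append(f"{n} SpotUdp broadcasts")
    for host, n in find_port_hogs(listeners).items():
        findings[host].append(f"{n} listening UDP ports")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_DATAGRAMS, SAMPLE_UDP_LISTENERS).items():
        print(host, "->", "; ".join(reasons))
```

Either signal alone produces false positives (discovery protocols broadcast, media servers open many UDP ports), which is why `triage` reports the two together and a host matching both is the one to pull for forensic review.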


Researchers also observed the threat actors attempting to self-patch the F5 BIG-IP vulnerability they had exploited, using an F5-provided mitigation script, likely in an attempt to lock out other threat actors attempting to access the appliance.

Researchers assessed with “moderate confidence” that the custom tooling and Supershell framework used in the incidents are uniquely leveraged by PRC threat actor UNC5174, and that the group is targeting the flaws in order to establish access and then sell that access, with victims including defense contractor appliances, governments and more.

The group is a former member of a Chinese hacktivist collective and has since shown indications of being a contractor for China’s Ministry of State Security (MSS), said researchers. Overall, the campaign is indicative of how Chinese threat actors are getting better at rapidly exploiting recently disclosed flaws in widely deployed commercial products.

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale,” said researchers. “These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits.”

Researchers say organizations can best protect themselves from these types of attacks by taking remediation and hardening actions for impacted F5 appliances, as well as applying patches for the vulnerabilities across ConnectWise ScreenConnect instances and other targeted products.