A hacker linked to China’s Ministry of State Security (MSS) exploited known bugs in popular edge appliances to compromise hundreds of organizations, including U.S. and UK government entities.
Researchers said the campaign demonstrated how threat actors tied to the People’s Republic of China (PRC) were taking a systematic approach to attacking targets of strategic or political interest to the PRC.
The hacker, tracked by Mandiant as UNC5174, has been particularly active exploiting a maximum severity ConnectWise ScreenConnect vulnerability, CVE-2024-1709, and a critical bug in F5 BIG-IP, CVE-2023-46747.
In a recent post, Mandiant researchers said UNC5174 — who has referred to themselves as “Uteus” — was a former member of Chinese hacktivist collectives. They now appeared to be working as a contractor for the MSS and their focus was gaining initial access to target organizations.
The hacker was linked to “widespread aggressive targeting and intrusions” over recent months. As well as attacking U.S. and UK government targets, UNC5174 went after Southeast Asian and U.S. research and education institutions, as well as Hong Kong businesses, charities, and non-governmental organizations.
“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale,” the researchers said.
“These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept (PoC) exploits.”
PoCs were available for both the ScreenConnect and BIG-IP bugs exploited by UNC5174.
Hacker closes the door behind them
Mandiant observed the threat actor compromising BIG-IP appliances within days of a PoC being released in late October last year.
After gaining access, the hacker was seen creating new backdoor accounts on the compromised appliances.
In what the researchers described as an unusual next step, UNC5174 then attempted to “self-patch” the vulnerability they had exploited to gain access. Patching was attempted using a mitigation script supplied by F5.
The researchers said they believed the hacker was trying “to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.”
Last month, as several threat groups, including the Play and LockBit ransomware gangs, took advantage of the ScreenConnect bug, “Uteus” claimed in dark web forum posts to have successfully exploited the vulnerability to compromise hundreds of organizations globally, primarily in the U.S. and Canada.
The Mandiant researchers said they saw evidence UNC5174/Uteus added a “cvetest” admin user to ScreenConnect instances belonging to “numerous” organizations.
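A practical takeaway from the backdoor accounts described above (new accounts on the BIG-IP appliances, the “cvetest” administrator on ScreenConnect) is that a local-account audit against an allowlist catches both. The script below is an added example written for this page, not code from Mandiant or from the article. It parses a constructed `tmsh list auth user` dump (the brace-block layout is assumed to match what the real BIG-IP command prints) and a constructed ScreenConnect user list (assumed to be simple name/role pairs; the page does not show the real store format), then flags any admin-role account that is not on the allowlist and any account whose name matches the reported indicator. The hostnames, account names and allowlist are made up.

```python
"""Audit edge-appliance admin accounts against an allowlist.

Added example, not from the article or Mandiant's report. Both inputs
below are constructed samples; the tmsh layout is assumed to follow the
real `tmsh list auth user` output, the ScreenConnect list is a stand-in.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    source: str  # which appliance the account was read from
    name: str
    role: str


# Constructed sample of `tmsh list auth user` output on BIG-IP.
# "svc_backup" is the planted account in this sample.
BIGIP_TMSH_DUMP = """\
auth user admin {
    description "Admin User"
    encrypted-password $6$abc
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user netops {
    partition Common
    partition-access {
        all-partitions {
            role operator
        }
    }
    shell tmsh
}
auth user svc_backup {
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
"""

# Constructed ScreenConnect user list as (name, role) pairs.
SCREENCONNECT_USERS = [
    ("helpdesk", "Administrator"),
    ("cvetest", "Administrator"),  # the account name the article reports
    ("viewer1", "Host"),
]

ALLOWLIST = {"admin", "netops", "helpdesk", "viewer1"}  # made up for the example
KNOWN_BAD_NAMES = {"cvetest"}
ADMIN_ROLES = {"admin", "administrator"}

# A top-level block starts with "auth user <name> {" and ends at a "}"
# in column 0; nested braces are indented, so they do not end the match.
USER_BLOCK = re.compile(r"^auth user (\S+) \{(.*?)^\}", re.S | re.M)
ROLE = re.compile(r"\brole (\S+)")


def parse_tmsh_users(dump: str, source: str = "bigip") -> list[Account]:
    """Extract (name, role) for every user block in a tmsh dump."""
    accounts = []
    for m in USER_BLOCK.finditer(dump):
        name, body = m.group(1), m.group(2)
        roles = ROLE.findall(body)
        accounts.append(Account(source, name, roles[0] if roles else "none"))
    return accounts


def screenconnect_accounts(users, source: str = "screenconnect") -> list[Account]:
    return [Account(source, name, role) for name, role in users]


def find_suspicious_admins(accounts, allowlist, known_bad=frozenset()):
    """Flag known indicator names (any role) and unlisted admin-role accounts."""
    flagged = []
    for acct in accounts:
        if acct.name.lower() in known_bad:
            flagged.append((acct, "known indicator name"))
        elif acct.role.lower() in ADMIN_ROLES and acct.name not in allowlist:
            flagged.append((acct, "admin not on allowlist"))
    return flagged


def audit():
    accounts = parse_tmsh_users(BIGIP_TMSH_DUMP) + screenconnect_accounts(SCREENCONNECT_USERS)
    return find_suspicious_admins(accounts, ALLOWLIST, KNOWN_BAD_NAMES)


if __name__ == "__main__":
    for acct, reason in audit():
        print(f"{acct.source}: {acct.name} ({acct.role}) - {reason}")
```

Run against real appliances, feed `parse_tmsh_users` the actual `tmsh list auth user` output and replace the ScreenConnect list with an export from the instance's user store; the allowlist should come from your own inventory, not from the appliance being checked, since an attacker who can add an account can also edit a list kept beside it.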
“Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom,” they said.