Skip links

Chinese snoops use F5, ConnectWise bugs to sell access into top US, UK networks

Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised US defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, “with moderate confidence,” that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China’s Ministry of State Security (MSS) – boasts that may well be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets.

During the course of its investigation into the F5 and ConnectWise exploits, Mandiant found UNC5174 could indeed be working as a contractor for MSS as an initial access broker.

“The actor claimed MSS affiliation in dark web forums, claiming tacit backing of an unspecified MSS-related APT actor,” Mandiant’s Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, and Austin Larsen wrote in a Thursday threat-intel report. 

“Additionally, the impacted organizations targeted by UNC5174, including US defense and UK government entities, were targeted concurrently by distinct known MSS access brokers UNC302, which were previously indicted by the US Department of Justice in 2020,” the team added.

The Chinese crew uses custom software, as well as a remote command-and-control (C2) framework dubbed SUPERSHELL, to exploit F5’s BIG-IP bug in October and hijack devices from across the internet. After abusing this flaw to break into a host of networks, UNC5174 then tried to sell access to US defense contractor appliances, UK government entities, and institutions in Asia, it’s claimed.

Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise “hundreds” or entities, mostly in the US and Canada.

Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included “extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the US, Oceania, and Hong Kong regions,” the threat intel team noted. 

The Beijing-backed attacker also apparently targeted think tanks in the US and Taiwan, but Mandiant says it doesn’t have enough evidence to determine successful exploitation.

After gaining access to their victims, the espionage crew creates admin accounts to run malicious commands after elevating privileges. This includes running a 64-bit ELF downloader Mandiant named SNOWLIGHT.

SNOWLIGHT, which is written in C and runs on Linux systems, brings Golang-based backdoors GOHEAVY and GOREVERSE onto compromised appliances. This allows miscreants to get in via reverse SSH shells, connect with the C2 infrastructure hosting SUPERSHELL, and download and execute more malicious code.

“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale,” Mandiant warns.

UNC5174 in particular continues to pose a threat to “targets of strategic or political interest to the PRC,” the threat hunters said. Specifically, this includes academic, government, and NGO groups in the US, UK, Canada, Southeast Asia and Hong Kong.

See the Mandiant reports for indicators of compromise and other useful details for network defenders. ®