Hackers fix BIG-IP vulnerability themselves: fight for exclusive access to infected systems

Teacher

High competition forces you to exploit 5 errors at once to gain access to corporate networks.

Mandiant reports that the Chinese threat actor UNC5174 is exploiting vulnerabilities in popular products to distribute malware that can install additional backdoors on compromised Linux hosts.

The UNC5174 attacks hit a wide range of targets, from research and educational institutions in Southeast Asia and the United States to businesses in Hong Kong, charities and non-governmental organizations, as well as government agencies in the United States and Great Britain, between October and November 2023 and in February 2024.

The main method of initial access was the use of known vulnerabilities in such systems as:
  • Atlassian Confluence (CVE-2023-22518, CVSS score: 9.8);
  • ConnectWise ScreenConnect (CVE-2024-1709, CVSS score: 10.0);
  • F5 BIG-IP (CVE-2023-46747, CVSS score: 9.8);
  • Linux Kernel (CVE-2022-0185, CVSS score: 8.4);
  • Zyxel (CVE-2022-3052, CVSS score: 5.4).

Successful penetration was followed by extensive reconnaissance and system scanning to identify further security weaknesses. UNC5174 also created administrator accounts to perform malicious actions with elevated privileges.
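The creation of new administrator accounts described above is one of the behaviours a defender can pick out of ordinary host logs. The following is an added example, not code from this post or from Mandiant: it parses a handful of constructed Linux auth.log lines (useradd, usermod and sshd messages in the Debian-style syslog layout, which is an assumption about the log format) and flags accounts that were added to a privileged group, noting whether the account was created moments earlier and where it first logged in from.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of a Debian/Ubuntu /var/log/auth.log.
# They are illustrative only and are not taken from the Mandiant report.
SAMPLE_AUTH_LOG = """\
Mar 21 02:14:07 web01 useradd[2311]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar 21 02:14:09 web01 usermod[2315]: add 'svc_backup' to group 'sudo'
Mar 21 02:14:09 web01 usermod[2315]: add 'svc_backup' to shadow group 'sudo'
Mar 21 02:15:30 web01 sshd[2402]: Accepted publickey for svc_backup from 203.0.113.45 port 51012 ssh2
Mar 21 09:00:01 web01 CRON[3001]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 22 11:42:18 web01 useradd[4410]: new user: name=alice, UID=1005, GID=1005, home=/home/alice, shell=/bin/bash
"""

# Groups whose membership grants administrative rights on typical Linux hosts.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Syslog timestamp prefix shared by every line: "Mon DD HH:MM:SS".
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
RE_USERADD = re.compile(
    TS + r" (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
RE_GROUPADD = re.compile(
    TS + r" (?P<host>\S+) usermod\[\d+\]: add '(?P<name>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"
)
RE_LOGIN = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<name>\S+) from (?P<src>\S+)"
)


def _parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # good enough for computing deltas inside a single log file.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_privileged_account_creations(log_text: str, window_seconds: int = 600) -> list[dict]:
    """Return one finding per (account, privileged group) addition seen in the log.

    Each finding records whether the account was created within `window_seconds`
    before the group change and the source address of its first SSH login, if any.
    """
    created: dict[str, datetime] = {}   # account -> creation time
    logins: dict[str, str] = {}         # account -> first login source address
    findings: list[dict] = []
    seen: set[tuple[str, str]] = set()  # suppress the duplicate 'shadow group' line

    for line in log_text.splitlines():
        if m := RE_USERADD.match(line):
            created[m["name"]] = _parse_ts(m["ts"])
        elif m := RE_GROUPADD.match(line):
            key = (m["name"], m["group"])
            if m["group"] not in PRIVILEGED_GROUPS or key in seen:
                continue
            seen.add(key)
            when = _parse_ts(m["ts"])
            birth = created.get(m["name"])
            findings.append({
                "host": m["host"],
                "account": m["name"],
                "group": m["group"],
                "time": m["ts"],
                "newly_created": birth is not None
                                 and (when - birth).total_seconds() <= window_seconds,
                "first_login_from": None,
            })
        elif m := RE_LOGIN.match(line):
            logins.setdefault(m["name"], m["src"])

    # Logins may appear after the group change, so attach them in a second pass.
    for finding in findings:
        finding["first_login_from"] = logins.get(finding["account"])
    return findings


if __name__ == "__main__":
    for finding in find_privileged_account_creations(SAMPLE_AUTH_LOG):
        print(finding)
```

Run against the sample, the function flags only `svc_backup` (created and added to `sudo` within seconds, then logging in from an external address), while the later `alice` creation with no privileged group change is left alone. In practice the same logic would be fed from a log pipeline rather than an inline string, and the set of privileged groups adjusted to the distribution in use.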

The attackers' arsenal includes the SNOWLIGHT loader (written in C), which delivers the next-stage payload: the obfuscated GOREVERSE backdoor (written in Go), which lets the attackers establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code. A tunneling tool (GOHEAVY) and tools for lateral movement in compromised networks (afrog, DirBuster, Metasploit, Sliver, and sqlmap) were also discovered.

A notable detail is that the hackers themselves took steps to mitigate CVE-2023-46747 after exploiting it, so that other attackers could not use the same loophole. This underscores the sophistication of the campaign, in which even the attackers are forced to take measures to ensure "exclusive" access to compromised systems.

Mandiant suggests that UNC5174 may act as an Initial Access Broker (IAB) supported by the Chinese Ministry of State Security. Supporting this assessment is an attempt to sell access to the systems of US defense contractors, UK government agencies and Asian institutions.