
Chinese Spies Sell Access into Top US, UK Networks

by swotverge

An anonymous reader shared this report from The Register:

Chinese spies exploited a few critical-severity bugs in F5 and ConnectWise gear earlier this year to sell access to compromised U.S. defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, “with moderate confidence,” that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China’s Ministry of State Security (MSS) — boasts that could be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets… Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise “hundreds” of entities, mostly in the U.S. and Canada. Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included “extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions,” the threat intel group noted.

More details from The Record. “One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in. Mandiant said it believes this was an ‘attempt to limit subsequent exploitation of the system by additional unrelated threat actors trying to access the appliance.’”
