API security, Network Security

F5, ScreenConnect vulnerabilities leveraged in global Chinese cyberattacks

Suspected Chinese state-backed threat actor UNC5174 has been exploiting the widely known F5 BIG-IP and ConnectWise ScreenConnect vulnerabilities, tracked as CVE-2023-46747 and CVE-2024-1709, respectively, in attacks since late last year, reports The Record, a news site by cybersecurity firm Recorded Future.

UNC5174, which is believed to be an ex-member of Chinese hacktivist groups Genesis Day and Dawn Calvary, leveraged CVE-2023-46747 to compromise U.S. defense contractors, UK government organizations, and Asian entities in October and November. Last month, it went on to infiltrate hundreds more organizations, most of which are in the U.S. and Canada, in intrusions exploiting CVE-2024-1709, according to a report from Mandiant. Both attack campaigns involved the use of various custom tools and frameworks, as well as the immediate patching of the exploited bugs once backdoors had been successfully injected into compromised systems, which may have been done to restrict further attacks by other threat actors, said researchers. Meanwhile, further examination of UNC5174 revealed similarities with Chinese Ministry of State Security-sponsored access broker UNC302, indicating "shared exploits and operational priorities between these threat actors," researchers added.
