cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Chinese-backed hacker observed exploiting F5 BIG-IP and ScreenConnect bugs

Security researchers believe the hacker is a contractor with China’s Ministry of State Security and is targeting “hundreds” of entities in Australia, Canada, and the US.

user icon David Hollingworth
Fri, 22 Mar 2024
Chinese-backed hacker observed exploiting F5 BIG-IP and ScreenConnect bugs
expand image

A hacker with probable links to China’s Ministry of State Security has been observed taking advantage of a raft of vulnerabilities to sell access to systems throughout Asia and North America.

Researchers at security company Mandiant believe the hacker – dubbed UNC5174 by Mandiant but possibly going by the nom de guerre Uteus – used to be a part of a larger hacking collective but is now operating as an independent access broker.

UNC5174 primarily takes advantage of bugs in Connectwise ScreenConnect and the F5 BIG-IP Traffic Management User Interface but has also been seen using vulnerabilities in Atlassian Confluence and Zyxel Firewall OS, as well as a Linux kernel exploit. However, the hacker is less interested in exfiltrating data themselves and is instead selling their access to other entities in China.


“Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers’ bash command history,” Mandiant’s researchers said in a blog post.

“This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the US, Oceania, and Hong Kong regions. Additionally, key strategic targets like think tanks in the US and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets.”

What Mandiant has observed, however, is UNC5174 creating new accounts on compromised systems, running a series of bash commands, and installing a downloader, which Mandiant has called SNOWLIGHT. This downloader delivers a payload directly into a machine’s memory without it ever being written to disk. This creates a shell backdoor, called GOREVERSE, which connects to the hacker’s open command and control infrastructure.

UNC5174 has been seen to deploy several other tools, but one curious thing Mandiant has spotted is the hacker then patching the vulnerability that let them into the system in the first place. According to Mandiant, this is likely an “attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance”.

Most of UNC5174’s targets are in North America and Canada, but between 11 and 20 Australian entities have also been targeted, mostly between late 2023 and February 2024.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.