One Article Review

Home - The article:
Source Mandiant
Identifier 8500403
Publication date 2024-03-21 00:00:00 (viewed: 2024-05-15 19:06:53)
Title Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
Text Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting the F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of ConnectWise ScreenConnect CVE-2024-1709 by the same actor. The mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174. Mandiant assesses that UNC5174 (believed to use the persona "Uteus") is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation. In February 2024, UNC5174 was observed exploiting the ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions, primarily in the U.S. and Canada.

Targeting and Timeline

UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024. The actor appears primarily focused on executing access operations. Mandiant observed UNC5174 exploiting various vulnerabilities during this time:
ConnectWise ScreenConnect vulnerability CVE-2024-1709
F5 BIG-IP Configuration Utility authentication bypass vulnerability CVE-2023-46747
Atlassian Confluence CVE-2023-22518
Linux kernel exploit CVE-2022-0185
Zyxel firewall OS command injection vulnerability CVE-2022-30525

Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers' bash command history. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong. Additionally, key strategic targets such as think tanks in the U.S. and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets.

Figure 1: UNC5174 global targeting map

Initial Disclosure of CVE-2023-46747

On Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day) vulnerabil
Notes ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Cloud


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.