Chinese Spies Sell Access into Top US, UK Networks

An anonymous reader shared this report from The Register: Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised U.S. defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China's Ministry of State Security (MSS) — boasts that may well be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets... Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise "hundreds" or entities, mostly in the U.S. and Canada. Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included "extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions," the threat intel team noted.
More details from The Record. "One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in. Mandiant said it believes this was an 'attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.'"

"boasts that may well be true."

[Anonymous Coward]

Yeah, and I'm the Queen of England. It's just as believable as anything our "intelligence community" will tell you. Funny how all these backdoors our own government demands are being exploited by their adversaries, almost as if it was designed that way

Re:

[beheaderaswp]

In addition to putting it in their back pocket... they will report the vulnerability anytime another nation has the same exploit and are actively using it.

It's a two edge sword. They have a vulnerability they can exploit... and they can stop others form using the vulnerability when it's detected to be in the wild.

Damn that’s weak

[hdyoung]

When the NSA finds an exploit, they put it in their back pocket, they don’t tell anyone else, and don’t use it until they need it for a real spy project. Thus making it a useful tool for nation-vs-nation espionage. Which is exactly what I would expect a top-tier spy agency to do.

When Chinese state hackers find a useful exploit, apparently they... sell it to the highest bidder? Thus ensuring it’s prompt and widespread use, detection and patching, rendering the tool they just discovered quickly useless. All to make a few million bucks?

I’m sorry, that’s for amateur hour.

Re:

[HBI]

The F5 thing caused a lot of agita in the USG, that was about it. I'm pretty sure the Chinese didn't give up a zero day for agita.

It's a good reminder about what a near-peer conflict would look like. I'd expect global networks to be more or less down for a while as all the zero days compiled up are dumped out one by one to impede operations. A month or longer later, we might start being able to have reasonable conversations about the state of the world online. I wonder how the young folks will handle it

Re:Damn that’s weak

[gweihir]

Simple: These are not Chinese state-sponsored hackers. At best they are state-tolerated hackers, but they may just be seen as criminals (which they are) by the Chinese government as well. Maybe they are tolerated as long as they only hack the US, but looking closer, them selling apparently to anybody could also make them traitors to China.

Re:

[cusco]

Uh, oh, you're deviating from the Uniparty-designated enemy-hate, best listen for the knock on the door for your reeducation appointment.

Re:

[gweihir]

Naa, I am in Europe. We still have freedom of speech.

Re:

[bloodhawk]

calling them chinese spies is vastly exaggerated, more like chinese criminals that the government doesn't concern itself with. China is like everyone else, they don't share or sell their exploits when they can be reserved for themselves.

Re:

[LifesABeach]

curious.
what can one learn from this.
who, no pun intended, gets the money.
who is allowed to operate in possibly china.
what data is being offered.
could simple sun sue rules be applied here

Important question:

[Gravis Zero]

These campaigns included "extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the US, Oceania, and Hong Kong regions," the threat intel team noted.

Then why it isn't it a legal requirement for companies that sell this software to do the same?

Re:

[gweihir]

Come to think of it, "web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems" is what any somewhat decently run IT organization does against itself, exactly to prevent these ElCheapo attacks. In fact, at one of the Universities I teach at, they do this as an event for the students (with rules, of course), with awards and recognition for the best results.

Spies do not sell access.

[gweihir]

What demented "reporting" is this? Spies use access for themselves. Criminals sell access and if these here sell to anyone, the Chinese administration may well see them as criminals as well, maybe even as traitors.

Not really spies then.

[Baron_Yam]

More like criminals who occasionally use a secret letter of marque.

Spies would only sell what they had obtained if required to fund an operation or as part of an operation. Neither of those options seem particularly likely here - the capabilities are too useful if kept in their hands alone, and hardly worth the political fallout if not.

Except of course, we're talking about espionage. Maybe this is just a way of 'proving' that this group isn't a direct tool of the CCP by selling their 2nd-tier access.

In my opinion, the best way to deal with foreign cyber-criminals is the same way you'd deal with a group of vigilantes firing weapons across a border... expect their host country to handle it or accept that the criminals are assumed to working for the government. And if that country feels it's appropriate to attack the infrastructure of another nation... that other nation should feel perfectly fine about retaliation.

Bragging

[manu0601]

UNC5174 uses the online persona Uteus, and has bragged about its links to China's Ministry of State Security (MSS)

Bragging (and reselling access as well) does not fit a state actor that attempts to remain undetected