Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant's investigation reveals a sophisticated cyber threat campaign attributed to a Chinese threat actor group named UNC5174, also known by the alias "Uteus." The group employs a combination of novel and known vulnerabilities to target a wide range of organizations globally, including U.S. defense contractors, government entities, research institutions, and NGOs. The campaign involves exploiting vulnerabilities such as CVE-2023-46747 affecting F5 BIG-IP and CVE-2024-1709 affecting ConnectWise ScreenConnect. UNC5174 is believed to operate as a contractor for China's Ministry of State Security (MSS), focusing on initial access operations.

Security Officer Comments:
UNC5174 demonstrates a high level of sophistication in its operations, utilizing a mix of custom tools and publicly available frameworks like SUPERSHELL. The group's tactics, techniques, and procedures (TTPs) include extensive reconnaissance, vulnerability scanning, and post-exploitation activities aimed at establishing persistent access within targeted environments. The actor's strategic targeting aligns with geopolitical interests, indicating a likely state-sponsored agenda. Moreover, the group's efforts to patch exploited vulnerabilities post-compromise suggest a desire to maintain exclusive access and evade detection by other threat actors.

Suggested Corrections:
Immediate mitigation steps include restricting access to the F5 Traffic Management User Interface (TMUI) from the internet and applying the provided mitigation script to vulnerable F5 appliances affected by CVE-2023-46747. Organizations should conduct thorough investigations of vulnerable F5 appliances to identify evidence of compromise and unauthorized modifications. In the event of a compromise, reviewing appliance configurations and file system artifacts for signs of unauthorized access is crucial. Additionally, organizations should revoke and re-issue sensitive cryptographic material, such as certificates and private keys, that may have been compromised.

For those impacted by the exploitation of ConnectWise ScreenConnect, referring to Mandiant's remediation and hardening guide for specific actions to secure on-premises controllers is recommended. Long-term defense strategies should focus on implementing comprehensive vulnerability management practices, enhancing network segmentation and access controls, and investing in threat intelligence services to stay ahead of emerging threats. Collaboration with cybersecurity experts and law enforcement agencies can aid in identifying and disrupting ongoing intrusion attempts and protecting critical assets from compromise. The report from Mandiant also includes IoCs and detection rules.