A hacking group from China has been exploiting critical bugs in F5 and ConnectWise equipment to sell access to hundreds of compromised entities, including US defense organizations and UK government agencies. The group, identified as UNC5174, used two vulnerabilities, including CVE-2023-46747 and CVE-2024-1709, to carry out their attacks. They have claimed links to China’s Ministry of State Security (MSS) and use a remote command-and-control framework called SUPERSHELL.

The group targeted prominent universities in the US, Oceania, and Hong Kong regions, as well as think tanks in the US and Taiwan. They create admin accounts to run malicious commands and use an ELF downloader called SNOWLIGHT to bring in backdoors GOHEAVY and GOREVERSE onto compromised appliances. This allows them to connect with the C2 infrastructure hosting SUPERSHELL and download and execute more malicious code.

The report warns that China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and Screen Connect to enable espionage operations at scale. UNC5174 continues to pose a threat to targets of strategic or political interest to the PRC, including academic, government, and NGO groups in the US, UK, Canada, Southeast Asia, and Hong Kong.

Please, subscribe to the YouTube channel of republicpolicy.com