Published in News

Chinese hackers flog access to UK and US defence secrets.

25 March 2024


Spies for hire

Chinese spies capitalised on several critical-severity flaws in F5 and ConnectWise equipment to market access to infiltrated US defence organisations, UK government bodies, and numerous other entities.

According to security outfit Mandiant, a group it monitors, known as UNC5174, was responsible for exploiting CVE-2023-46747, a remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface, rated 9.8 out of 10 on the CVSS scale, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect with a maximum 10 out of 10 CVSS severity score.

UNC5174, operating under the alias Uteus, has vaunted its connections to China's Ministry of State Security (MSS) — claims that could be factual. The group specialises in securing initial entry into target organisations and selling access to high-value targets.

Recently, Mandiant observed the same set of tools, presumed exclusive to this Chinese faction, being deployed to exploit the ConnectWise vulnerability and compromise 'hundreds' of entities, predominantly in the US and Canada.

Additionally, from October 2023 to February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a command injection vulnerability in Zyxel Firewall OS.

The threat intelligence team said that these operations entailed 'thorough reconnaissance, web application fuzzing, and intensive scanning for vulnerabilities on internet-exposed systems of leading universities in the US, Oceania, and Hong Kong.'

Further insights from The Record revealed one of the more peculiar findings: UNC5174 would establish backdoors into compromised systems and rectify the vulnerability they exploited to gain entry. Mandiant believes this was an 'effort to restrict further exploitation of the system by other unrelated threat actors seeking to access the appliance.'

Last modified on 25 March 2024