{
	"id": "67bed02b-ff61-4154-b09f-0aa7561ea40f",
	"created_at": "2026-04-06T00:18:24.01227Z",
	"updated_at": "2026-04-10T03:34:27.963651Z",
	"deleted_at": null,
	"sha1_hash": "9de6113eb014f117316a4c6380232ee27c042fcf",
	"title": "Chinese Threat Group UNC5174 Reportedly Exploiting F5 BIG-IP and ScreenConnect CVEs for Active Exploitation - RH-ISAC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59602,
	"plain_text": "Chinese Threat Group UNC5174 Reportedly Exploiting F5 BIG-IP\r\nand ScreenConnect CVEs for Active Exploitation - RH-ISAC\r\nPublished: 2024-03-22 · Archived: 2026-04-05 14:59:56 UTC\r\nOn March 21, 2024, Mandiant researchers published technical details of a campaign exploiting critical vulnerabilities in F5 BIG-IP and ConnectWise ScreenConnect, which they attribute to the Chinese state-sponsored actor tracked as UNC5174.\r\nCommunity Impact Assessment\r\nGiven the widespread use of F5 BIG-IP and ScreenConnect across regions and industries, the RH-ISAC intelligence team assesses with moderate confidence that this campaign poses a moderate threat to organizations that have not patched the critical flaws it leverages.\r\nAdditionally, given the actor’s historical targeting and methods, the RH-ISAC intelligence team assesses with moderate confidence that UNC5174 poses a moderate threat to organizations in critical infrastructure sectors.\r\nMembers are advised to review the indicators of compromise (IOCs), mitigations, detection rules, and MITRE ATT&CK tactics, techniques, and procedures (TTPs) provided by Mandiant, included below.\r\nContext and Technical Details\r\nMandiant reported that campaigns observed between October 2023 and February 2024 leveraged the following two vulnerabilities:\r\nConnectWise ScreenConnect authentication bypass, CVE-2024-1709 (CVSS 10.0, CRITICAL), described as: “ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.”\r\nF5 BIG-IP Configuration Utility authentication bypass, CVE-2023-46747 (CVSS 9.8, CRITICAL), described as: “Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.”\r\nAccording to Mandiant, the “mix of custom tooling and the SUPERSHELL framework […] is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174 […] (believed to use the persona “Uteus”) is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”\r\n“UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024.”\r\nhttps://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/\r\nPage 1 of 6\r\nMitigations\r\nMandiant provided the following remediation recommendations:\r\nRestrict access to the F5 Traffic Management User Interface (TMUI) from the internet.\r\nImmediately apply the F5 mitigation script published in F5 knowledge article K000137353 to any vulnerable F5 appliances.\r\nInvestigate vulnerable F5 appliances for evidence of compromise.\r\nIn the event of an F5 compromise:\r\n    Review appliance configurations for unauthorized modifications.\r\n    Review file system and operating system (OS) artifacts for evidence of privileged account creation and remove any unauthorized accounts.\r\n    Consider revoking and re-issuing sensitive cryptographic material, such as certificates and private keys, that may have been accessible to a threat actor.\r\nFor impacted ScreenConnect instances, Mandiant recommends that organizations with an on-premises controller read the latest ScreenConnect remediation and hardening guide.\r\nDetections\r\nMandiant provided the following YARA detections:\r\nrule M_Backdoor_GOREVERSE_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule is designed to detect events related to goreverse. GOREVERSE is a publicly available reverse shell\"\r\n        md5 = \"5c175ea3664279d6c0c2609844de6949\"\r\n        platforms = \"Windows,Linux,MacOS\"\r\n        malware_family = \"GOREVERSE\"\r\n    strings:\r\n        $cc_main_fork_amd64 = { 41 81 39 74 72 75 65 75 ?? 48 8B [5] 48 8B [5] 48 8B [5] 4C 8B [5] 48 8B [5] 48 8B [5-10] E8 [4] 48 8B }\r\n        $cc_print_help_amd64 = { 48 8D 15 [4] 48 89 94 24 [4-16] 48 8B 1D [4] 48 8D 05 [4-24] BF 03 00 00 00 48 89 FE [0-12] E8 }\r\n        $cc_rssh = \"rssh\" fullword\r\n        $cc_validate_dest_len = { 48 83 3D [4] 00 [1-24] 49 83 FC 01 [1-24] 49 C1 E4 05 [1-64] 83 3D [4] 00 }\r\n        $str1 = \"--[foreground|fingerprint|proxy|process_name] -d|--destination <server_address>\"\r\n        $str2 = \"-d or --destination Server connect back address (can be baked in)\"\r\n        $str3 = \"--foreground Causes the client to run without forking to background\"\r\n        $str4 = \"--fingerprint Server public key SHA256 hex fingerprint for auth\"\r\n        $str5 = \"--proxy Location of HTTP connect proxy to use\"\r\n        $str6 = \"--process_name Process name shown in tasklist/process list\"\r\n    condition:\r\n        ( ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f) ) and (all of ($str*) or all of ($cc_*))\r\n}\r\nrule M_APT_Downloader_SNOWLIGHT_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule is designed to detect the SNOWLIGHT code family\"\r\n        md5 = \"0951109dd1be0d84a33d52c135ba9c97\"\r\n        platforms = \"Linux\"\r\n        malware_family = \"SNOWLIGHT\"\r\n    strings:\r\n        $xor99 = { 80 31 99 48 FF C1 89 CE 29 EE 39 C6 7C F2 48 63 D2 48 89 EE 44 89 E7 }\r\n        $memfdcreate = { BA 01 00 00 00 BE 3B 0B 40 00 BF 3F 01 00 00 E8 8C FE FF FF }\r\n    condition:\r\n        uint32(0) == 0x464c457f and all of them\r\n}\r\nThe GOREVERSE rule only evaluates its string and code patterns on executables whose first bytes identify a Mach-O image (the six 0xfeedface/0xfeedfacf/0xcafebabe values and their byte-swapped forms), a PE image (an MZ header whose e_lfanew offset points at the PE signature), or an ELF image (0x464c457f, i.e. \\x7fELF); the SNOWLIGHT rule is restricted to ELF binaries.\r\nIOCs\r\nMandiant provided the following IOCs:\r\nIndicator                          Type        Notes\r\nhxxp://172.245.68[.]110:8888       URL         SUPERSHELL C2\r\n172.245.68[.]110                   IP Address  Colocrossing\r\n61.239.68[.]73                     IP Address  Hong Kong Broadband Network Ltd.\r\n118.140.151[.]242                  IP Address  HGC Global Communications Limited\r\nc867881c56698f938b4e8edafe76a09b   MD5         SNOWLIGHT\r\ndf4603548b10211f0aa77d0e9a172438   MD5         SNOWLIGHT\r\n0951109dd1be0d84a33d52c135ba9c97   MD5         SNOWLIGHT\r\n9c3bf506dd19c08c0ed3af9c1708a770   MD5         N/A\r\n0ba435460fb7622344eec28063274b8a   MD5         SNOWLIGHT\r\na78bf3d16349eba86719539ee8ef562d   MD5         SNOWLIGHT\r\nTTPs\r\nMandiant provided the following MITRE ATT&CK TTPs:\r\nTactic                ID         Technique\r\nInitial Access        T1190      Exploit Public-Facing Application\r\nDefense Evasion       T1027      Obfuscated Files or Information\r\nDefense Evasion       T1070.004  File Deletion\r\nDefense Evasion       T1140      Deobfuscate/Decode Files or Information\r\nDefense Evasion       T1222.002  Linux and Mac File and Directory Permissions Modification\r\nDefense Evasion       T1601.001  Patch System Image\r\nDiscovery             T1016      System Network Configuration Discovery\r\nDiscovery             T1049      System Network Connections Discovery\r\nDiscovery             T1082      System Information Discovery\r\nDiscovery             T1083      File and Directory Discovery\r\nCommand and Control   T1095      Non-Application Layer Protocol\r\nCommand and Control   T1105      Ingress Tool Transfer\r\nCommand and Control   T1572      Protocol Tunneling\r\nCommand and Control   T1573.002  Asymmetric Cryptography\r\nExecution             T1059      Command and Scripting Interpreter\r\nExecution             T1059.004  Unix Shell\r\nPersistence           T1136.001  Local Account\r\nImpact                T1531      Account Access Removal\r\nCredential Access     T1003.008  /etc/passwd and /etc/shadow\r\nResource Development  T1608.003  Install Digital Certificate\r\nSource: https://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/"
	],
	"report_names": [
		"f5-big-ip-and-screenconnect-cves"
	],
	"threat_actors": [
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174"
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9de6113eb014f117316a4c6380232ee27c042fcf.pdf",
		"text": "https://archive.orkl.eu/9de6113eb014f117316a4c6380232ee27c042fcf.txt",
		"img": "https://archive.orkl.eu/9de6113eb014f117316a4c6380232ee27c042fcf.jpg"
	}
}