China Steals Defense Secrets ‘on Industrial Scale’
CVSS 10 and 9.8 vulnerabilities exploited by a Chinese threat actor working for the People’s Republic.
The drumbeat is getting louder: The West is fed up with China hacking it. The latest concern is the PRC stealing defense secrets via two catastrophically bad bugs: By exploiting flaws in F5 BIG-IP and ConnectWise ScreenConnect, Chinese state actors have broken into U.S. defense contractors, U.K. government bodies and organizations across Asia.
And now the Brits are ratcheting up sanctions. In today’s SB Blogwatch, we duck and cover.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Snif & Snüf.
UNC5174 ❤ UNC302
What’s the craic? Jonathan Greig reports of a “Chinese government hacker”:
“CVE-2024-1709”
A hacker allegedly connected to the People’s Republic of China has been exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia. … The researchers believe UNC5174 is a former member of Chinese hacktivist collectives [who is] acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.
…
CVE-2024-1709 has caused alarm among cyber defenders since IT management software company ConnectWise warned its customers about the issue in February. The company confirmed that several customers had been compromised through the vulnerability. … ScreenConnect allows for secure remote desktop access and mobile device support, and researchers said it was being exploited by both cybercriminals and nation states.
And not just one high-severity vuln, but two. Nick Farrell does nothing to calm your fears—“Chinese hackers flog access to UK and US defence secrets”:
“CVE-2022-3052”
UNC5174, operating under the alias Uteus … was responsible for exploiting CVE-2023-46747, a remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface, rated 9.8 out of 10 on the CVSS scale, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect with a maximum 10 out of 10 CVSS severity score. [It also] exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a command injection vulnerability in Zyxel Firewall OS.
…
The group specialises in securing initial entry into target organisations and selling access to high-value targets. … One of the more peculiar findings: UNC5174 would establish backdoors into compromised systems and [then] rectify the vulnerability they exploited.
Which means an up-to-date version number tells you nothing about whether someone already got in. Horse’s mouth? Mandiant’s Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz and Austin Larsen—“Bringing Access Back”:
UNC5174 was linked with several hacktivist collectives including “Dawn Calvary” … ”Genesis Day” / “Xiaoqiying” and “Teng Snake” … and has also claimed to be affiliated with the PRC MSS as an access broker and possible contractor. … Organizations targeted by UNC5174, including U.S. defense and UK government entities, were targeted concurrently by distinct known MSS access brokers UNC302, which were previously indicted by the U.S. Department of Justice.
…
UNC5174 has [also] been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs).
What can be done? Aunty Beeb’s Sam Francis writes—“UK sanctions Chinese”:
“Epoch-defining challenge”
Two people and a company linked to the Chinese state have been sanctioned by the UK government over cyber-attacks, [saying] the group were behind “malign” attempts to access details of [politicians] who had been critical of Beijing.
…
The sanctions will freeze assets, barring UK citizens and businesses from handling the company’s and individuals’ funds or resources. A travel ban will also prevent them from entering or remaining in the UK. … Prime Minister Rishi Sunak called China “the greatest state-based challenge to our national security. … China represents an economic threat to our security and an epoch-defining challenge.”
All of which must be music to the ears of u/GarlicThread:
So when do we start considering these acts of war? … All I’m asking is that we stop letting this **** go unpunished.
War, you say? Nearly, thinks HBI:
It’s a good reminder about what a near-peer conflict would look like. I’d expect global networks to be more or less down for a while as all the zero days compiled up are dumped out one by one.
…
A month or longer later, we might start being able to have reasonable conversations about the state of the world online. I wonder how the young folks will handle it, or those dependent on cat videos.
Are we entering a new McCarthy era? Yet Another Anonymous coward thinks China is anything but communist:
Commie? They are selling exploits on the open market for a profit, while our own governments keep them locked up inside inefficient, state owned security services.
Sauce for the goose? u/Pikaea has a gander: [Must you keep making that terrible joke?—Ed.]
Do you really think the West isn’t trying to get backdoors into China or Russian systems too? Of course they are, certain countries just don’t announce it.
Meanwhile, beheaderaswp wields “a two edge sword”:
In addition, … they will report the vulnerability anytime another nation has the same exploit and are actively using it.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)