# Full Report
On 2024-03-22, a campaign involving UNC5174 was reported. The actor gained initial access by exploiting a 1-day vulnerability, with vulnerability exploitation as the observed technique, against ConnectWise ScreenConnect, F5 BIG-IP and Confluence Server, and achieved data exfiltration. The following tools were observed: SUPERSHELL, SNOWLIGHT, GOHEAVY.
# Analysis Summary
# Threat Actor: UNC5174
## Attribution & Identity
* **Identification:** UNC5174 (Undisclosed Numbered Cyber Security Group).
* **Known Aliases/Associations:** None explicitly mentioned in the provided context, but tracked as a distinct threat actor group by the reporting agency (Mandiant).
## Activity Summary
This activity involves a campaign reported on March 22, 2024. UNC5174 gained initial access by exploiting a 1-day vulnerability. The ultimate reported impact of this campaign was Data Exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of a 1-day vulnerability (maps to MITRE ATT&CK T1190: Exploit Public-Facing Application).
* **Execution/Persistence:** Vulnerability exploitation was the primary technique observed after initial access.
* **Exfiltration:** Data exfiltration was the reported objective, and it was achieved.
## Targeting
* **Sectors:** Not explicitly detailed, beyond the types of technology targeted.
* **Geography:** Not specified.
* **Victims:** Not specified, but organizations using the targeted software are at risk.
* **Targeted Technologies:** ConnectWise ScreenConnect, F5 BIG-IP, and Confluence Server.
## Tools & Infrastructure
* **Malware Families Used:**
  * SUPERSHELL
  * SNOWLIGHT
  * GOHEAVY
* **Infrastructure:** None specified in the provided context.
## Implications
UNC5174 demonstrates a high level of operational capability by rapidly leveraging newly disclosed (1-day) vulnerabilities to gain access to high-value targets that rely on widely deployed infrastructure management platforms (ScreenConnect, BIG-IP) and collaboration software (Confluence). The motivation appears to be data theft.
## Mitigations
* Rapid patching of newly disclosed vulnerabilities, particularly on internet-facing systems such as ConnectWise ScreenConnect and F5 BIG-IP, since the actor weaponises 1-day flaws quickly.
* Strict network segmentation around critical infrastructure and collaboration servers (e.g. Confluence), limiting the lateral reach of a compromised edge device.
* Monitoring for the presence of the observed tooling (SUPERSHELL, SNOWLIGHT, GOHEAVY) on network endpoints and servers, and for unexpected outbound data transfers from the targeted systems.