Unc5221

Threat Actor Profile Updated 2 months ago
UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware built specifically to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. Mandiant researchers made the discovery when they observed a new web shell, tracked as ROOTROT, deployed on an Ivanti Connect Secure appliance compromised by UNC5221. The threat actor then accessed a vCenter appliance over SSH and downloaded the BRICKSTORM backdoor, establishing stealthy, persistent access to the infected device.

In January 2024, the MITRE Corporation reported a breach of its systems and attributed the attack to UNC5221. The intrusion chained two zero-day vulnerabilities in Ivanti's Connect Secure software, and the indicators of compromise observed during the breach overlapped with those already associated with UNC5221, further solidifying the link between the group and these attacks. MITRE's initial mitigation efforts were later judged to have been insufficient.

UNC5221's activities are a significant cybersecurity concern because of their advanced persistent threat (APT) nature, their sophisticated techniques, and the group's apparent focus on exploiting specific network security products. In one instance, the deployment of ROOTROT was followed by network reconnaissance and lateral movement to a VMware vCenter server. In another analysis of a UNC5221 compromise, Mandiant identified four distinct components of the custom SPAWN malware toolset being used together to establish a robust backdoor on an infected appliance.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
Uta0178 | 4 | UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addr
Miscellaneous Associations
Other contextual elements that may help in assessing relevance.
Exploit
Apt
Malware
Ivanti
Vpn
Mandiant
Backdoor
Zero Day
Mitre
Vulnerability
State Sponso...
Web Shell
Github
Proxy
Dropper
Webshell
Lateral Move...
Vcenter
Reconnaissance
Ransomware
Wordpress
Android
Chrome
Associated Malware
ID | Type | Votes | Profile Description
Tunnelvision | Unspecified | 1 | TunnelVision is a potent malware that has been making headlines for its ability to bypass VPN encapsulation. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a syst
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Mirai Botnet | Unspecified | 1 | The Mirai botnet is a type of malware, malicious software designed to exploit and harm computer systems. It spreads by exploiting vulnerabilities in different systems, most notably through Ivanti Connect Secure bugs and the JAWS Webserver. Once inside a system, it can steal personal information, dis
Associated Threat Actors
ID | Type | Votes | Profile Description
Unc3886 | Unspecified | 1 | UNC3886 is a threat actor with suspected links to China, known for its cyber espionage operations targeting global strategic organizations. Since 2021, this advanced persistent threat (APT) group has been exploiting a VMware zero-day vulnerability, identified as CVE-2023-34048. The cybersecurity ind
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-21887 | Unspecified | 2 | CVE-2024-21887 is a command injection vulnerability identified in the web components of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x). This flaw was publicly disclosed on January 10, 2024, alongside an authentication bypass vulnerability (CVE-2023-46805), affecting the same
CVE-2023-46805 | Unspecified | 1 | CVE-2023-46805 is a significant software vulnerability discovered in the web component of all supported versions of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x). This flaw, which allows for authentication bypass, was first brought to the attention of the Cyber Centre on Jan
CVE-2023-46895 | Unspecified | 1 | None
CVE-2023-49606 | Unspecified | 1 | None
Source Document References
Information about the Unc5221 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 months ago | MITRE December 2023 attack: threat actors created rogue VMs to evade detection
Securityaffairs | 2 months ago | Security Affairs newsletter Round 471 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 3 months ago | Chinese Hackers Deployed Backdoor Quintet to Down MITRE
Securityaffairs | 3 months ago | MITRE attributes the recent attack to China-linked UNC5221
DARKReading | 3 months ago | MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
Checkpoint | 3 months ago | 22nd April – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine | 4 months ago | Chinese Groups Deploy New TTPs to Exploit Ivanti Vulnerabilities
DARKReading | 4 months ago | Ivanti Keeps Security Teams Scrambling With 2 More Vulns
CERT-EU | 5 months ago | Tracing Ivanti Zero-Day Exploitation IoCs in the DNS
CERT-EU | 6 months ago | CISA issues emergency directive for federal agencies to patch Ivanti VPN vulnerabilities
CERT-EU | 6 months ago | CISA emergency directive: Mitigate Ivanti zero-days immediately
CERT-EU | 6 months ago | Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Securityaffairs | 6 months ago | Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
CERT-EU | 6 months ago | Ivanti Connect Secure zero-days now under mass exploitation
CERT-EU | 6 months ago | Mandiant: attacks exploiting Ivanti VPN flaws began in December
CERT-EU | 6 months ago | Ivanti zero-day victim count grows as Mandiant weighs in
CERT-EU | 5 months ago | Response to CISA Advisory (AA24-060B): Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
CERT-EU | 5 months ago | Mandiant uncovers intricate UNC5325 cyber attacks on Ivanti devices
InfoSecurity-magazine | 6 months ago | Latest Ivanti Zero Day Exploited By Scores of IPs
Securityaffairs | 6 months ago | CISA orders federal agencies to disconnect Ivanti VPN instances by February 2