Unc5221

Threat Actor updated 6 months ago (2024-05-25T12:17:29.362Z)
UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. Mandiant researchers made the discovery when they observed the deployment of a new web shell, tracked as ROOTROT, while investigating an Ivanti Connect Secure appliance compromised by UNC5221. In one instance, the deployment of ROOTROT led to UNC5221 initiating network reconnaissance and lateral movement to a VMware vCenter server; the threat actor accessed the vCenter appliance over SSH and downloaded the BRICKSTORM backdoor, establishing a stealthy and persistent backdoor on the infected device.

In January 2024, the MITRE Corporation reported a breach of its systems and attributed the attack to UNC5221. The attack chained two zero-day vulnerabilities in Ivanti's Connect Secure software. Indicators of compromise observed during this breach overlapped with those associated with UNC5221, further solidifying the link between the threat actor and the attacks. Despite initial mitigation efforts, these actions were deemed insufficient in retrospect.

UNC5221's activities are a significant cybersecurity concern because of their advanced persistent threat (APT) nature, sophisticated techniques, and the group's apparent focus on exploiting specific network security products. During an analysis of a UNC5221 compromise, Mandiant also identified four distinct components of the custom malware toolset SPAWN being used in concert to establish a robust backdoor on an infected appliance.
Description last updated: 2024-05-25T12:15:26.029Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias: UTA0178 (4 votes)
Description: UTA0178 is a possible alias for UNC5221. UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addr
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Ivanti
Vpn
Malware
Apt
Mandiant
Zero Day
Backdoor
Vulnerability
Web Shell
State Sponso...
Github
Mitre
Associated Vulnerabilities
Vulnerability: CVE-2024-21887 (association type: Unspecified; 2 votes)
Description: The CVE-2024-21887 vulnerability is associated with UNC5221. CVE-2024-21887 is a command injection vulnerability found in the web components of Ivanti Connect Secure and Ivanti Policy Secure, specifically in versions 9.x and 22.x. The Cyber Centre was made aware of this flaw, along with an authentication bypass vulnerability (CVE-2023-46805), on January 10, 2
Source Document References
Information about the UNC5221 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)
DARKReading (7 months ago)
Securityaffairs (7 months ago)
DARKReading (7 months ago)
Checkpoint (7 months ago)
InfoSecurity-magazine (8 months ago)
DARKReading (8 months ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
Securityaffairs (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)