Unc5221

Threat Actor updated 5 months ago (2024-05-25T12:17:29.362Z)

Download STIX

Preview STIX

UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployment of a new web shell, tracked as ROOTROT, during their investigation of an Ivanti Connect Secure appliance compromised by UNC5221. The threat actor accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor, creating a stealthy and persistent backdoor on the infected device. In January 2024, the MITRE Corporation reported a breach of its systems, attributing the attack to UNC5221. The attack involved the chaining of two zero-day vulnerabilities in Ivanti's Connect Secure software. Indicators of compromise observed during this security breach overlapped with those associated with UNC5221, further solidifying the link between this threat actor and the attacks. Despite initial mitigation efforts, these actions were deemed insufficient in retrospect. The activities of UNC5221 represent a significant cybersecurity concern due to their advanced persistent threat (APT) nature, sophisticated techniques, and the group's apparent focus on exploiting specific network security products. In one instance, the deployment of ROOTROT led to UNC5221 initiating network reconnaissance and lateral movement to a VMware vCenter server. Furthermore, during an analysis of a compromise by UNC5221, Mandiant identified four distinct components of the custom malware toolset SPAWN being used in concert to establish a robust backdoor on an infected appliance.

Description last updated: 2024-05-25T12:15:26.029Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Uta0178 is a possible alias for Unc5221. UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addr	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Ivanti

Vpn

Malware

Apt

Mandiant

Zero Day

Backdoor

Vulnerability

Web Shell

State Sponso...

Github

Mitre

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2024-21887 Vulnerability is associated with Unc5221. CVE-2024-21887 is a command injection vulnerability found in the web components of Ivanti Connect Secure and Ivanti Policy Secure, specifically in versions 9.x and 22.x. The Cyber Centre was made aware of this flaw, along with an authentication bypass vulnerability (CVE-2023-46805), on January 10, 2	Unspecified	2

Source Document References

Information about the Unc5221 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
CERT-EU	9 months ago	พบช่องโหว่ Zero-Day ใน Ivanti Connect Secure ถูกใช้เพื่อติดตั้ง Malware
Securityaffairs	5 months ago	MITRE December 2023 attack: threat actors created rogue VMs to evade detection
Securityaffairs	5 months ago	Security Affairs newsletter Round 471 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	5 months ago	Chinese Hackers Deployed Backdoor Quintet to Down MITRE
Securityaffairs	5 months ago	MITRE attributes the recent attack to China-linked UNC5221
DARKReading	6 months ago	MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
Checkpoint	6 months ago	22nd April – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine	6 months ago	Chinese Groups Deploy New TTPs to Exploit Ivanti Vulnerabilities
DARKReading	7 months ago	Ivanti Keeps Security Teams Scrambling With 2 More Vulns
CERT-EU	7 months ago	Tracing Ivanti Zero-Day Exploitation IoCs in the DNS
CERT-EU	9 months ago	CISA issues emergency directive for federal agencies to patch Ivanti VPN vulnerabilities
CERT-EU	9 months ago	CISA emergency directive: Mitigate Ivanti zero-days immediately
CERT-EU	9 months ago	Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Securityaffairs	9 months ago	Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
CERT-EU	9 months ago	Ivanti Connect Secure zero-days now under mass exploitation
CERT-EU	9 months ago	Mandiant: attacks exploiting Ivanti VPN flaws began in December
CERT-EU	9 months ago	Ivanti zero-day victim count grows as Mandiant weighs in
CERT-EU	7 months ago	Response to CISA Advisory (AA24-060B): Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
CERT-EU	8 months ago	Mandiant uncovers intricate UNC5325 cyber attacks on Ivanti devices