Uta0178

Threat Actor updated 6 months ago (2024-05-04T19:48:32.971Z)
Download STIX
Preview STIX
UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addresses 71.127.149[.]194 and 173.53.43[.]7 have been observed in these interactions. UTA0178 has also utilized domains to collect credentials from compromised devices, indicating a sophisticated level of operation. The threat actor's activities gained significant attention when cybersecurity firm Volexity reported that UTA0178 was exploiting flaws in Ivanti Connect Secure VPN appliances for mass attacks worldwide. The exploitation involved the use of a GIFTEDVISITOR webshell variant, which allowed the group to backdoor over 2,100 Ivanti appliances. The threat actor's activities suggest an ongoing effort to compromise these VPN appliances and exfiltrate data in an automated fashion. Interestingly, UTA0178 appears to be making efforts to evade detection by organizations actively seeking evidence of compromise on their Ivanti Connect Secure VPN appliances. Recent updates show that UTA0178 continues to exploit these vulnerabilities, some dating back to December. The group has even modified scanner/scripts/scanner.py within an archive, demonstrating further evidence of their advanced tradecraft. While other threat actors have attempted similar exploitations, their operational security has been noticeably poorer than that of UTA0178. As such, UTA0178 remains a major concern for cybersecurity experts and organizations worldwide.
Description last updated: 2024-03-22T02:15:54.167Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Unc5221 is a possible alias for Uta0178. UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployme
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vpn
Ivanti
Exploit
Ics
Zero Day
Chinese
Proxy
State Sponso...
Volexity
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Uta0178 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
10 months ago
CERT-EU
8 months ago
DARKReading
7 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Securityaffairs
9 months ago
InfoSecurity-magazine
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
10 months ago
Checkpoint
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago