Uta0178

Threat Actor updated 6 months ago (2024-05-04T19:48:32.971Z)

Download STIX

Preview STIX

UTA0178, also known as UNC5221, is a China-based threat actor suspected of conducting cyberespionage activities. This group has been active in exploiting vulnerabilities on a global scale, with numerous instances of interaction with compromised devices tied to the Cyberoam proxy network. The IP addresses 71.127.149[.]194 and 173.53.43[.]7 have been observed in these interactions. UTA0178 has also utilized domains to collect credentials from compromised devices, indicating a sophisticated level of operation. The threat actor's activities gained significant attention when cybersecurity firm Volexity reported that UTA0178 was exploiting flaws in Ivanti Connect Secure VPN appliances for mass attacks worldwide. The exploitation involved the use of a GIFTEDVISITOR webshell variant, which allowed the group to backdoor over 2,100 Ivanti appliances. The threat actor's activities suggest an ongoing effort to compromise these VPN appliances and exfiltrate data in an automated fashion. Interestingly, UTA0178 appears to be making efforts to evade detection by organizations actively seeking evidence of compromise on their Ivanti Connect Secure VPN appliances. Recent updates show that UTA0178 continues to exploit these vulnerabilities, some dating back to December. The group has even modified scanner/scripts/scanner.py within an archive, demonstrating further evidence of their advanced tradecraft. While other threat actors have attempted similar exploitations, their operational security has been noticeably poorer than that of UTA0178. As such, UTA0178 remains a major concern for cybersecurity experts and organizations worldwide.

Description last updated: 2024-03-22T02:15:54.167Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Unc5221 is a possible alias for Uta0178. UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployme	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vpn

Ivanti

Exploit

Ics

Zero Day

Chinese

Proxy

State Sponso...

Volexity

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Uta0178 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
CERT-EU	8 months ago	Ivanti follows CISA warning with new protection tool
DARKReading	7 months ago	Ivanti Keeps Security Teams Scrambling With 2 More Vulns
CERT-EU	9 months ago	Ivanti: Backdoor suspected in exploited VPN products post-mitigation
CERT-EU	9 months ago	CISA emergency directive: Mitigate Ivanti zero-days immediately
CERT-EU	9 months ago	Ivanti Connect Secure VPN Exploitation: New Observations
CERT-EU	9 months ago	What to do with that fancy new internet-connected device you got as a holiday gift
CERT-EU	9 months ago	Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	9 months ago	Ivanti 0-day exploits pwn Fortune 500 firms, thousands more • The Register \| #cybercrime \| #infosec \| National Cyber Security Consulting
Securityaffairs	9 months ago	Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
InfoSecurity-magazine	9 months ago	Ivanti Zero-Days Exploited By Multiple Actors Globally
CERT-EU	9 months ago	Ivanti Connect Secure zero-days now under mass exploitation
CERT-EU	9 months ago	Mounting impact of attacks exploiting Ivanti zero-days expected
CERT-EU	9 months ago	Ivanti Connect Secure VPN Exploitation Goes Global
CERT-EU	10 months ago	15th January – Threat Intelligence Report \| #ransomware \| #cybercrime \| National Cyber Security Consulting
Checkpoint	10 months ago	15th January – Threat Intelligence Report - Check Point Research
CERT-EU	10 months ago	Mandiant: attacks exploiting Ivanti VPN flaws began in December
CERT-EU	10 months ago	Ivanti zero-day victim count grows as Mandiant weighs in
CERT-EU	10 months ago	Ivanti Secure VPN Zero-Day Vulnerabilities Allow Chinese Threat Actor to Compromise Systems
CERT-EU	10 months ago	Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting