Tag

Unc5221

All articles tagged with #unc5221

Chinese Hackers Deploy BRICKSTORM Malware to Target U.S. Legal and Tech Sectors
cybersecurity, 3 months ago

A suspected China-linked cyber espionage group, UNC5221, is using the sophisticated BRICKSTORM backdoor to infiltrate the U.S. legal, tech, and SaaS sectors. The group maintains long-term, stealthy access to steal sensitive information and potentially exploit zero-day vulnerabilities, and the backdoor remains under ongoing development and in active deployment across multiple systems.

"Ivanti VPN Vulnerabilities Spark Malware Attacks and Federal Agency Orders"
network-security-malware, 1 year ago

Mandiant has discovered new malware used by UNC5221 and other threat groups to exploit Ivanti Connect Secure VPN and Policy Secure devices, including custom web shells like BUSHWALK, CHAINLINE, and FRAMESTING, as well as a variant of LIGHTWIRE. The malware exploits vulnerabilities allowing arbitrary command execution and JavaScript-based credential stealing. The attacks involve open-source utilities for post-exploitation activities, and Ivanti has disclosed and released fixes for additional security flaws. UNC5221 targets various industries of strategic interest to China, with infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.