ConnectWise says nation-state attack targeted multiple ScreenConnect customers
#ConnectWise #CVE_2024_1709
https://therecord.media/connectwise-nation-state-attack-targeted-some-customers

The company said it “recently learned of suspicious activity” within its environment that it believes “was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers.”

GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs

Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs. GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours.

Mandiant reported on the N-day exploitation of CVE-2023-46747 (9.8 critical, disclosed 26 October 2023 by F5, added to CISA KEV on 31 October 2023) unauthenticated RCE and ConnectWise CVE-2024-1709 (10.0 critical, disclosed 19 February 2024 by ConnectWise as exploited zero-day, in KEV) by the Chinese threat actor UNC5174, who they assess to be acting as a contractor for China's Ministry of State Security (MSS). Mandiant provides timeline and evidence of exploitation, post-exploitation tactics, custom malware and tooling. IOC and detection rules provided. 🔗 https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect

#UNC5174 #China #cyberespionage #threatintel #IOC #MSS #CVE_2023_46747 #CVE_2024_1709 #F5 #ConnectWise #ScreenConnect #eitw #activeexploitation #KEV

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect | Mandiant
