CyberSecurity news
FlagThis
@cyberalerts.io
//
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.
UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.
ImgSrc: blogger.googleu
References :
UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.
ImgSrc: blogger.googleu
Share:
References :
- Cisco Talos Blog: UAT-5918 targets critical infrastructure entities in Taiwan
- Industrial Cyber: UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon
- thehackernews.com: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
- Talkback Resources: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools [ics] [net]
- Cyber Security News: UAT-5918 Threat Actors Target Exposed Web and Application Servers via N-Day Vulnerabilities
- gbhackers.com: UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers
- The DefendOps Diaries: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
- securityaffairs.com: UAT-5918 ATP group targets critical Taiwan
- www.scworld.com: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim systems.
- Virus Bulletin: Cisco Talos researchers Jung soo An, Asheer Malhotra, Brandon White & Vitor Ventura analyse a UAT-5918 malicious campaign targeting critical infrastructure entities in Taiwan.
Classification:
- HashTags: #UAT5918 #WebShell #CyberEspionage
- Company: Taiwan
- Target: Taiwan Critical Infrastructure
- Attacker: UAT-5918
- Product: Web Shells
- Feature: Web Shells
- Malware: Web Shells
- Type: Espionage
- Severity: Major