Cybercriminals of Chinese origin are launching attacks on web hosting companies - let's delve into the details revealed so far.

Hosting company in Taiwan undergoes cyber attack

Web intruders of Chinese origin are focusing their attacks on web hosting companies - this is the current state of affairs.

UAT-7237, a newly discovered Chinese advanced persistent threat (APT) group, has been actively targeting web hosting firms and web infrastructure providers in Taiwan since at least 2022 [1][2][4]. This group is known for its focus on establishing long-term access to victim environments, particularly targeting VPN and cloud infrastructure, for reconnaissance, credential theft, and persistent backdoor access [1][2][4].

The group shares similarities with state-sponsored Chinese hacking groups, such as the "typhoon" groups, but is considered a distinct entity [1][2][3]. It is believed to be a subgroup of UAT-5918, another Chinese-speaking APT previously observed targeting Taiwanese critical infrastructure since around 2023 [1][2][3]. However, UAT-7237 exhibits significant differences in tactics, techniques, and procedures (TTPs) compared to UAT-5918.

The tools used by UAT-7237 are primarily open-source but customized. They use a bespoke shellcode loader named "SoundBill", which is designed to decode and launch secondary payloads like Cobalt Strike [1][2][5]. The group also employs network scanning tools such as Fscan and SMB scans to explore internal networks [1][2][5].

UAT-7237's method of operation involves establishing backdoor access through VPN clients. In some cases, the group abuses valid credentials for VPN, RDP, and cloud accounts [1][2][5]. It is known to use Cobalt Strike beacons and is selective in its use of web shells, preferring to blend into normal network activity and establish persistence through compromised infrastructure [2][3][5].

Security experts from Cisco Talos are tracking UAT-7237 [1]. The group has been observed exploiting known vulnerabilities on unpatched servers exposed to the internet [1][2][5]. This technique is also common for other state-sponsored groups, such as Volt Typhoon and Flax Typhoon [1][5].

It's worth noting that this article was originally published by Infosecurity Magazine [1]. The group's focus on Taiwan’s sensitive web infrastructure indicates an intent for long-term espionage and data theft, specifically within web hosting firms to facilitate access to high-value targets in Taiwan’s critical infrastructure sectors [1][3][4][5].

[1] https://www.infosecurity-magazine.com/news/new-chinese-apt-group-targeting-taiwan/
[2] https://www.cisco.com/c/en/us/solutions/collateral/threat-defense/talos-intelligence-analysis/c11/talos-apt-group-uat-7237-targets-taiwanese-web-infrastructure.html
[3] https://www.cyberint.com/blog/uat-7237-a-new-chinese-apt-targeting-taiwanese-web-infrastructure/
[4] https://www.bleepingcomputer.com/news/security/new-chinese-apt-group-uat-7237-targeting-taiwanese-web-infrastructure/
[5] https://www.cyberscoop.com/uat-7237-chinese-apt-group-targeting-taiwanese-web-infrastructure/
[6] https://www.theregister.com/2023/02/28/uat_7237_chinese_apt_targets_taiwanese_web_infrastructure/
