Cyber Security News

UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers

A recent cybersecurity threat, identified as UAT-5918, has been actively targeting entities in Taiwan, particularly those in critical infrastructure sectors such as telecommunications, healthcare, and information technology.

This advanced persistent threat (APT) group appears to be motivated by establishing long-term access to victim networks for information theft and credential harvesting.

UAT-5918 gains initial access by exploiting known vulnerabilities, or N-day vulnerabilities, in unpatched web and application servers exposed to the internet.

Post-Compromise Activities

Following successful exploitation, UAT-5918 conducts manual post-compromise activities focused on network reconnaissance and establishing persistence.

The group uses a variety of open-source tools, including web shells like the Chopper web shell, and networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg.

These tools enable the threat actor to move laterally within the compromised network, gather system information, and create new administrative user accounts.

Credential harvesting is a key tactic, employing tools like Mimikatz, LaZagne, and browser credential extractors to obtain local and domain-level user credentials.

UAT-5918 also uses tools like Impacket and WMIC for lateral movement via RDP and PowerShell remoting.
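The account-creation behaviour described above is one of the more detectable steps in this post-compromise chain. The following is an added example (not from the article or the Cisco Talos report) that correlates constructed Windows Security events, 4720 (account created) followed by 4732 (member added to a local group), to flag a newly created account that is placed in a privileged group within a short window; the event field names are a simplified assumption, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 4720 = user account created,
# 4732 = member added to a security-enabled local group. Field names are a
# simplified assumption for this example, not the actual Windows event schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-20T02:14:05", "id": 4720, "host": "WEB01",
     "subject": "IIS APPPOOL\\DefaultAppPool", "target": "svc_update"},
    {"ts": "2025-03-20T02:14:09", "id": 4732, "host": "WEB01",
     "subject": "IIS APPPOOL\\DefaultAppPool", "target": "svc_update",
     "group": "Administrators"},
    {"ts": "2025-03-20T09:30:00", "id": 4720, "host": "HR-PC7",
     "subject": "CORP\\helpdesk", "target": "jdoe"},
    {"ts": "2025-03-20T11:45:00", "id": 4732, "host": "HR-PC7",
     "subject": "CORP\\helpdesk", "target": "jdoe",
     "group": "Remote Desktop Users"},
]

# Groups whose membership grants admin rights or the RDP / WinRM access the
# article says the actor uses for lateral movement.
PRIV_GROUPS = {"Administrators", "Remote Desktop Users", "Remote Management Users"}


def find_new_privileged_accounts(events, window=timedelta(minutes=10)):
    """Return a list of alerts for accounts that were created (4720) and then
    added to a privileged group (4732) on the same host within `window`.

    Each alert is a dict with host, account, group, subject and severity.
    Severity is "high" when the creating identity is a web-application
    service account (an assumption for this example: an IIS app-pool name),
    which is the pattern a web-shell-driven compromise would leave behind.
    """
    created = defaultdict(list)  # (host, account) -> creation timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == 4720:
            created[key].append(t)
        elif ev["id"] == 4732 and ev.get("group") in PRIV_GROUPS:
            if any(timedelta(0) <= (t - c) <= window for c in created[key]):
                web_identity = ev["subject"].upper().startswith("IIS APPPOOL\\")
                alerts.append({"host": ev["host"], "account": ev["target"],
                               "group": ev["group"], "subject": ev["subject"],
                               "severity": "high" if web_identity else "medium"})
    return alerts
```

The second sample pair (account created at 09:30, added to Remote Desktop Users two hours later by a helpdesk user) falls outside the window and is not raised, which keeps routine provisioning out of the alert stream.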

Overlaps with Other APT Groups

The tactics, techniques, and procedures (TTPs) of UAT-5918 show significant overlaps with other APT groups, including Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.

According to the Cisco Talos report, these groups are known for targeting similar geographies and industry verticals, suggesting strategic alignment in their operations.

Victimology and Targeted Verticals

The use of tools like FRP, FScan, and In-Swor by UAT-5918 mirrors the tooling used by Tropic Trooper and Famous Sparrow.

However, some tools, such as LaZagne and SNetCracker, have not been publicly associated with these other groups, indicating possible exclusive use by UAT-5918.

To counter UAT-5918’s threats, organizations can employ various security measures.

Utilizing tools like Cisco Secure Endpoint can prevent malware execution, while Cisco Secure Email can block malicious emails.

Cisco Secure Firewall and Malware Analytics can detect and analyze malicious activity, providing comprehensive protection against such threats.

Implementing robust patch management to address N-day vulnerabilities is crucial in preventing initial access by UAT-5918 and similar APT groups.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
