Cyber Security News

UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers

A recently identified threat actor, tracked as UAT-5918, has been actively targeting entities in Taiwan, particularly those in critical infrastructure sectors such as telecommunications, healthcare, and information technology.

This advanced persistent threat (APT) group is believed to be motivated by establishing long-term access for information theft and credential harvesting.

UAT-5918 gains initial access by exploiting known vulnerabilities, or N-day vulnerabilities, in unpatched web and application servers exposed to the internet.

Post-Compromise Activities

Following successful exploitation, UAT-5918 conducts manual post-compromise activities focused on network reconnaissance and establishing persistence.

The group uses a variety of open-source tools, including web shells such as Chopper, and networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg.

These tools enable the threat actor to move laterally within the compromised network, gather system information, and create new administrative user accounts.

Credential harvesting is a key tactic, employing tools like Mimikatz, LaZagne, and browser credential extractors to obtain local and domain-level user credentials.

UAT-5918 also uses tools like Impacket and WMIC for lateral movement via RDP and PowerShell remoting.
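As an added example (not code from the article or from the Talos report), the following Python correlates constructed Windows Security events for two of the post-compromise behaviours described above: a newly created account being added to the local Administrators group shortly afterwards, and process launches whose image name matches the credential-dumping and scanning tools listed. The file-name tokens, the 15-minute window and the sample events are assumptions.

```python
from datetime import datetime, timedelta

# Tool-name tokens matched against the launched image name (case-insensitive).
# The article names the tools; these on-disk file-name tokens are an assumption.
TOOL_TOKENS = ("mimikatz", "lazagne", "fscan", "frpc", "in-swor", "earthworm", "neoreg")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events: (time, host, event_id, fields). The event IDs are
# the real Windows Security IDs: 4720 user created, 4732 member added to a
# local group, 4688 process created. Real 4732 events identify the member by
# SID rather than name; the sample uses the name so the join stays readable.
SAMPLE_EVENTS = [
    (ts("2024-01-10 02:14:05"), "WEB01", 4720, {"TargetUserName": "svc_backup"}),
    (ts("2024-01-10 02:14:09"), "WEB01", 4732,
     {"MemberName": "svc_backup", "TargetUserName": "Administrators"}),
    (ts("2024-01-10 02:20:41"), "WEB01", 4688,
     {"NewProcessName": r"C:\Windows\Temp\mimikatz.exe"}),
    (ts("2024-01-10 09:00:00"), "HR02", 4720, {"TargetUserName": "jdoe"}),
    (ts("2024-01-10 09:05:00"), "HR02", 4688,
     {"NewProcessName": r"C:\Windows\System32\notepad.exe"}),
    # Routine admin grant two days after creation: outside the window, not flagged.
    (ts("2024-01-12 10:00:00"), "HR02", 4732,
     {"MemberName": "jdoe", "TargetUserName": "Administrators"}),
]

def new_admin_accounts(events, window=timedelta(minutes=15)):
    """(host, account) pairs where a 4720 is followed on the same host by a 4732
    into Administrators for that account within `window` (window is an assumption)."""
    hits = []
    for t0, host, eid, f in events:
        if eid != 4720:
            continue
        user = f["TargetUserName"]
        if any(e == 4732 and h == host and g.get("MemberName") == user
               and g.get("TargetUserName") == "Administrators"
               and t0 <= t <= t0 + window for t, h, e, g in events):
            hits.append((host, user))
    return hits

def tool_executions(events):
    """(host, image) for 4688 events whose image file name contains a tool token."""
    hits = []
    for _, host, eid, f in events:
        if eid == 4688:
            image = f["NewProcessName"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if any(tok in image for tok in TOOL_TOKENS):
                hits.append((host, image))
    return hits
```

On real telemetry, join the 4732 member SID back to the 4720 account SID instead of the name, and feed 4688 events from a source that records the full image path.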

Overlaps with Other APT Groups

The tactics, techniques, and procedures (TTPs) of UAT-5918 show significant overlaps with other APT groups, including Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.

According to the Cisco Talos report, these groups are known for targeting similar geographies and industry verticals, suggesting strategic alignment in their operations.

Victimology and targeted verticals

The use of tools like FRP, FScan, and In-Swor by UAT-5918 mirrors the tooling used by Tropic Trooper and Famous Sparrow.

However, some tools, such as LaZagne and SNetCracker, have not been publicly associated with these other groups, indicating possible exclusive use by UAT-5918.

To counter UAT-5918’s threats, organizations can employ various security measures.

Utilizing tools like Cisco Secure Endpoint can prevent malware execution, while Cisco Secure Email can block malicious emails.

Cisco Secure Firewall and Malware Analytics can detect and analyze malicious activity, providing comprehensive protection against such threats.

Implementing robust patch management to address N-day vulnerabilities is crucial in preventing initial access by UAT-5918 and similar APT groups.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
