UAT-5918 Threat Actors Target Exposed Web and App Servers via N-Day Vulnerabilities

Cisco Talos has identified a malicious campaign, tracked under the designation UAT-5918, which has been active since at least 2023.

This threat actor is believed to be motivated by establishing long-term access for information theft, primarily targeting entities in Taiwan.

UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.

Following successful compromise, the threat actor employs a range of open-source tools for network reconnaissance and persistence in victim environments.

Tactics and Techniques

UAT-5918’s post-compromise activities involve manual operations focused on information theft.

The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, creating multiple entry points into victim organizations.

Credential harvesting is a key tactic, involving tools like Mimikatz and browser credential extractors to obtain local and domain-level user credentials.

New administrative user accounts are created to facilitate additional access channels, such as Remote Desktop Protocol (RDP) connections to significant endpoints.

UAT-5918 uses networking tools like FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg for establishing control channels and conducting network reconnaissance.
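The account-creation and RDP behaviour described above is straightforward to correlate in Windows Security event logs. The following Python is an added example, not code from the Talos report or from Cyber Press: it chains an account creation (event 4720), the same account being added to the built-in Administrators group (event 4732) and a later RemoteInteractive logon (event 4624, logon type 10) on the same host. It assumes the events have already been parsed into dictionaries with the field names shown; the sample records are constructed, and the "created by an IIS app-pool identity" flag is a heuristic of this example, not something the report states.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (real values).
EVT_USER_CREATED = 4720              # A user account was created
EVT_LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
EVT_LOGON = 4624                     # An account was successfully logged on
LOGON_TYPE_RDP = 10                  # RemoteInteractive: RDP / Terminal Services

# Well-known SID of the built-in Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample records (assumed shape: already-parsed event fields).
SAMPLE_EVENTS = [
    # Account created by an IIS application-pool identity, i.e. by the web server process.
    {"time": "2025-03-01T02:10:00", "EventID": 4720, "Host": "web01",
     "TargetUserName": "svc_backup", "SubjectUserName": "IIS APPPOOL\\DefaultAppPool"},
    # Same account added to the local Administrators group.
    {"time": "2025-03-01T02:10:05", "EventID": 4732, "Host": "web01",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "svc_backup", "SubjectUserName": "IIS APPPOOL\\DefaultAppPool"},
    # RDP logon with the new account (203.0.113.0/24 is documentation address space).
    {"time": "2025-03-01T02:25:41", "EventID": 4624, "Host": "web01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "203.0.113.45"},
    # Benign: helpdesk creates a standard user who then logs on at the console.
    {"time": "2025-03-01T09:00:00", "EventID": 4720, "Host": "ws07",
     "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
    {"time": "2025-03-01T09:05:00", "EventID": 4624, "Host": "ws07",
     "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"},
]


def _account(ev):
    """The user account an event is about: 4732 names the member, the others the target user."""
    if ev["EventID"] == EVT_LOCAL_GROUP_MEMBER_ADDED:
        return ev.get("MemberName")
    return ev.get("TargetUserName")


def find_new_admin_rdp(events, window=timedelta(hours=24)):
    """Correlate 4720 -> 4732 (Administrators) -> 4624/type 10 per (host, account).

    Returns one alert dict per account that was created, made a local admin and
    then used for an RDP logon within `window` of its creation.
    """
    created = {}         # (host, account) -> (creation time, creating principal)
    admin_added = set()  # (host, account) pairs added to Administrators after creation
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        key = (ev["Host"], _account(ev))
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["EventID"]
        if eid == EVT_USER_CREATED:
            created[key] = (ts, ev.get("SubjectUserName", ""))
        elif eid == EVT_LOCAL_GROUP_MEMBER_ADDED and ev.get("TargetSid") == ADMINISTRATORS_SID:
            if key in created:
                admin_added.add(key)
        elif eid == EVT_LOGON and ev.get("LogonType") == LOGON_TYPE_RDP:
            if key in admin_added and ts - created[key][0] <= window:
                created_at, creator = created[key]
                alerts.append({
                    "host": key[0],
                    "account": key[1],
                    "created_at": created_at.isoformat(),
                    "rdp_at": ts.isoformat(),
                    "source_ip": ev.get("IpAddress", "-"),
                    # Heuristic (assumption of this example): an IIS app-pool identity
                    # creating accounts points at commands issued through a web shell.
                    "created_by_web_process": creator.upper().startswith("IIS APPPOOL"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admin_rdp(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields a single alert for `svc_backup` on `web01`, while the helpdesk-created account is ignored because it never becomes an administrator and never logs on over RDP. The 24-hour window and the app-pool heuristic are tuning knobs; a production version would expire the `created` state rather than hold it indefinitely, and would take the group check from the SID rather than the localised group name, as done here.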

The threat actor’s tooling and tactics, techniques, and procedures (TTPs) overlap significantly with those of other APT groups, including Volt Typhoon, Flax Typhoon, and Dalbit.

According to the report, these overlaps suggest strategic alignment with these groups, which have targeted similar geographies and industry verticals, such as telecommunications, healthcare, and critical infrastructure sectors in Taiwan.

Victimology and targeted verticals

UAT-5918’s use of tools like FRP, FScan, and In-Swor also aligns with Tropic Trooper’s operations, further indicating a shared operational landscape among these threat actors.

Mitigation and Detection

To counter UAT-5918’s threats, organizations can leverage security solutions such as Cisco Secure Endpoint, which can prevent the execution of malware associated with this campaign.

Additionally, Cisco Secure Email and Cisco Secure Firewall can block malicious emails and detect malicious activity, respectively.

Implementing robust patch management to address N-day vulnerabilities is crucial to preventing initial access by UAT-5918.

Continuous network monitoring and the use of tools like Umbrella to block malicious domains and IPs can also enhance security posture against such threats.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.