- Cisco Talos has spotted a new threat actor, tracked as UAT-7237
- The group resembles the “Typhoon” groups sponsored by the Chinese state
- It has targeted web hosting companies in Taiwan
Chinese hacking groups are now targeting web hosting companies in Taiwan, researchers say.
Cisco Talos security experts said they had spotted a previously unseen group that focuses on “establishing long-term persistence in web infrastructure entities”.
They track the miscreants under the nickname UAT-7237 and believe it is a subgroup of UAT-5918, meaning it is still a distinct entity, and most likely a state-sponsored one at that. Although Talos does not say so explicitly, it notes that the tools the threat actors use are quite similar to those of the various “Typhoon” hacking groups known to be state-sponsored.
Most of the tools are open source and somewhat customized, with a custom shellcode loader known as “SoundBill” standing out in particular.
The group uses Cobalt Strike beacons, is selective about its use of web shells, and relies on a combination of Remote Desktop Protocol (RDP) and SoftEther VPN clients.
Talos recently observed the group breaching a Taiwanese hosting provider and noted that it was “particularly interested” in gaining access to the victim organization's VPN and cloud infrastructure.
“UAT-7237 has used open source and customized tools to carry out several malicious operations in the enterprise, including reconnaissance, credential extraction, deployment of custom malware, establishment of backdoor access via VPN clients, network scanning and propagation,” the researchers explained.
For initial access, UAT-7237 exploited known vulnerabilities on unpatched servers exposed to the Internet. This technique is also common among other state-sponsored groups, such as Volt Typhoon and Flax Typhoon, which generally exploit vulnerable VPN devices, firewalls and email servers. In some cases, they abuse valid credentials for VPN, RDP and cloud accounts.
Although they occasionally drop lightweight web shells or custom loaders, their preference is to blend into normal network activity and establish persistence through compromised infrastructure rather than through phishing or malware.
Via Infosecurity magazine