UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers

A threat actor tracked as UAT-5918 has been actively targeting entities in Taiwan, particularly those in critical infrastructure sectors such as telecommunications, healthcare, and information technology.

This advanced persistent threat (APT) group is believed to be focused on establishing long-term access for information theft and credential harvesting.

UAT-5918 gains initial access by exploiting known vulnerabilities, or N-day vulnerabilities, in unpatched web and application servers exposed to the internet.

Post-Compromise Activities

Following successful exploitation, UAT-5918 conducts manual post-compromise activities focused on network reconnaissance and establishing persistence.

The group uses a variety of open-source tools, including web shells like the Chopper web shell, and networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg.

These tools enable the threat actor to move laterally within the compromised network, gather system information, and create new administrative user accounts.

Credential harvesting is a key tactic, employing tools like Mimikatz, LaZagne, and browser credential extractors to obtain local and domain-level user credentials.

UAT-5918 also uses tools like Impacket and WMIC for lateral movement via RDP and PowerShell remoting.
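The post-compromise behaviours described above (a newly created account promoted to local Administrators, credential-dumping tools, and WMIC-driven remote process creation) are the kind of activity a SOC would look for in endpoint telemetry. The following is an added example, not code from the article or from the Cisco Talos report: it correlates constructed Windows Security / Sysmon-style JSON events (hostnames, account names, IP and timestamps are all made up) and flags account creation followed by an Administrators group add within a short window, plus process command lines matching the tooling the article names.

```python
"""
Added detection example (not part of the original article or the Talos report).
Input is constructed JSON-lines telemetry loosely shaped like Windows Security
event 4720 (account created), 4732 (member added to a local group) and Sysmon
event 1 (process creation). Every host, user, IP and timestamp is invented.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events. The hr02 pair is deliberately a day apart so it
# falls outside the correlation window and is not flagged.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-20T01:12:03", "host": "web01", "event_id": 4720, "target_user": "svc_backup"}
{"ts": "2025-03-20T01:12:09", "host": "web01", "event_id": 4732, "group": "Administrators", "member": "svc_backup"}
{"ts": "2025-03-20T01:15:40", "host": "web01", "event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic /node:10.0.0.5 process call create cmd.exe"}
{"ts": "2025-03-20T01:20:11", "host": "web01", "event_id": 1, "image": "C:\\Temp\\m.exe", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"}
{"ts": "2025-03-21T09:00:00", "host": "hr02", "event_id": 4720, "target_user": "jdoe"}
{"ts": "2025-03-22T09:05:00", "host": "hr02", "event_id": 4732, "group": "Administrators", "member": "jdoe"}
"""

# Case-insensitive command-line indicators for the tooling the article names.
SUSPICIOUS_CMDLINE = [
    ("credential dumping (Mimikatz-style)", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("credential dumping (LaZagne)", re.compile(r"lazagne", re.I)),
    ("WMIC remote process creation", re.compile(r"wmic\s+/node:\S+.*process\s+call\s+create", re.I)),
]

# Maximum gap between account creation and its promotion to Administrators.
ADMIN_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_new_admin_accounts(events, window=ADMIN_WINDOW):
    """Pair a 4720 with a later 4732 that adds the same account to
    Administrators on the same host within `window`."""
    created = {}  # (host, user) -> creation timestamp
    findings = []
    for ev in events:
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_user"].lower())] = ev["ts"]
        elif ev["event_id"] == 4732 and ev.get("group", "").lower() == "administrators":
            key = (ev["host"], ev["member"].lower())
            t0 = created.get(key)
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= window:
                findings.append({"host": ev["host"], "user": ev["member"],
                                 "created": t0, "promoted": ev["ts"]})
    return findings


def find_suspicious_processes(events):
    """Flag process-creation events whose command line matches an indicator."""
    findings = []
    for ev in events:
        if ev["event_id"] != 1:
            continue
        cmd = ev.get("cmdline", "")
        for label, pattern in SUSPICIOUS_CMDLINE:
            if pattern.search(cmd):
                findings.append({"host": ev["host"], "ts": ev["ts"],
                                 "label": label, "cmdline": cmd})
                break  # one label per event is enough for triage
    return findings


def triage(text):
    """Run both detections over raw JSON-lines telemetry."""
    events = parse_events(text)
    return {
        "new_admin_accounts": find_new_admin_accounts(events),
        "suspicious_processes": find_suspicious_processes(events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["new_admin_accounts"]:
        print(f"[admin-account] {f['host']}: {f['user']} created {f['created']}, "
              f"added to Administrators {f['promoted']}")
    for f in result["suspicious_processes"]:
        print(f"[process] {f['host']} {f['ts']}: {f['label']}: {f['cmdline']}")
```

The short correlation window is the point of the first check: legitimate onboarding rarely creates an account and promotes it to Administrators within seconds, whereas the hands-on activity described in the article does exactly that. The command-line patterns are coarse by design and should be tuned against your own baseline before being used as alerts.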

Overlaps with Other APT Groups

The tactics, techniques, and procedures (TTPs) of UAT-5918 show significant overlaps with other APT groups, including Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.

According to the Cisco Talos report, these groups are known for targeting similar geographies and industry verticals, suggesting strategic alignment in their operations.

N-Day Vulnerabilities
Figure: Victimology and targeted verticals

The use of tools like FRP, FScan, and In-Swor by UAT-5918 mirrors the tooling used by Tropic Trooper and Famous Sparrow.

However, some tools, such as LaZagne and SNetCracker, have not been publicly associated with these other groups, indicating possible exclusive use by UAT-5918.

To counter UAT-5918’s threats, organizations can employ various security measures.

Utilizing tools like Cisco Secure Endpoint can prevent malware execution, while Cisco Secure Email can block malicious emails.

Cisco Secure Firewall and Malware Analytics can detect and analyze malicious activity, providing comprehensive protection against such threats.

Implementing robust patch management to address N-day vulnerabilities is crucial in preventing initial access by UAT-5918 and similar APT groups.
