A recently profiled threat actor, tracked as UAT-5918, has been actively targeting entities in Taiwan, focusing on critical infrastructure sectors such as telecommunications, healthcare, and information technology. This advanced persistent threat (APT) group aims to establish long-term access for information theft and credential harvesting.
UAT-5918 gains initial access by exploiting known vulnerabilities, including N-day vulnerabilities, in unpatched web and application servers that are exposed to the internet. Once inside the target network, the group conducts manual post-compromise activities such as network reconnaissance and establishing persistence. They use various open-source tools like the Chopper web shell, FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg to move laterally within the compromised network, gather system information, and create new administrative user accounts.
Credential harvesting is a crucial tactic employed by UAT-5918, utilizing tools like Mimikatz, LaZagne, and browser credential extractors to obtain local and domain-level user credentials. Additionally, the group uses tools like Impacket and WMIC for lateral movement via RDP and PowerShell remoting.
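A defender-side check for the post-compromise pattern described above (a newly created account added to Administrators and then used over RDP), as an added example that is not drawn from the Talos report. The event records and their field names are constructed and simplified; the event IDs are the standard Windows Security IDs (4720 account created, 4732 member added to local group, 4624 logon, logon type 10 = RDP).

```python
"""Flag accounts that were created, made local administrators, and then
used for an RDP logon shortly afterwards. Added example; event records
below are constructed and the field layout is simplified."""
from datetime import datetime, timedelta

# Constructed sample events; real logs carry many more fields.
EVENTS = [
    {"t": "2025-03-20T02:11:05", "id": 4720, "account": "svc_backup"},
    {"t": "2025-03-20T02:11:09", "id": 4732, "account": "svc_backup",
     "group": "Administrators"},
    {"t": "2025-03-20T02:14:30", "id": 4624, "account": "svc_backup",
     "logon_type": 10},
    {"t": "2025-03-20T09:00:00", "id": 4720, "account": "jsmith"},
    {"t": "2025-03-20T09:05:00", "id": 4624, "account": "jsmith",
     "logon_type": 2},
]


def find_new_admin_rdp(events, window_seconds=3600):
    """Return accounts that were created (4720), added to Administrators
    (4732) and then logged on via RDP (4624, type 10) within
    window_seconds of creation."""
    window = timedelta(seconds=window_seconds)
    created = {}   # account -> creation time
    admins = set()  # accounts added to Administrators after creation
    hits = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        t, acct = datetime.fromisoformat(e["t"]), e["account"]
        if e["id"] == 4720:
            created[acct] = t
        elif (e["id"] == 4732 and e.get("group") == "Administrators"
              and acct in created):
            admins.add(acct)
        elif (e["id"] == 4624 and e.get("logon_type") == 10
              and acct in admins and t - created[acct] <= window):
            hits.append({"account": acct,
                         "created": created[acct].isoformat(),
                         "rdp_logon": t.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_rdp(EVENTS):
        print(hit)
```

The same three-event chain can be expressed as a correlation rule in a SIEM; the account-creation time gives the window anchor.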
The tactics, techniques, and procedures (TTPs) of UAT-5918 show significant overlaps with other APT groups like Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit. According to a report by Cisco Talos, these groups target similar geographies and industry verticals, indicating strategic alignment in their operations.
While some tools used by UAT-5918 overlap with those of other APT groups, tools like LaZagne and SNetCracker have not been publicly associated with these groups, suggesting exclusive use by UAT-5918. To mitigate the threats posed by UAT-5918, organizations can implement various security measures. Utilizing tools like Cisco Secure Endpoint can prevent malware execution, while Cisco Secure Email can block malicious emails. Cisco Secure Firewall and Malware Analytics are effective in detecting and analyzing malicious activity, offering comprehensive protection against such threats.
Implementing robust patch management to address N-day vulnerabilities is crucial in preventing initial access by UAT-5918 and similar APT groups. By staying proactive and vigilant, organizations can enhance their cybersecurity posture and defend against evolving threats in cyberspace.
