Chinese hackers are targeting web hosting firms - here's what we know
A web hosting company in Taiwan was recently targeted

- Cisco Talos spotted a new threat actor, tracked as UAT-7237
- The group resembles the "typhoon" Chinese state-sponsored groups
- It targeted web hosting firms in Taiwan
Chinese hacking groups are now targeting web hosting companies in Taiwan, researchers say.
Security experts from Cisco Talos said they spotted a never-before-seen group that focuses on “establishing long-term persistence in web infrastructure entities in Taiwan.”
They are tracking the miscreants under the moniker UAT-7237 and believe it to be a subgroup of UAT-5918: a distinct entity in its own right, and most likely a state-sponsored one at that. While Talos does not say so explicitly, it does note that the tools the threat actors use are quite similar to those of various “typhoon” hackers known to be state-sponsored.
Living off the land
Most of the tools are open source and somewhat customized; a custom shellcode loader known as “SoundBill” stands out in particular.
The group uses Cobalt Strike beacons, is quite picky with its web shells, and relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients.
Talos recently observed the group breaching a Taiwanese hosting provider, and being “particularly interested” in gaining access to the victim organization’s VPN and cloud infrastructure.
“UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation,” the researchers explained.
For initial access, UAT-7237 exploited known vulnerabilities on unpatched servers exposed to the internet. This technique is also common among other state-sponsored groups, such as Volt Typhoon and Flax Typhoon, which usually exploit unpatched VPN appliances, firewalls, and email servers. In some cases, they abuse valid credentials for VPN, RDP, and cloud accounts.
While they occasionally drop lightweight web shells or custom loaders, their preference is to blend into normal network activity and establish persistence through compromised infrastructure rather than phishing or malware.
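The two persistence habits described above, direct RDP access and a SoftEther VPN client planted on the victim, both leave traces in ordinary Windows event logs. The following Python script is an added example, not code from the article or from Talos, that shows how a defender might flag those traces: RDP logons (event 4624, logon type 10) from sources outside an allowlisted admin network, and new services (event 7045) whose name or binary path looks like a VPN client or lives in a user-writable directory. The log lines are constructed in a simplified key=value form, and the SoftEther indicator strings (SEVPNCLIENT, vpnclient.exe) are assumptions to be tuned to your environment.

```python
import ipaddress
import re

# Constructed sample events (not real logs) in a simplified key=value form.
# Event 4624 = Windows logon (LogonType 10 = RemoteInteractive, i.e. RDP);
# event 7045 = a new service was installed on the host.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 User=svc_backup SrcIP=203.0.113.45 Host=WEB01",
    "EventID=4624 LogonType=10 User=admin SrcIP=10.0.5.10 Host=WEB01",
    "EventID=4624 LogonType=3 User=www-data SrcIP=10.0.7.22 Host=WEB02",
    r"EventID=7045 ServiceName=SEVPNCLIENT ImagePath=C:\Users\Public\vpnclient.exe Host=WEB01",
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe Host=WEB02",
]

# Assumed indicator substrings for a SoftEther client install (lowercase).
VPN_CLIENT_MARKERS = ("softether", "sevpn", "vpnclient")
# Directories from which a legitimately deployed service binary would not normally run.
USER_WRITABLE_DIRS = (r"\users\public", r"\programdata", r"\temp")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces here)."""
    return dict(KV_RE.findall(line))


def in_admin_network(ip, admin_networks):
    """True if ip falls inside any of the allowlisted admin CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in admin_networks)


def classify(event, admin_networks):
    """Return a one-line finding for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == "4624" and event.get("LogonType") == "10":
        # Interactive RDP session: only expected from the admin jump network.
        if not in_admin_network(event["SrcIP"], admin_networks):
            return (f"RDP logon to {event['Host']} as {event['User']} "
                    f"from non-admin source {event['SrcIP']}")
    elif eid == "7045":
        name = event.get("ServiceName", "").lower()
        path = event.get("ImagePath", "").lower()
        if any(m in name or m in path for m in VPN_CLIENT_MARKERS):
            return (f"VPN client service '{event['ServiceName']}' installed on "
                    f"{event['Host']} ({event['ImagePath']})")
        if any(d in path for d in USER_WRITABLE_DIRS):
            return (f"service '{event['ServiceName']}' installed from a "
                    f"user-writable path on {event['Host']}")
    return None


def find_suspicious(lines, admin_networks):
    """Run classify() over raw log lines and collect the findings in order."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line), admin_networks)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # 10.0.5.0/24 stands in for the admin jump-host network (constructed value).
    for finding in find_suspicious(SAMPLE_EVENTS, ["10.0.5.0/24"]):
        print("ALERT:", finding)
```

On the constructed sample the script raises two alerts: the RDP logon from 203.0.113.45, which is outside the admin range, and the SEVPNCLIENT service installed from C:\Users\Public. The logon from 10.0.5.10, the non-RDP logon, and the Spooler service are left alone. In production the admin ranges, service-name markers and path list would come from an inventory of sanctioned remote-access tooling, which is exactly what a living-off-the-land actor is betting you do not have.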
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.