Cisco Talos has discovered a malicious campaign, tracked under the UAT-5918 umbrella, that has been active since at least 2023. The threat actor is believed to be motivated by establishing long-term access for information theft: it uses a combination of web shells and open-source tools to conduct post-compromise activity, maintain persistence in victim environments, and harvest credentials. Talos assesses that UAT-5918's post-compromise tactics, techniques, and procedures (TTPs), as well as its victimology, overlap most closely with intrusions previously attributed to Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.
UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. It usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet, then uses various open-source tools for network reconnaissance and movement through the compromised enterprise. Its targeted geographies and industry verticals overlap with those of the other APT groups named above, indicating that UAT-5918's operations align with the same strategic goals.
“The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft,” Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura, Cisco Talos researchers wrote in a Thursday blog post. “Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918’s intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.”
They added that the typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. “Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket.”
The researchers noted “We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit.”
Cisco Talos identified a significant overlap in post-compromise tooling and TTPs with Volt Typhoon: using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition details; gathering logical drive information such as names, IDs, size, and free space; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure.
“Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information,” the researchers observed. “The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.”
In August 2023, Microsoft researchers detailed Flax Typhoon targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some usually benign software to quietly remain in these networks.
Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as the file paths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper's malware suite, specifically Crowdoor Loader and SparrowDoor, overlaps with the threat actors known as Famous Sparrow and Earth Estries.
The researchers also observed overlaps in tooling and tactics between this UAT-5918 campaign and operations conducted by Earth Estries, including the use of FRP, FScan, web shells, Impacket, and living-off-the-land binaries (LoLBins). They further found similar tooling between UAT-5918 and Dalbit, consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.
“It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting,” the post added. “It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures.”
UAT-5918 typically gains initial access to its victims by exploiting known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users and domains and to gather system information. Initial credential reconnaissance is carried out using the 'cmdkey' command. The threat actor then downloads and places publicly available red-teaming tools on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender's scanning of its working directories on disk.
Cisco Talos detailed that the threat actor uses two utilities for monitoring current connections on compromised hosts: NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to. "The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified."
The researchers found that credential harvesting is another key tactic in UAT-5918 intrusions, carried out with tools such as Mimikatz, LaZagne, and browser credential stealers. The actor also consistently attempts to gain access to additional endpoints within the enterprise, performing network reconnaissance cyclically to discover new endpoints worth pivoting to and attempting to reach them via RDP or Impacket.
“UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor,” the Talos researchers identified. “This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD[.]exe utility to create a database backup that could be exfiltrated.”
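The post-compromise chain described above lends itself to a simple hunt over process-creation telemetry. The following is an added example, not code from the Talos report or from this article: it turns the behaviours the article lists (cmdkey credential reconnaissance, Defender exclusions on working directories, Mimikatz/LaZagne, registry-hive and NTDS dumping, new administrative accounts, CurrPorts/TCPView, and sqlcmd database backups) into regex rules, scores them per host, and then follows any account created on a flagged host to the other hosts where that account was used, which is the pivot pattern the researchers describe. The event field names and every sample command line are constructed for this example and are not indicators published by Talos.

```python
"""Hunt for a UAT-5918-style post-compromise chain in process-creation logs.

Added example (not from the Talos report). Field names ("host", "user",
"cmdline") and all sample events below are assumptions made for this example.
"""
import re
from collections import defaultdict

# Each rule: (category, regex applied to the lower-cased command line).
RULES = [
    ("credential_recon", re.compile(r"\bcmdkey(\.exe)?\s+/list\b")),
    ("defender_exclusion", re.compile(r"\b(add|set)-mppreference\b.*-exclusionpath\b")),
    ("defender_disable", re.compile(r"\bset-mppreference\b.*-disablerealtimemonitoring\b")),
    ("hive_dump", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("ntds_dump", re.compile(r"\bntdsutil\b")),
    ("cred_tool", re.compile(r"\b(mimikatz|lazagne)(\.exe)?\b")),
    ("new_user", re.compile(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("admin_account", re.compile(r"\bnet(1)?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b")),
    ("conn_monitor", re.compile(r"\b(cports|tcpview)(64)?\.exe\b")),
    ("db_backup", re.compile(r"\bsqlcmd(\.exe)?\b.*\bbackup\s+database\b")),
]

# Same shape as the new_user rule, but captures the account name (group 3).
NEW_USER_RE = re.compile(r"\bnet(1)?(\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b")

# Behaviours that are rarely legitimate on their own score 3; noisy ones score 1.
HIGH_CONFIDENCE = {"cred_tool", "hive_dump", "ntds_dump", "defender_exclusion", "defender_disable"}


def classify(cmdline):
    """Return the set of rule categories a single command line triggers."""
    text = cmdline.lower()
    return {cat for cat, rx in RULES if rx.search(text)}


def score(categories):
    """Weighted score for the categories seen on one host."""
    return sum(3 if c in HIGH_CONFIDENCE else 1 for c in categories)


def hunt(events, threshold=3):
    """Flag hosts whose combined hits reach the threshold, then follow accounts
    created on flagged hosts to other hosts where they were used as the actor."""
    hits = defaultdict(set)
    created = {}  # account name -> host where `net user <name> <pw> /add` ran
    for ev in events:
        hits[ev["host"]] |= classify(ev["cmdline"])
        m = NEW_USER_RE.search(ev["cmdline"].lower())
        if m:
            created[m.group(3)] = ev["host"]
    flagged = {h for h, cats in hits.items() if score(cats) >= threshold}
    suspect = {acct: h for acct, h in created.items() if h in flagged}
    for ev in events:
        acct = ev["user"].lower().rsplit("\\", 1)[-1]  # strip DOMAIN\ prefix
        if acct in suspect and ev["host"] != suspect[acct]:
            hits[ev["host"]].add("pivot_via_created_account")
            flagged.add(ev["host"])
    return {h: sorted(hits[h]) for h in sorted(flagged)}


# Constructed sample events modelled on the behaviour the article describes,
# plus benign noise (a DBA backup, a helpdesk account creation, a developer
# running TCPView) that a single rule would misfire on.
SAMPLE_EVENTS = [
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "cmdline": "cmd.exe /c cmdkey /list"},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "cmdline": 'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\ProgramData\\temp"'},
    {"host": "WEB01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "C:\\ProgramData\\temp\\mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WEB01", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "reg save HKLM\\SAM C:\\ProgramData\\temp\\sam.hiv"},
    {"host": "WEB01", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "net user backup_svc Passw0rd! /add"},
    {"host": "WEB01", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "net localgroup administrators backup_svc /add"},
    {"host": "DB02", "user": "CORP\\backup_svc", "cmdline": "C:\\Users\\Public\\cports.exe"},
    {"host": "DB02", "user": "CORP\\backup_svc",
     "cmdline": 'sqlcmd -S . -Q "BACKUP DATABASE Customers TO DISK=\'C:\\Users\\Public\\c.bak\'"'},
    {"host": "DB02", "user": "CORP\\dba",
     "cmdline": 'sqlcmd -S . -Q "BACKUP DATABASE Customers TO DISK=\'D:\\backups\\nightly.bak\'"'},
    {"host": "WS17", "user": "CORP\\helpdesk", "cmdline": "net user jsmith Welcome1 /add"},
    {"host": "WS17", "user": "CORP\\dev", "cmdline": "C:\\Tools\\tcpview64.exe"},
]

if __name__ == "__main__":
    for host, cats in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(cats))
```

On the constructed data only WEB01 crosses the threshold on its own; DB02 is pulled in because the `backup_svc` account created on WEB01 shows up as the acting user there, while WS17 (a helpdesk account creation plus a developer's TCPView) stays below threshold. The weighting is the part to tune per environment: `conn_monitor`, `new_user` and `db_backup` are deliberately low-scoring because administrators do those things.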
Last month, Cisco Talos researchers disclosed that, while tracking reports of extensive intrusion activity targeting several U.S. telecommunications firms, they determined that in the incidents investigated to date, initial access to Cisco devices was gained by the threat actor using legitimate victim login credentials. The threat actor then demonstrated the ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.