1. Forum
  2. Fidonet
  3. CONSPRCY

  • Chinese hackers are targe

    From Mike Powell@1:2320/105 to All on Tue Aug 19 09:56:52 2025
    Chinese hackers are targeting web hosting firms - here's what we know

    Date:
    Tue, 19 Aug 2025 13:34:00 +0000

    Description:
    A web hosting company in Taiwan was recently targeted by what appears to be a Chinese state-sponsored actor.

    FULL STORY

    Chinese hacking groups are now targeting web hosting companies in Taiwan, researchers are saying.

    Security experts from Cisco Talos said they spotted a never-before-seen group that focuses on establishing long-term persistence in web infrastructure entities in Taiwan.

    They are tracking the miscreants under the moniker UAT-7237, and believe it
    to be a subgroup of UAT-5918, meaning it is still a distinct entity, and most likely a state-sponsored one, at that. While Talos does not explicitly say
    it, it does say that the tools the threat actors are using are quite similar
    to different typhoon hackers which are known to be state-sponsored.

    Living off the land

    Most of the tools are open source and somewhat customized, with a custom Shellcode loader known as SoundBill particularly standing out.

    The group uses Cobalt Strike beacons, is quite picky with its web shells, and relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients.

    Talos recently observed the group breaching a Taiwanese hosting provider ,
    and being particularly interested in gaining access to the victim
    organizations VPN and cloud infrastructure.

    UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential
    extraction, deploying bespoke malware , setting up backdoored access via VPN clients, network scanning and proliferation, the researchers explained.

    For initial access, UAT-7237 exploited known vulnerabilities on unpatched servers exposed to the internet. This technique is also common for other state-sponsored groups, such as Volt Typhoon and Flax Typhoon, who usually exploit unpatched VPN appliances, firewalls, and email servers. In some
    cases, they abuse valid credentials for VPN, RDP, and cloud accounts.

    While they occasionally drop lightweight web shells or custom loaders, their preference is to blend into normal network activity and establish persistence through compromised infrastructure rather than phishing or malware.

    Via Infosecurity Magazine

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/chinese-hackers-are-targeting-web-hosti ng-firms-heres-what-we-know

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)