

Ethical Hacking News

New Threat Actor UAT-5918 Targets Critical Infrastructure with Web Shells and Open-Source Tools



  • UAT-5918 is a newly discovered threat actor targeting critical infrastructure in Taiwan.
  • The group uses web shells and open-source tooling for post-compromise activity, including network reconnaissance and information theft.
  • UAT-5918's tooling and tactics overlap with several Chinese hacking crews; the overlap ties it to that ecosystem rather than proving who operates it.
  • The group is assessed as an advanced persistent threat (APT) looking to establish long-term access in victim environments.
  • UAT-5918 uses tools like Mimikatz and BrowserDataLite to harvest credentials and pilfer login information.



  • Cisco Talos researchers have attributed a cluster of intrusions against critical infrastructure in Taiwan to a newly named threat actor, UAT-5918, with activity dating back to at least 2023.

    The group is assessed to be motivated by long-term access for information theft and relies on a combination of web shells and open-source tooling for its post-compromise activity. Its attack chains begin with exploitation of N-day vulnerabilities in unpatched web and application servers exposed to the internet. The resulting foothold is used to drop several open-source tools for network reconnaissance, system information gathering, and lateral movement.

    UAT-5918's post-exploitation tradecraft includes Fast Reverse Proxy (FRP) and Neo-reGeorg, used to set up reverse proxy tunnels so that compromised endpoints can be reached from attacker-controlled remote hosts. For credential harvesting the actor uses Mimikatz, LaZagne, and a browser data extractor dubbed BrowserDataLite.

    BrowserDataLite pilfers login information, cookies, and browsing history from web browsers. The activity Talos observed suggests the post-compromise work is carried out manually by an operator, with information theft as the main goal. It also includes deploying web shells on any discovered sub-domains and internet-facing servers, which gives the actor multiple points of re-entry into the victim organization.
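    The chain described above (N-day exploit on an exposed server, web shell dropped, tunnel and credential tooling staged through it) leaves its clearest traces on the web server itself. What follows is an added example, not code from Cisco Talos or from the article, of two offline hunts a responder can run against artefacts pulled from such a server: a pass over combined-format access logs for command-style parameters and referer-less POSTs from non-browser clients, and a scan of server-side script text for the read-request-input-then-exec pattern that almost every web shell shares. The parameter names, user-agent patterns, and all sample log lines and script snippets are constructed assumptions for the example and should be tuned to the environment being examined.

```python
"""Hunt for web-shell activity on an internet-facing web server.

Two offline checks a responder can run against artefacts pulled from the host:
  1. scan_access_log(): flag requests to server-side scripts that carry
     command-style parameters, or referer-less POSTs from scripting clients.
  2. scan_source(): flag script files that both read request input and reach
     an exec/eval primitive, the two halves of almost every web shell.
Parameter names, user-agent patterns and all sample data are constructed for
this example and should be tuned to the environment being examined.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx")
# Query-string names used by common one-line shells (assumption: tune per site).
CMD_PARAMS = {"cmd", "exec", "command", "c", "pass", "z0"}
# Non-browser clients; a browser-facing endpoint rarely sees these.
TOOL_UA = re.compile(r"python-requests|curl/|Go-http-client|^-?$", re.I)


def scan_access_log(lines):
    """Map each suspicious script path to the list of reasons it was flagged."""
    findings = defaultdict(list)
    blind_posters = defaultdict(set)  # path -> client IPs that POST without a referer
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        path = url.path
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        hits = sorted(set(parse_qs(url.query)) & CMD_PARAMS)
        if hits:
            findings[path].append(f"{m['method']} with command-style parameter {','.join(hits)}")
        if m["method"] == "POST" and m["referer"] in ("", "-"):
            blind_posters[path].add(m["ip"])
            if TOOL_UA.search(m["ua"]):
                findings[path].append(f"referer-less POST from {m['ip']} with tooling UA '{m['ua']}'")
    # A script whose referer-less POSTs all come from one client is what an
    # operator driving a shell, or a Neo-reGeorg style tunnel script, looks like.
    for path, ips in blind_posters.items():
        if len(ips) == 1:
            findings[path].append(f"all referer-less POSTs come from a single client ({next(iter(ips))})")
    return dict(findings)


# Request-input reads and exec/eval primitives for PHP, ASP.NET/JScript and JSP.
REQUEST_INPUT = re.compile(
    r'\$_(GET|POST|REQUEST|COOKIE)\b|Request(\.Item|\.Form|\.QueryString|\.Params)?\s*\[|request\.getParameter'
)
EXEC_PRIMITIVE = re.compile(
    r'\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\('
    r'|(Process\.Start|ProcessStartInfo|ProcessBuilder|Runtime\.getRuntime\(\)\.exec|Assembly\.Load)'
)


def scan_source(text):
    """Return the exec/eval primitives found in a script that also reads request input.

    Reading input alone is normal; reaching a code-execution primitive in the same
    file is the pattern worth reviewing by hand."""
    if not REQUEST_INPUT.search(text):
        return []
    return sorted({m.group(1) or m.group(2) for m in EXEC_PRIMITIVE.finditer(text)})


# Constructed sample data for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Mar/2025:10:01:12 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '198.51.100.7 - - [19/Mar/2025:10:01:30 +0800] "POST /login.php HTTP/1.1" 302 0 "https://www.example.tw/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '203.0.113.5 - - [19/Mar/2025:10:02:44 +0800] "POST /uploads/img.aspx HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [19/Mar/2025:10:02:51 +0800] "GET /uploads/img.aspx?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [19/Mar/2025:10:03:10 +0800] "POST /uploads/img.aspx HTTP/1.1" 200 4021 "-" "python-requests/2.31.0"',
]
ASPX_SHELL = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
JSP_SHELL = '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
BENIGN_PHP = '<?php $q = $_GET["q"]; echo htmlspecialchars($q); ?>'

if __name__ == "__main__":
    for path, reasons in scan_access_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
    for name, src in (("aspx", ASPX_SHELL), ("jsp", JSP_SHELL), ("php", BENIGN_PHP)):
        print(name, scan_source(src))
```

    On the constructed sample, only /uploads/img.aspx is flagged (four reasons) while /login.php, which receives a browser POST with a referer, stays clean. The single-client heuristic is deliberately coarse: it also surfaces tunnel scripts of the Neo-reGeorg kind, which are driven by one client over many requests, but it will flag any internal integration that POSTs to a script from a fixed address, so treat its output as a review queue rather than an alert. Credential dumping with Mimikatz or LaZagne happens on the endpoint, not the web tier, and needs host-based detection that this script does not attempt.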

    Critical infrastructure is the primary target, but other verticals hit include information technology, telecommunications, academia, and healthcare. The group is assessed to be an advanced persistent threat (APT) seeking long-term persistent access in victim environments.

    UAT-5918's attack patterns show tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit. Shared tooling and tradecraft do not by themselves establish a shared operator, but they place UAT-5918 within the same cluster of China-linked activity against Taiwan, and organizations there should prioritize it accordingly.

    Nothing in the chain requires bespoke capability: N-day exploits against unpatched internet-facing servers, publicly available web shells, and off-the-shelf utilities such as FRP, Mimikatz, and LaZagne are available to anyone. That is precisely what makes the activity hard to detect in time. There is no custom malware to signature, and the tools look like those an administrator or a penetration tester might legitimately run, so defenders have to rely on behaviour (new script files appearing in web roots, outbound tunnels from web servers, credential dumping on endpoints) rather than on file-based indicators.

    In short, UAT-5918 is a newly named actor that has been targeting critical infrastructure in Taiwan since at least 2023 using web shells and open-source tools, with tradecraft that overlaps several Chinese hacking crews. The immediate defensive takeaway is to patch internet-facing web and application servers and to hunt for web shells and reverse-proxy tunnels on them.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Threat-Actor-UAT-5918-Targets-Critical-Infrastructure-with-Web-Shells-and-Open-Source-Tools-ehn.shtml

  • https://thehackernews.com/2025/03/uat-5918-targets-taiwans-critical.html


  • Published: Fri Mar 21 10:33:03 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.