Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools
What’s new
A Chinese-speaking advanced persistent threat (APT) group, identified as UAT-7237, has breached web servers in Taiwan using customized open-source hacking tools. This group has been active since at least 2022 and is linked to UAT-5918, which targets critical infrastructure. The attacks exploit known vulnerabilities in unpatched servers and use a bespoke shellcode loader named SoundBill to deploy secondary payloads such as Cobalt Strike. UAT-7237 also employs SoftEther VPN for persistent access and has been observed changing Windows Registry settings to disable User Account Control (UAC).
Who’s affected
Web infrastructure entities in Taiwan are the primary targets of these attacks, particularly those with unpatched vulnerabilities exposed to the internet.
What to do
- Ensure all web servers are updated and patched against known vulnerabilities.
- Implement monitoring for unusual access patterns, especially involving RDP and VPN connections.
- Review and strengthen security configurations, including User Account Control settings.
- Consider deploying intrusion detection systems to identify and mitigate potential breaches.
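As an added defender's check that is not part of the original brief: a PowerShell audit of the UAC policy registry values that an intruder would have to change to switch UAC off, plus a scan for any service whose name mentions SoftEther. It assumes it is run as an administrator on the web server; the brief does not give the SoftEther service name, so the script matches on the product name only, and anything it reports is a finding to investigate rather than proof of compromise.

```powershell
# Added example, not code from the original brief.
# Audits the UAC policy values UAT-7237 is reported to tamper with, and looks
# for a SoftEther VPN service on a host that should not be running a VPN endpoint.
# Assumption: run in an elevated PowerShell session on the server being checked.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacFindings {
    $findings = @()
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if (-not $uac) { return @('UAC policy key missing or unreadable') }

    # EnableLUA = 0 turns UAC off entirely (takes effect after the next reboot).
    if ($uac.EnableLUA -ne 1) {
        $findings += "EnableLUA=$($uac.EnableLUA) (UAC disabled; expected 1)"
    }
    # ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt.
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0 (silent elevation for administrators)'
    }
    # PromptOnSecureDesktop = 0 lets other processes interact with the elevation prompt.
    if ($uac.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0 (elevation prompt not on the secure desktop)'
    }
    return $findings
}

function Get-VpnServiceFindings {
    # Match on the product name from the brief; the exact service name is not given there.
    Get-Service |
        Where-Object { $_.Name -like '*SoftEther*' -or $_.DisplayName -like '*SoftEther*' } |
        ForEach-Object { "Service '$($_.DisplayName)' ($($_.Name)) is $($_.Status)" }
}

$report = @(Get-UacFindings) + @(Get-VpnServiceFindings)
if ($report.Count -eq 0) {
    Write-Output 'No UAC weakening or SoftEther services found.'
} else {
    $report | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a scheduled task or a remote session across the web tier and alert on any FINDING line; a change to these registry values on a server where nobody should be altering UAC policy is worth a ticket on its own.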