
Cyber Criminal Collective from China Hacks into Taiwanese Web Hosting Companies

Group identified as compromising Taiwanese web host for diverse malicious operations


A Chinese-speaking advanced persistent threat (APT) group tracked as UAT-7237 has been targeting web infrastructure providers in Taiwan since at least 2022. According to a report by Cisco Talos, the group shows a particular interest in gaining access to victim organizations' VPN and cloud infrastructure.

UAT-7237 relies largely on open-source tooling, lightly customised. Its one notable bespoke component is 'SoundBill', a customised shellcode loader whose strings are in Chinese. SoundBill reads a file named "ptiti.txt" from disk, decodes it and executes the resulting shellcode. The loader is agnostic to the payload it carries; Talos observed it loading Cobalt Strike, which the group uses to maintain long-term access for information theft.
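A loader that stages its payload in an innocuously named text file gives defenders a cheap hunting hook: the filename is known, and an encoded shellcode blob looks nothing like text. The script below is an added example, not code from the article or from Talos. It walks a directory tree for files named ptiti.txt (the name reported in the article) and flags those whose byte entropy is high; the 7.0 bits-per-byte threshold and the sample directory tree are assumptions for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Filename from the article: SoundBill decodes and executes "ptiti.txt".
SUSPECT_NAME = "ptiti.txt"
# Assumed threshold: encoded/encrypted blobs score close to 8 bits per byte,
# natural-language text usually sits below 5.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hunt(root: str) -> list[dict]:
    """Report every ptiti.txt under `root`, marking high-entropy ones suspicious."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != SUSPECT_NAME:
                continue
            path = Path(dirpath) / name
            data = path.read_bytes()
            ent = shannon_entropy(data)
            hits.append({
                "path": str(path),
                "size": len(data),
                "entropy": round(ent, 2),
                "suspicious": ent >= ENTROPY_THRESHOLD,
            })
    return hits


def demo() -> list[dict]:
    """Constructed sample tree (not real evidence): a benign notes file and a
    random 4 KiB blob standing in for encoded shellcode, both named ptiti.txt."""
    root = tempfile.mkdtemp(prefix="hunt_")
    benign_dir = Path(root) / "docs"
    benign_dir.mkdir()
    (benign_dir / SUSPECT_NAME).write_text("just some notes about the site\n" * 20)
    staged_dir = Path(root) / "wwwroot" / "tmp"
    staged_dir.mkdir(parents=True)
    (staged_dir / SUSPECT_NAME).write_bytes(os.urandom(4096))
    return sorted(hunt(root), key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Entropy alone is a triage signal, not a verdict: a compressed archive renamed to ptiti.txt would also score high, so a hit should be followed by checking which process reads the file and whether that process later allocates executable memory.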

For initial access, the group exploits known vulnerabilities in unpatched, internet-facing servers. Once inside, it runs the network scanner Fscan to sweep IP subnets for open ports. To run commands with elevated privileges on compromised endpoints, UAT-7237 uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors that abuses Windows impersonation privileges to obtain SYSTEM.

Once reachable systems are identified, UAT-7237 performs further reconnaissance on them and pivots using credentials it has already harvested, moving laterally through the victim network. Those credentials are taken from infected endpoints with credential-dumping tooling, predominantly Mimikatz.
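The subnet sweep that precedes the pivot is the loudest step in the chain described above. The detector below is an added example, not the article's or Talos's code: it replays constructed flow records (timestamp, source, destination, destination port; these are invented, not real telemetry) and raises an alert when one source touches many distinct hosts on several distinct ports within a sliding 60-second window, which is the shape of an Fscan-style sweep. The window length and both thresholds are assumptions to tune against your own baseline.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
HOST_THRESHOLD = 10              # assumed: distinct destination hosts per window
PORT_THRESHOLD = 3               # assumed: distinct destination ports per window


def parse_flow(line: str) -> tuple[datetime, str, str, int]:
    """One record: '<iso timestamp> <src ip> <dst ip> <dst port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_fanout(lines) -> dict:
    """Return {src_ip: alert} for sources whose distinct-host and distinct-port
    fan-out inside any WINDOW-long span crosses both thresholds."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_flow(line)
        by_src[src].append((ts, dst, port))

    alerts = {}
    for src, flows in by_src.items():
        flows.sort()
        window = deque()
        hosts, ports = Counter(), Counter()
        for ts, dst, port in flows:
            window.append((ts, dst, port))
            hosts[dst] += 1
            ports[port] += 1
            # Expire records older than WINDOW relative to the newest one.
            while ts - window[0][0] > WINDOW:
                _old_ts, old_dst, old_port = window.popleft()
                hosts[old_dst] -= 1
                if hosts[old_dst] == 0:
                    del hosts[old_dst]
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
            if len(hosts) >= HOST_THRESHOLD and len(ports) >= PORT_THRESHOLD:
                prev = alerts.get(src)
                if prev is None or len(hosts) > prev["hosts"]:
                    alerts[src] = {
                        "first_seen": window[0][0].isoformat(),
                        "hosts": len(hosts),
                        "ports": len(ports),
                    }
    return alerts


def build_sample_flows() -> list[str]:
    """Constructed sample: 10.0.5.23 (the foothold web server) sweeps 30 hosts on
    4 ports in about 12 seconds; 10.0.5.40 is an admin host doing routine SMB/RDP."""
    base = datetime(2025, 3, 1, 2, 0, 0)
    lines = ["# ts src dst dport"]
    i = 0
    for host in range(1, 31):
        for port in (22, 80, 445, 3389):
            ts = base + timedelta(milliseconds=100 * i)
            lines.append(f"{ts.isoformat()} 10.0.5.23 10.0.5.{host} {port}")
            i += 1
    for m in range(20):
        ts = base + timedelta(minutes=m)
        dst = 10 + m % 2
        port = 445 if m % 2 == 0 else 3389
        lines.append(f"{ts.isoformat()} 10.0.5.40 10.0.5.{dst} {port}")
    return lines


if __name__ == "__main__":
    for src, alert in detect_fanout(build_sample_flows()).items():
        print(src, alert)
```

In production the same logic runs over firewall or NetFlow exports; the useful refinement is to whitelist known vulnerability scanners by source address rather than raising the thresholds, since a web server that starts sweeping its own subnet is exactly the signal worth keeping.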

UAT-7237 is assessed with high confidence to be a Chinese APT group. It is tracked as a distinct cluster because its tactics, techniques, and procedures (TTPs) deviate significantly from those of UAT-5918, a Chinese-speaking threat actor previously observed conducting espionage operations against organizations in Taiwan; even so, UAT-7237 is likely a subgroup of UAT-5918.

UAT-7237 focuses on long-term access and data theft: in one compromised web hosting provider it maintained access for about two years using the SoftEther VPN client as its persistence channel. Separately, ESET reported in 2024 that the Chinese APT group Evasive Panda was using a toolset named CloudScout to extract cloud-hosted data from Taiwanese organizations. It is unclear whether UAT-7237 and Evasive Panda are connected.

Taiwan's National Security Bureau reported a significant rise in cyber-attacks on the country's critical infrastructure in 2024, attributed primarily to Chinese state-backed hackers. The bureau also warned that Chinese-made apps widely used by the Taiwanese population pose significant cybersecurity risks.

The intrusion chain described here offers concrete places to look: unpatched internet-facing servers, unexpected VPN client software on hosting infrastructure, subnet-wide port scanning from web servers, and credential dumping on endpoints. Organizations in the region should prioritize those controls over generic vigilance.
