Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets
Tracked as UAT-7237 and believed to be active since 2022, the threat actor is likely a subgroup of the cluster that Talos tracks as UAT-5918, which overlaps with Chinese APTs such as Volt Typhoon and Flax Typhoon. According to Talos, UAT-7237's use of Cobalt Strike, its deployment of web shells on only select systems, and its reliance on RDP and a legitimate VPN client mark it as a distinct cluster of activity under the UAT-5918 umbrella. During a recent intrusion at a Taiwanese web hosting provider, UAT-7237 exploited known vulnerabilities in internet-facing servers for initial access, conducted reconnaissance, and deployed the SoftEther VPN software to maintain remote access.
To read the complete article see: Security Week