Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.

Chinese Hackers Exploit Trimble Cityworks Vulnerability to Gain Access to U.S. Government Networks

May 22, 2025

In a concerning cybersecurity development, a group of Chinese-speaking hackers identified as UAT-6382 has been implicated in exploiting a recently patched vulnerability in Trimble Cityworks. This flaw enabled the group to execute remote code and deploy sophisticated malware, including Cobalt Strike and VShell, into U.S. government networks.

According to a recent analysis from Cisco Talos researchers Asheer Malhotra and Brandon White, UAT-6382 successfully leveraged CVE-2025-0944, a vulnerability rated 8.6 on the CVSS scale, which pertains to the deserialization of untrusted data within the GIS-focused asset management platform. Following their intrusion, the group engaged in extensive reconnaissance activities and established persistent access through a variety of web shells and custom malware, demonstrating a systematic approach to maintaining control over compromised systems.

The attacks, which have primarily targeted enterprise networks belonging to local government entities across the United States, began to surface in January 2025. The interest of UAT-6382 appears to focus on systems involved in utility management, raising alarms about the potential risks to critical infrastructure.

CVE-2025-0944 has been patched, but the exploit underscores the ongoing vulnerabilities faced by software used by government entities. The ability to execute remote code from what should be secure applications reveals a significant gap in cybersecurity resilience, warranting urgent attention from IT departments and cybersecurity professionals alike.

Engaging with the tactics employed by UAT-6382, one can refer to the MITRE ATT&CK framework, which suggests that the primary means of initial access for the attackers likely involved exploiting the aforementioned vulnerability. The use of reconnaissance techniques followed by establishing persistence demonstrates a calculated strategy to maintain access over time.

Privilege escalation techniques could also be inferred, given the group’s intent on pivoting to sensitive systems critical for utility management. Such maneuvers are typical within advanced persistent threat (APT) operations, where cyber actors seek to leverage one compromised node to infiltrate deeper layers of an organization’s network structure.

As the cybersecurity landscape continues to evolve, incidents like these serve as a reminder of the persistent threats targeting governmental and critical infrastructure systems. Business owners are encouraged to remain vigilant, ensuring that all software dependencies are regularly updated and that their cybersecurity frameworks are robust enough to withstand attempted breaches of this nature.

Source link

Related Posts

Urgent Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Breach

May 22, 2025
Cybersecurity / Vulnerability

A critical privilege escalation flaw has been identified in Windows Server 2025, allowing attackers to compromise any user within Active Directory (AD). According to Akamai security researcher Yuval Gordon, the vulnerability exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This attack can be executed easily with the default configuration, posing a significant threat to organizations relying on AD. “In 91% of the environments we examined, users outside of the domain admin group possessed the necessary permissions to carry out this attack,” Gordon noted in a report shared with The Hacker News. The vulnerability takes advantage of the dMSA feature designed to facilitate migration from legacy service accounts and intended to mitigate Kerberoasting attacks. The attack technique has been dubbed “BadSuccessor” by the researchers.

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Microsoft OneDrive File Picker Vulnerability Allows Full Access to Cloud Storage When Uploading a Single File

May 28, 2025
Data Privacy / Vulnerability

Cybersecurity researchers have identified a serious security flaw in Microsoft’s OneDrive File Picker. If exploited, this vulnerability could enable websites to gain access to a user’s entire cloud storage, rather than just the files intended for upload. According to the Oasis Research Team’s report to The Hacker News, the issue arises from overly broad OAuth scopes and unclear consent screens that do not adequately communicate the level of access being granted. This flaw poses significant risks, including potential customer data leaks and violations of compliance regulations. Affected applications may include ChatGPT, Slack, Trello, and ClickUp, all of which integrate with Microsoft’s cloud service. The core of the problem lies in the excessive permissions required by the OneDrive File Picker, which requests read access to the entire drive, even when only a single file is selected for upload, due to a lack of fine-grained permission controls.