Chinese Hackers Target Unpatched Servers in Taiwan


UAT-5918 Breaches Critical Infrastructure in Taiwan Through N-Day Vulnerabilities for Cyberespionage


Researchers have reported a significant cyberespionage operation targeting Taiwan’s critical infrastructure, attributed to a China-linked threat actor. The group gains initial access by exploiting unpatched, internet-facing web and application servers and then pivots into the victim networks behind them.

According to Cisco Talos, a new adversary identified as UAT-5918 has been active in this region since at least 2023. This group exhibits similar tactics to state-sponsored actors such as Volt Typhoon and Flax Typhoon, focusing on key sectors including information technology, telecommunications, healthcare, and academia as part of their operations.

UAT-5918’s approach relies on exploiting N-day vulnerabilities (flaws for which a patch already exists) in unpatched servers. Once inside, the group deploys open-source tools to perform reconnaissance, record system configurations, and expand its access across the network. For persistence and remote control, it sets up tunnels to compromised endpoints with the Fast Reverse Proxy (FRP) tool and the Neo-reGeorg web tunneling tool.

Credential harvesting plays a central role in UAT-5918’s strategy. The group employs tools such as Mimikatz, LaZagne, and BrowserDataLite to extract login credentials and strengthen its foothold in the compromised environments. It then moves laterally using Remote Desktop Protocol (RDP), the Windows Management Instrumentation Command-line utility (WMIC), and Impacket.

Among the malicious tools deployed are the Chopper web shell, Crowdoor, and SparrowDoor, some of which have previously been linked to the Earth Estries group. BrowserDataLite serves a specific purpose: it harvests login credentials, cookies, and browsing history directly from web browsers, while the group separately exfiltrates data from local and shared drives.
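As an added defender-side illustration (not Talos’s or this article’s code), the following Python triages process-creation records for three of the behaviours described above: a web-server process spawning a command shell (web-shell activity such as Chopper), WMIC invoked against a remote host, and the named credential-harvesting tools appearing on the command line. The record format, hostnames, sample lines and name lists are constructed assumptions that a defender would tune to their own telemetry.

```python
"""Heuristic triage of process-creation records for the tradecraft described
in the article. Added illustration only; the pipe-delimited record format,
hosts and tool-name lists below are constructed assumptions, not Talos data."""
import re
from dataclasses import dataclass

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}   # assumed web-server images
SHELLS = {"cmd.exe", "powershell.exe"}
CRED_TOOLS = ("mimikatz", "lazagne", "browserdatalite")  # names from the article
REMOTE_WMIC = re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.IGNORECASE)

@dataclass
class ProcEvent:
    host: str
    parent: str   # basename of parent image, lower-cased
    image: str    # basename of created image, lower-cased
    cmdline: str

def parse_event(line: str) -> ProcEvent:
    # Constructed format: host|parent_image|image|command_line
    host, parent, image, cmdline = line.split("|", 3)
    base = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcEvent(host, base(parent), base(image), cmdline)

def classify(ev: ProcEvent) -> list:
    tags = []
    if ev.parent in WEB_SERVERS and ev.image in SHELLS:
        tags.append("webshell_child")   # shell spawned by a web server process
    if REMOTE_WMIC.search(ev.cmdline):
        tags.append("wmic_remote")      # WMIC aimed at another host via /node:
    if any(t in ev.cmdline.lower() for t in CRED_TOOLS):
        tags.append("cred_tool")        # known credential-harvesting tool name
    return tags

def scan(lines):
    """Return (host, image, tags) for every record that trips a heuristic."""
    findings = []
    for ev in map(parse_event, lines):
        tags = classify(ev)
        if tags:
            findings.append((ev.host, ev.image, tags))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"web01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"web01|C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|WMIC.exe /node:fs01 os get caption",
    r"fs01|C:\Windows\System32\cmd.exe|C:\Temp\mimikatz.exe|mimikatz.exe",
    r"web01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for host, image, tags in scan(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(tags)}")
```

Each heuristic is a starting point for a hunt, not a verdict: administrators also run WMIC remotely, so findings should be correlated with the account, time of day and the initial web-server compromise the article describes.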

In January, the FBI took action to dismantle aspects of the Volt Typhoon operation, which was similarly focused on infiltrating critical infrastructure in the United States and Guam. This operation included efforts to disable malicious web shells implanted on vulnerable devices, highlighting the ongoing threat posed by these cyber actors.

Recent congressional inquiries by the House Homeland Security Committee have raised concerns regarding the federal government’s responses to intrusions connected with Volt Typhoon and Salt Typhoon, particularly regarding transparency and the pace of addressing these national security threats.

According to findings by Cisco Talos, the activities of UAT-5918 suggest that the focus of their post-compromise efforts is primarily on information theft, underscoring the expansive risks posed by such sophisticated cyber threats to critical infrastructure.
