A newly identified threat actor, designated UAT-5918, has reportedly targeted critical infrastructure in Taiwan since at least 2023. The group is suspected of seeking long-term access in order to gather sensitive information, relying on web shells and open-source tools for its post-compromise activity, according to research by Cisco Talos analysts Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura.
UAT-5918’s operations extend beyond critical infrastructure to sectors including information technology, telecommunications, academia, and healthcare. The group’s modus operandi is that of an advanced persistent threat (APT): it aims to maintain persistent access to victim environments. Its tactics overlap with those of several Chinese hacking groups, including Volt Typhoon, Flax Typhoon, and others.
The attack strategies deployed by UAT-5918 involve exploiting unpatched vulnerabilities in publicly exposed web and application servers to gain initial access. Once inside, the actors drop multiple open-source tools to carry out tasks like network reconnaissance and lateral movement within the targeted networks.
Following exploitation, UAT-5918 uses Fast Reverse Proxy (FRP) and Neo-reGeorg to establish reverse proxy tunnels, giving the actors access to compromised endpoints from remote servers under their control. Tools such as Mimikatz and a browser-based credential harvester named BrowserDataLite let the threat actors extract sensitive information and strengthen their foothold in the victims’ systems.
BrowserDataLite is particularly notable for its capacity to extract login credentials, cookies, and browsing history from various web browsers. Furthermore, the threat actor systematically collects data of interest from local and network drives, thereby deepening their infiltration and information theft operations.
Researchers have noted that the observed activity suggests post-compromise actions aimed at information theft are executed manually. This includes deploying web shells on any discovered subdomains and internet-accessible servers, creating multiple entry points into the targeted organizations.
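Because the actor plants web shells on every reachable server, a defender's first sweep is usually a content scan of the web roots for scripts that pass request input into a code or command execution primitive. The following Python scanner is an added example written for this article; it is not Talos tooling or part of the original research. The file extensions, the regular expressions and the scoring thresholds are assumptions chosen for illustration, and the three sample files are constructed fixtures, not artifacts from the UAT-5918 intrusions.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Server-side script types that commonly host web shells (assumed list).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Heuristic (a): attacker-controlled input ("sources") reaching the script.
INPUT_SOURCES = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b"          # PHP superglobals
    r"|Request(?:\.Form|\.QueryString|\s*\[)"      # ASP / ASP.NET
    r"|request\.getParameter\(",                   # JSP
    re.IGNORECASE,
)

# Heuristic (b): code or command execution primitives ("sinks").
EXEC_SINKS = re.compile(
    r"\beval\s*\("
    r"|\b(?:system|shell_exec|passthru|exec|popen|proc_open|assert)\s*\("
    r"|\bProcess\.Start\b|\bProcessStartInfo\b"
    r"|Runtime\.getRuntime\(\)\.exec\("
    r"|\bExecute(?:Global)?\s*\(",                 # classic ASP
    re.IGNORECASE,
)

# Heuristic (c): decoding helpers commonly layered over shells.
OBFUSCATION = re.compile(
    r"base64_decode\(|FromBase64String\(|gzinflate\(|str_rot13\(",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def assess_script(path: str, content: str) -> Optional[Finding]:
    """Score one server-side script; return a Finding only if it looks shell-like."""
    if os.path.splitext(path)[1].lower() not in SCRIPT_EXTENSIONS:
        return None
    reasons, score = [], 0
    has_source = bool(INPUT_SOURCES.search(content))
    sinks = EXEC_SINKS.findall(content)
    decoders = OBFUSCATION.findall(content)
    if has_source and sinks:                      # input flows toward execution
        score += 3
        reasons.append(f"request input reaches execution sink ({len(sinks)} sink call(s))")
    if decoders:                                  # encoded payload staging
        score += 2
        reasons.append(f"decoding helper present ({len(decoders)})")
    if sinks and len(content) < 1024:             # tiny file with an exec sink
        score += 2
        reasons.append("execution sink in a very small file (one-liner shell pattern)")
    if score == 0:
        return None
    return Finding(path=path, score=score, reasons=reasons)


def scan_files(files: Dict[str, str], min_score: int = 3) -> List[Finding]:
    """Score a mapping of path -> content and return findings at or above min_score, highest first."""
    found = [f for f in (assess_script(p, c) for p, c in files.items()) if f]
    return sorted((f for f in found if f.score >= min_score), key=lambda f: -f.score)


def scan_webroot(root: str, min_score: int = 3, max_bytes: int = 512 * 1024) -> List[Finding]:
    """Walk a real web root (e.g. /var/www or an IIS wwwroot) and score every script in it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue
    return scan_files(files, min_score)


# Constructed fixtures (assumed paths and contents) exercising the three heuristics.
SAMPLE_FILES = {
    # Benign: reads a parameter but only renders it.
    "/var/www/html/search.php": (
        "<?php\n$q = htmlspecialchars($_GET['q'] ?? '');\n"
        "echo '<h1>Results for ' . $q . '</h1>';\n"
    ),
    # Shell-like: request input decoded and passed to eval in a tiny file.
    "/var/www/html/uploads/img.php": "<?php @eval(base64_decode($_POST['k']));\n",
    # Shell-like: ASP.NET handler spawning a process from a form field.
    "C:\\inetpub\\wwwroot\\api\\h.ashx": (
        "<%@ WebHandler Language=\"C#\" Class=\"H\" %>\n"
        "using System.Diagnostics;\npublic class H : System.Web.IHttpHandler {\n"
        "  public void ProcessRequest(System.Web.HttpContext c) {\n"
        "    Process.Start(\"cmd.exe\", \"/c \" + c.Request.Form[\"x\"]);\n"
        "  }\n  public bool IsReusable { get { return false; } }\n}\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.score:>2}  {finding.path}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

Run against a live server with `scan_webroot("/var/www")` (or the IIS wwwroot) and treat the hits as triage candidates rather than verdicts: the source/sink pairing is deliberately coarse, so review each flagged file alongside its creation time, the owning process in web server logs, and whether it appears on the other internet-facing hosts and subdomains the actor is known to sweep.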