1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Chinese hackers are targeting web hosting firms - here's what we

    From TechnologyDaily@1337:1/100 to All on Tuesday, August 19, 2025 14:45:09
    Chinese hackers are targeting web hosting firms - here's what we know

    Date:
    Tue, 19 Aug 2025 13:34:00 +0000

    Description:
    A web hosting company in Taiwan was recently targeted by what appears to be a Chinese state-sponsored actor.

    FULL STORY ======================================================================Cisco Talos spotted a new threat actor, tracked as UAT-7237 The group resembles the "typhoon" Chinese state-sponsored groups It targeted web hosting firms in Taiwan

    Chinese hacking groups are now targeting web hosting companies in Taiwan, researchers are saying.

    Security experts from Cisco Talos said they spotted a never-before-seen group that focuses on establishing long-term persistence in web infrastructure entities in Taiwan.

    They are tracking the miscreants under the moniker UAT-7237, and believe it
    to be a subgroup of UAT-5918, meaning it is still a distinct entity, and most likely a state-sponsored one, at that. While Talos does not explicitly say
    it, it does say that the tools the threat actors are using are quite similar to different typhoon hackers which are known to be state-sponsored. Living
    off the land

    Most of the tools are open source and somewhat customized, with a custom Shellcode loader known as SoundBill particularly standing out.

    The group uses Cobalt Strike beacons, is quite picky with its web shells, and relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients.

    Talos recently observed the group breaching a Taiwanese hosting provider ,
    and being particularly interested in gaining access to the victim organizations VPN and cloud infrastructure.

    UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential
    extraction, deploying bespoke malware , setting up backdoored access via VPN clients, network scanning and proliferation, the researchers explained.

    For initial access, UAT-7237 exploited known vulnerabilities on unpatched servers exposed to the internet. This technique is also common for other state-sponsored groups, such as Volt Typhoon and Flax Typhoon, who usually exploit unpatched VPN appliances, firewalls, and email servers. In some
    cases, they abuse valid credentials for VPN, RDP, and cloud accounts.

    While they occasionally drop lightweight web shells or custom loaders, their preference is to blend into normal network activity and establish persistence through compromised infrastructure rather than phishing or malware.

    Via Infosecurity Magazine You might also like NSA says Volt Typhoon was not successful at persisting in critical infrastructure Take a look at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/chinese-hackers-are-targeting-web-hosti ng-firms-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)