Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets
securityweek
Web hosting entities in Taiwan have been in the crosshairs of a Chinese APT looking to establish long-term access to high-value targets, Cisco Talos reports.
Tracked as UAT-7237 and believed to be active since 2022, the threat actor is likely a division of the hacking group that Talos tracks as UAT-5918, which overlaps with Chinese APTs such as Volt Typhoon and Flax Typhoon.
According to Talos, however, UAT-7237’s use of Cobalt Strike, its deployment of web shells on select systems only, and its use of RDP access and of a legitimate VPN client suggest the APT represents a separate cluster of activity under the UAT-5918 umbrella.
During a recent intrusion at a web hosting provider in Taiwan, UAT-7237 was seen exploiting known vulnerabilities in internet-facing servers for initial access, conducting reconnaissance, and deploying the SoftEther VPN software for remote access.
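A detection-side check for two of the behaviours this summary attributes to UAT-7237: SoftEther VPN components appearing on hosts that have no business running a VPN server or client, and a web-server worker process spawning a shell, which is the usual footprint of a web shell being used. This is an added example written for this page, not code from Talos or SecurityWeek; it assumes Sysmon event 1 field names (Computer, Image, ParentImage, CommandLine), uses SoftEther's standard component executable names (vpnserver, vpnbridge, vpnclient, vpncmd, vpnsmgr), and the log lines are constructed, not taken from the report.

```python
"""Hunt process-creation telemetry for SoftEther VPN deployment on unexpected
hosts and for web-server workers launching a shell (web-shell activity).
Added illustration for this page; sample events below are constructed."""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# SoftEther VPN ships these component executables (Linux builds drop ".exe").
SOFTETHER_IMAGES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd", "vpnsmgr"}

# Web-server worker processes that should not normally launch an interactive shell.
# Java app servers (Tomcat etc.) show up as the JVM and need a tuned list; omitted here.
WEB_WORKERS = {"w3wp", "httpd", "apache2", "nginx", "php-fpm", "php-cgi"}
SHELLS = {"cmd", "powershell", "pwsh", "sh", "bash", "dash"}


def _basename(path: str) -> str:
    """Lower-cased executable name without directory or .exe suffix.
    PureWindowsPath accepts both '\\' and '/' separators, so it covers Linux paths too."""
    name = PureWindowsPath(path).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def hunt(events: Iterable[dict], allowed_vpn_hosts: frozenset = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (rule, host, detail) findings for each matching process-creation event.

    allowed_vpn_hosts: hosts that legitimately run SoftEther (assumed inventory input),
    so a known VPN gateway does not fire the first rule."""
    findings = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        host = ev.get("Computer", "?")
        cmdline = ev.get("CommandLine", "")
        # Rule 1: SoftEther binary (or a command line mentioning it) on a host not expected to run VPN software.
        if (image in SOFTETHER_IMAGES or "softether" in cmdline.lower()) and host not in allowed_vpn_hosts:
            findings.append(("softether_on_unexpected_host", host, ev.get("Image", "")))
        # Rule 2: a web-server worker spawning a shell, the typical footprint of a web shell in use.
        if parent in WEB_WORKERS and image in SHELLS:
            findings.append(("webshell_child_process", host, cmdline))
    return findings


def hunt_jsonl(text: str, allowed_vpn_hosts: frozenset = frozenset()) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: one JSON object per line, blank lines ignored."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return hunt(events, allowed_vpn_hosts)


# Constructed sample telemetry (Sysmon-style fields). Raw string: "\\" here is one
# JSON-escaped backslash, so the decoded paths are ordinary Windows paths.
SAMPLE = r"""
{"Computer":"web01","Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"svchost.exe -k netsvcs"}
{"Computer":"web01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"cmd.exe /c whoami"}
{"Computer":"web01","Image":"C:\\ProgramData\\se\\vpnserver.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"vpnserver.exe /start"}
{"Computer":"vpngw","Image":"C:\\Program Files\\SoftEther VPN Server\\vpnserver.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"vpnserver.exe /start"}
{"Computer":"db02","Image":"/usr/bin/bash","ParentImage":"/usr/sbin/sshd","CommandLine":"-bash"}
"""

if __name__ == "__main__":
    # "vpngw" is the one host assumed to legitimately run SoftEther in this constructed inventory.
    for rule, host, detail in hunt_jsonl(SAMPLE, frozenset({"vpngw"})):
        print(f"{rule:30s} {host:8s} {detail}")
```

Run against the constructed sample with `vpngw` allow-listed, the hunt reports the web shell child process and the SoftEther server dropped under ProgramData on `web01`, and stays quiet on the legitimate gateway and the ordinary SSH session. The allow-list is the important design choice: without an inventory of hosts that are supposed to run the VPN software, the first rule is just a noisy inventory query rather than a detection.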
For reconnaissance and lateral movement, the threat actor used ...
Copyright of this story solely belongs to SecurityWeek; the full text is available from the original source.