
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,650 of 2,445   
   Mike Powell to All   
   Chinese hackers are targe   
   19 Aug 25 09:56:52   
   
   TZUTC: -0500   
   MSGID: 1384.consprcy@1:2320/105 2d09cc1c   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Chinese hackers are targeting web hosting firms - here's what we know   
      
   Date:   
   Tue, 19 Aug 2025 13:34:00 +0000   
      
   Description:   
   A web hosting company in Taiwan was recently targeted by what appears to be a   
   Chinese state-sponsored actor.   
      
   FULL STORY   
      
   Chinese hacking groups are now targeting web hosting companies in Taiwan,   
   researchers are saying.    
      
   Security experts from Cisco Talos said they spotted a never-before-seen group   
   that focuses on establishing long-term persistence in web infrastructure   
   entities in Taiwan.    
      
   They are tracking the miscreants under the moniker UAT-7237, and believe it
   to be a subgroup of UAT-5918, meaning it is still a distinct entity, and most
   likely a state-sponsored one, at that. While Talos does not explicitly say
   it, it does say that the tools the threat actors are using are quite similar
   to those used by different Typhoon hackers, which are known to be state-sponsored.
      
   Living off the land   
      
   Most of the tools are open source and somewhat customized, with a custom
   shellcode loader known as SoundBill particularly standing out.
      
   The group uses Cobalt Strike beacons, is quite picky with its web shells, and   
   relies on a combination of direct remote desktop protocol (RDP) access and   
   SoftEther VPN clients.    
      
   Talos recently observed the group breaching a Taiwanese hosting provider,
   and being particularly interested in gaining access to the victim
   organization's VPN and cloud infrastructure.
      
   UAT-7237 used open-source and customized tooling to perform several malicious
   operations in the enterprise, including reconnaissance, credential
   extraction, deploying bespoke malware, setting up backdoored access via VPN
   clients, network scanning and proliferation, the researchers explained.
      
   For initial access, UAT-7237 exploited known vulnerabilities on unpatched   
   servers exposed to the internet. This technique is also common for other   
   state-sponsored groups, such as Volt Typhoon and Flax Typhoon, who usually   
   exploit unpatched VPN appliances, firewalls, and email servers. In some    
   cases, they abuse valid credentials for VPN, RDP, and cloud accounts.    
      
   While they occasionally drop lightweight web shells or custom loaders, their   
   preference is to blend into normal network activity and establish persistence   
   through compromised infrastructure rather than phishing or malware.    
      
    Via Infosecurity Magazine   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/chinese-hackers-are-targeting-web-hosting-firms-heres-what-we-know
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      
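The post describes two persistence and access patterns worth hunting for in a hosting environment: SoftEther VPN clients dropped as backdoored access, and direct RDP logons riding on valid credentials. The following hunt is an added example written for this page, not code from the post, from Talos, or from the TechRadar article. It runs over a handful of constructed process-creation and logon events embedded inline; the SoftEther binary names, the RDP allowlist, the event field names and the hypothetical hosts are all assumptions chosen for illustration and should be replaced with your own telemetry schema and inventory.

```python
"""Hunt constructed endpoint events for two UAT-7237-style access patterns.

Added example for this page; not part of the original post.
Assumptions (replace with your own data):
  - SOFTETHER_IMAGES lists SoftEther VPN client/bridge binary names.
  - RDP_ALLOWED_SOURCES is the set of jump hosts permitted to RDP in.
  - Event dicts use the field names below (a simplified, invented schema).
"""
from typing import Dict, List, Tuple

# Assumed SoftEther VPN binary names; verify against your software inventory.
SOFTETHER_IMAGES = {"vpnclient.exe", "vpnclient_x64.exe", "vpnbridge.exe", "vpncmd.exe"}

# Hypothetical allowlist of hosts that may originate interactive RDP (logon type 10).
RDP_ALLOWED_SOURCES = {"10.0.0.5"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "host": "web01",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "web01",
     "image": r"C:\Users\Public\vpnclient_x64.exe", "cmdline": "vpnclient_x64.exe /install"},
    {"type": "logon", "host": "web01", "logon_type": 10, "src_ip": "10.0.0.5", "user": "admin"},
    {"type": "logon", "host": "web02", "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    {"type": "logon", "host": "web02", "logon_type": 3, "src_ip": "203.0.113.7", "user": "svc_backup"},
]

Finding = Tuple[str, str, str]  # (rule, host, detail)


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Finding]:
    """Flag SoftEther VPN binaries and RDP logons from non-allowlisted sources."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            # VPN clients installed on web servers are the 'backdoored access via VPN
            # clients' the post describes; a match here is a high-signal lead.
            if basename(ev["image"]) in SOFTETHER_IMAGES:
                findings.append(("softether_client", ev["host"], ev["image"]))
        elif ev["type"] == "logon":
            # Logon type 10 is RemoteInteractive (RDP). Valid credentials do not
            # make an unexpected source host benign, so alert on the source, not the user.
            if ev["logon_type"] == 10 and ev["src_ip"] not in RDP_ALLOWED_SOURCES:
                findings.append(("rdp_from_unexpected_source", ev["host"], ev["src_ip"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule so a triage queue can prioritise by pattern."""
    counts: Dict[str, int] = {}
    for rule, _host, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: host={host} detail={detail}")
```

Note what the hunt does not cover: Cobalt Strike beacons, web shells and the SoundBill loader leave different traces (network beaconing, web-server child processes, in-memory artifacts) and need their own rules. The value of this block is that both patterns it does cover look like ordinary administration when viewed one event at a time, which is exactly why the post calls the group's approach living off the land.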



(c) 1994,  bbs@darkrealms.ca