TZUTC: -0500
MSGID: 1384.consprcy@1:2320/105 2d09cc1c
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Chinese hackers are targeting web hosting firms - here's what we know

Date:
Tue, 19 Aug 2025 13:34:00 +0000

Description:
A web hosting company in Taiwan was recently targeted by what appears to be a
Chinese state-sponsored actor.

FULL STORY

Chinese hacking groups are now targeting web hosting companies in Taiwan,
researchers are saying. 

Security experts from Cisco Talos said they spotted a never-before-seen group
that focuses on establishing long-term persistence in web infrastructure
entities in Taiwan. 

They are tracking the miscreants under the moniker UAT-7237, and believe it 
to be a subgroup of UAT-5918, meaning it is still a distinct entity, and most
likely a state-sponsored one, at that. While Talos does not explicitly say 
it, it does say that the tools the threat actors are using are quite similar
to different typhoon hackers which are known to be state-sponsored.

Living off the land

Most of the tools are open source and somewhat customized, with a custom
Shellcode loader known as SoundBill particularly standing out. 

The group uses Cobalt Strike beacons, is quite picky with its web shells, and
relies on a combination of direct remote desktop protocol (RDP) access and
SoftEther VPN clients. 

Talos recently observed the group breaching a Taiwanese hosting provider , 
and being particularly interested in gaining access to the victim
organizations VPN and cloud infrastructure. 

UAT-7237 used open-source and customized tooling to perform several malicious
operations in the enterprise, including reconnaissance, credential 
extraction, deploying bespoke malware , setting up backdoored access via VPN
clients, network scanning and proliferation, the researchers explained. 

For initial access, UAT-7237 exploited known vulnerabilities on unpatched
servers exposed to the internet. This technique is also common for other
state-sponsored groups, such as Volt Typhoon and Flax Typhoon, who usually
exploit unpatched VPN appliances, firewalls, and email servers. In some 
cases, they abuse valid credentials for VPN, RDP, and cloud accounts. 

While they occasionally drop lightweight web shells or custom loaders, their
preference is to blend into normal network activity and establish persistence
through compromised infrastructure rather than phishing or malware. 

 Via Infosecurity Magazine

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-hackers-are-targeting-web-hosti
ng-firms-heres-what-we-know

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426