What’s new: A Chinese-speaking advanced persistent threat (APT) group, identified as UAT-7237, has breached web servers in Taiwan using customized open-source hacking tools. This group has been active since at least 2022 and is linked to previous attacks on critical infrastructure in Taiwan. The attacks involve exploiting unpatched servers, deploying a bespoke shellcode loader named SoundBill, and utilizing tools like Cobalt Strike for persistent access.
Who’s affected
Web infrastructure entities in Taiwan are the primary targets of UAT-7237. The group exploits known vulnerabilities in unpatched servers to gain access and establish long-term footholds within compromised environments.
What to do
- Ensure all web servers are updated and patched against known vulnerabilities.
- Monitor for unusual activity, especially anomalous RDP access and changes to VPN configurations.
- Implement network segmentation to limit lateral movement within the infrastructure.
- Use intrusion detection systems to identify and block known attacker tooling such as Cobalt Strike and the SoundBill loader.