Full Report
Chinese-speaking hackers have exploited a now-patched Trimble Cityworks zero-day to breach multiple local governing bodies across the United States. [...]
Analysis Summary
# Incident Report: Exploitation of Cityworks Zero-Day by Chinese State-Sponsored Actors
## Executive Summary
Chinese state-sponsored threat actors exploited a zero-day vulnerability (CVE-2025-0994) in Trimble's Cityworks software to breach multiple US local government entities. The attack leveraged an RCE vulnerability in Microsoft IIS servers running Cityworks, allowing the attackers to gain a foothold and deploy custom malware, including TetraLoader. The incident prompted immediate advisories from CISA, leading to mandatory patching for federal agencies.
## Incident Details
- Discovery Date: Early February 2025 (when Trimble warned of exploitation)
- Incident Date: Before early February 2025 (when exploitation began)
- Affected Organization: US Local Governments (and potentially organizations in water/wastewater, energy, transportation, communications sectors)
- Sector: Government Services, Utilities, Infrastructure
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Prior to early February 2025.
- Vector: Exploitation of unpatched Cityworks instances running on Microsoft IIS servers.
- Details: Attackers leveraged **CVE-2025-0994**, a high-severity deserialization vulnerability, which grants Remote Code Execution (RCE) to authenticated threat actors.
### Lateral Movement
- Details: Attackers deployed custom malware, including **TetraLoader**, which was built using the **MaLoader** malware-builder (both written in Simplified Chinese), suggesting established command and control or data staging capabilities post-initial breach.
### Data Exfiltration/Impact
- *Information not explicitly detailed regarding data stolen, but the goal of government breaches often involves intelligence gathering or disruption.*
### Detection & Response
- Date/Time: Early February 2025.
- Details: Trimble warned about active exploitation while releasing patches for CVE-2025-0994. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 7, 2025, ordering federal agencies to patch within three weeks. CISA issued a sector-wide advisory on February 11, 2025.
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-0994** (Deserialization RCE) in Cityworks via Microsoft IIS servers.
- Persistence: Deployment of custom malware, including **TetraLoader**.
- Privilege Escalation: *Not explicitly detailed, but RCE on an accessible service often provides significant initial privileges.*
- Defense Evasion: Use of custom tooling (**TetraLoader** and **MaLoader** infrastructure) built in Simplified Chinese, potentially aiding evasion against localized security controls.
- Credential Access: *Not explicitly detailed.*
- Discovery: *Not explicitly detailed.*
- Lateral Movement: Use of custom malware loaders (**TetraLoader** derived from **MaLoader**) implies capability for persistent access and internal network mapping.
- Collection: *Implied by targeting government infrastructure.*
- Exfiltration: *Not explicitly detailed.*
- Impact: Potential system compromise and network intrusion targeting critical infrastructure sectors.
## Impact Assessment
- Financial: *Not specified.*
- Data Breach: *Type and volume of data unknown, but targets were US local governments.*
- Operational: Potential disruption to government services utilizing Cityworks.
- Reputational: Negative impact due to confirmed compromise following immediate warnings from vendors and CISA.
## Indicators of Compromise
- Network indicators: *Not provided in defanged format.*
- File indicators: **TetraLoader**, **MaLoader** (as the builder).
- Behavioral indicators: Successful exploitation of **CVE-2025-0994** leading to code execution on IIS servers.
## Response Actions
- Containment measures: Not detailed, but implied patch deployment for CVE-2025-0994.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
## Lessons Learned
- Zero-day vulnerabilities in software managing critical infrastructure (like Cityworks) pose an immediate and severe risk, especially when actively exploited before patches are widely deployed.
- Vendors must swiftly notify customers (as Trimble did), and agencies must adhere strictly to emergency patching directives (like CISA BOD 22-01).
- State-sponsored actors demonstrate rapid adaptation, weaponizing software vulnerabilities shortly after release or discovery.
## Recommendations
- Immediately patch all systems against **CVE-2025-0994** across all infrastructure, prioritizing Cityworks deployments on IIS.
- Security teams handling software from infrastructure vendors must prioritize zero-day disclosures and enforce mandatory emergency patching windows.
- Enhance monitoring on Microsoft IIS servers for signs of atypical deserialization activity or initial code execution attempts.
- Review AV/EDR capabilities against custom Loader malware families originating from recognized threat actor supply chains (e.g., those utilizing toolsets written in Simplified Chinese).