Full Report
In this week’s Threat Source newsletter, William pitches a fun comparison between baseball legend Ichiro Suzuki and the unsung heroes of information security, highlights newly released UAT-5918 research, and shares an exciting new Talos video.
Analysis Summary
# Main Topic
Cisco Talos research on threat group UAT-5918, which has been actively targeting critical infrastructure entities in Taiwan using tactics that overlap heavily with those of established groups such as Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.
## Key Points
- The group leverages an extensive array of open-source and living-off-the-land binaries (LoL bins) for post-compromise activities, network reconnaissance, and lateral movement.
- A major goal of the intrusions is harvesting credentials for gaining local and domain-level access, facilitating the creation of new administrative user accounts.
- The report encourages defenders to use the associated Indicators of Compromise (IoCs) to verify visibility across their networks and search for evidence of intrusion beyond just traditional security endpoints.
## Threat Actors
- **UAT-5918**: Primary threat group identified targeting critical infrastructure.
- **Associated Activity**: Victimology and TTPs show significant overlap with known threat actors: Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.
## TTPs
- **Credential Harvesting**: Dumping the SAM registry hive and the NTDS.dit Active Directory database (NTDS.dit is a database file, not a registry hive), and running tools such as Mimikatz and browser credential extractors.
- **Lateral Movement**: Primarily via RDP, remote command execution with WMIC and PowerShell remoting, and Impacket.
- **Tooling Used**: FScan and In-Swor for network scanning; FRPC, Earthworm, and Neo-reGeorg for tunneling and proxying traffic across the network.
- **Persistence**: Creating new administrative user accounts to maintain channels of access, particularly RDP access to high-significance endpoints.
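The credential-harvesting TTPs above leave recognisable command lines in process-creation telemetry. The following is an added example, not code from the Talos report: a small rule set run over constructed Windows Security 4688 events (the events, host names and account names are made up; the `reg save` hive names, the `ntdsutil` `ifm` syntax and the Mimikatz module names are standard). It also counts 4688 events that arrived without a command line, which is the visibility gap a hunt for LoL-bin activity runs into first.

```python
import re

# Constructed 4688 (process creation) events, flattened to the fields a SIEM
# would export. Illustrative only, not real captures. Command lines appear in
# 4688 only when "Include command line in process creation events" is enabled.
SAMPLE_4688 = [
    {"EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "svc_backup",
     "CommandLine": r'reg save hklm\sam C:\Windows\Temp\sam.hiv'},
    {"EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "svc_backup",
     "CommandLine": r'cmd.exe /c "reg.exe save hklm\system C:\Windows\Temp\sys.hiv"'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "support2",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "CommandLine": r'"C:\Tools\m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Benign: reading a registry value, and a service host that touches no hive.
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "CommandLine": r'reg query hklm\software\microsoft\windows\currentversion\run'},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "SYSTEM",
     "CommandLine": r'C:\Windows\System32\svchost.exe -k netsvcs'},
    # Logged without a command line (policy off): nothing to match on.
    {"EventID": 4688, "Computer": "WS-043", "SubjectUserName": "jdoe"},
    # Not a process-creation event at all; ignored by the scan.
    {"EventID": 4624, "Computer": "WS-043", "SubjectUserName": "jdoe"},
]

# Rule name -> regex applied to the lower-cased command line. The regexes are
# this example's own; the strings they look for are standard Windows syntax.
RULES = {
    "reg_save_sam":      re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b"),
    "reg_save_system":   re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b"),
    "reg_save_security": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\security\b"),
    # ntdsutil "activate instance ntds" ... "ifm" writes a copy of ntds.dit.
    "ntdsutil_ifm":      re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b"),
    # Mimikatz module names survive even when the binary is renamed.
    "mimikatz_modules":  re.compile(r"\b(sekurlsa|lsadump)::"),
}


def scan_process_events(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688 or "CommandLine" not in ev:
            continue
        cmd = ev["CommandLine"].lower()
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append({"rule": name, "host": ev["Computer"],
                             "user": ev["SubjectUserName"],
                             "command_line": ev["CommandLine"]})
    return hits


def missing_command_line(events):
    """Count 4688 events with no CommandLine field: a telemetry gap, not a clean bill."""
    return sum(1 for ev in events
               if ev.get("EventID") == 4688 and "CommandLine" not in ev)


if __name__ == "__main__":
    for h in scan_process_events(SAMPLE_4688):
        print(f"{h['rule']:18} {h['host']:10} {h['user']:12} {h['command_line']}")
    print("4688 events without command line:", missing_command_line(SAMPLE_4688))
```

Run against real exports, the non-zero `missing_command_line` count is the first thing to fix: a host that logs 4688 without command lines looks clean under these rules no matter what was run on it.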
## Affected Systems
- Critical infrastructure entities located in Taiwan.
- Endpoints that support Remote Desktop Protocol (RDP) services targeted for persistence setup.
## Mitigations
- Search the environment using the IoCs detailed in the associated Talos blog post (hxxps://blog[.]talosintelligence[.]com/uat-5918-targets-critical-infra-in-taiwan).
- Verify logging and visibility on endpoints that are not traditional security devices; the group's LoL-bin activity leaves its traces on ordinary hosts, and gaps there hide the attack path.
- Monitor for the creation of unusual, new administrative user accounts.
- Audit RDP session initiations for connections to critical assets.
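The last two mitigations can be checked together, since the persistence pattern described above is one chain: an account is created, added to an admin group, and then used over RDP against a high-value host. The following is an added example, not code from the Talos report, that correlates constructed Windows Security events (4720 account created, 4732/4728 member added to a local/global security group, 4624 logon with LogonType 10, which is RemoteInteractive, i.e. RDP) flattened to the field names the Security log uses. Hosts, accounts, IPs and the 24-hour correlation window are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Times are ISO 8601 UTC. The field
# names (SubjectUserName, TargetUserName, MemberName, LogonType, IpAddress)
# follow the Windows Security log; in 4732/4728 TargetUserName is the group.
SAMPLE_EVENTS = [
    # A service account creates a new user, then drops it into Administrators.
    {"time": "2025-03-20T10:15:00", "EventID": 4720, "Computer": "FILESRV01",
     "SubjectUserName": "svc_backup", "TargetUserName": "support2"},
    {"time": "2025-03-20T10:15:30", "EventID": 4732, "Computer": "FILESRV01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
     "MemberName": "FILESRV01\\support2"},
    # Minutes later the new account logs on over RDP to a critical host.
    {"time": "2025-03-20T10:22:00", "EventID": 4624, "Computer": "FILESRV01",
     "TargetUserName": "support2", "LogonType": "10", "IpAddress": "10.10.5.23"},
    # Help desk creates a normal user in a non-admin group: not flagged.
    {"time": "2025-03-20T11:00:00", "EventID": 4720, "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"time": "2025-03-20T11:00:10", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Finance Users",
     "MemberName": "CORP\\jdoe"},
    # Console logon (LogonType 2) to a critical host: not RDP, not flagged.
    {"time": "2025-03-20T11:30:00", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "itadmin", "LogonType": "2", "IpAddress": "-"},
    # RDP to a non-critical workstation: not flagged.
    {"time": "2025-03-20T12:00:00", "EventID": 4624, "Computer": "WS-042",
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.10.5.9"},
    # RDP by a long-standing admin to a critical host: listed for audit, not chained.
    {"time": "2025-03-20T13:00:00", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "itadmin", "LogonType": "10", "IpAddress": "10.10.1.4"},
]

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
GROUP_ADD_EVENTS = {4732, 4728}  # member added to local / global security group


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _bare_name(name):
    # "DOMAIN\\user" or "HOST\\user" -> "user"
    return name.split("\\")[-1].lower()


def new_admin_accounts(events, window=timedelta(hours=24)):
    """Pair each 4720 with a later 4732/4728 that adds the same account to a
    privileged group within `window`. One dict per (creation, group add) pair."""
    creations = [e for e in events if e["EventID"] == 4720]
    admin_adds = [e for e in events if e["EventID"] in GROUP_ADD_EVENTS
                  and e["TargetUserName"].lower() in ADMIN_GROUPS]
    hits = []
    for c in creations:
        acct = c["TargetUserName"].lower()
        for a in admin_adds:
            delta = _ts(a) - _ts(c)
            if _bare_name(a["MemberName"]) == acct and timedelta(0) <= delta <= window:
                hits.append({"account": acct, "created_by": c["SubjectUserName"],
                             "host": c["Computer"], "group": a["TargetUserName"]})
    return hits


def rdp_logons(events, critical_hosts):
    """4624 with LogonType 10 (RemoteInteractive / RDP) against critical hosts."""
    crit = {h.lower() for h in critical_hosts}
    return [{"account": e["TargetUserName"].lower(), "host": e["Computer"],
             "src_ip": e["IpAddress"], "time": e["time"]}
            for e in events
            if e["EventID"] == 4624 and str(e.get("LogonType")) == "10"
            and e["Computer"].lower() in crit]


def chained_findings(events, critical_hosts):
    """RDP logons to critical hosts by accounts that were freshly created and
    made admin: the full persistence chain, worth an immediate look."""
    fresh = {h["account"] for h in new_admin_accounts(events)}
    return [r for r in rdp_logons(events, critical_hosts) if r["account"] in fresh]


if __name__ == "__main__":
    critical = {"FILESRV01", "DC01"}
    for h in new_admin_accounts(SAMPLE_EVENTS):
        print("new admin:", h)
    for r in rdp_logons(SAMPLE_EVENTS, critical):
        print("rdp to critical:", r)
    for c in chained_findings(SAMPLE_EVENTS, critical):
        print("CHAINED:", c)
```

The plain `rdp_logons` list is the audit trail the mitigation asks for; `chained_findings` is the subset that matches the actor's pattern end to end. Keep the group list and the critical-host list under version control, and treat an empty `rdp_logons` result from a host that is known to accept RDP as a logging problem rather than good news.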
## Conclusion
UAT-5918 represents a sophisticated threat actor, likely state-sponsored given its overlap with established groups, and poses a significant risk to critical infrastructure through its focus on credential theft and on persistent access via newly created administrative accounts and RDP. Defenders should focus on comprehensive host visibility and search every available data source for the known attacker toolset.