Cisco Talos Reports China-Nexus UAT-8837 Breaching North American Critical Infrastructure
Cisco Talos reported multiple intrusions against high-value North American critical infrastructure organizations attributed to UAT-8837, assessed with medium confidence as a China-nexus APT focused on obtaining initial access. Talos said the actor gained entry via compromised credentials and exploitation of vulnerable servers, then conducted hands-on-keyboard activity to harvest credentials and environment data (including security configurations and Active Directory information) to establish redundant access paths. Observed post-compromise tooling included Earthworm (used to create reverse tunnels and expose internal endpoints), SharpHound, DWAgent, and Certipy, alongside common discovery commands (e.g., tasklist /svc, netstat -aon -p TCP, whoami).
Talos linked UAT-8837 activity to exploitation of CVE-2025-53690, described as a ViewState deserialization zero-day affecting Sitecore products, noting that the overlap in tooling/infrastructure with other observed exploitation suggests the actor may have access to zero-day exploits. Reporting also highlighted that the vulnerability had previously been emphasized by U.S. federal cybersecurity authorities with a mandated patch timeline for federal civilian agencies, and that prior third-party analysis of incidents involving the same bug described similar post-exploitation tooling—reinforcing the assessment that this vulnerability has been operationalized in real intrusions against critical infrastructure targets.
Related Stories

Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
1 month ago
China-Nexus UAT-9244 Targets South American Telecoms with TernDoor, PeerTime, and BruteEntry
Cisco Talos reported that **UAT-9244**, assessed with high confidence as a **China-nexus APT** closely associated with **FamousSparrow**, has targeted **critical telecommunications providers in South America** since 2024. The activity spans **Windows and Linux endpoints** as well as **network edge devices**, and introduces three previously undocumented implants: **TernDoor** (Windows), **PeerTime** (Linux/ELF), and **BruteEntry** (edge-device brute-force/scanning tooling). Public reporting noted tactical overlap between FamousSparrow and **Salt Typhoon**-linked telecom targeting, but stated there is **no conclusive evidence** directly tying UAT-9244 to Salt Typhoon. Talos detailed that **TernDoor** is a variant of **CrowDoor** (itself related to **SparrowDoor**) and is deployed via **DLL side-loading** using the legitimate `wsprint.exe` to load a malicious loader DLL `BugSplatRc64.dll`, which reads `WSPrint.dll`, decrypts it, and executes the final payload **in memory**. **PeerTime** is an ELF backdoor that leverages the **BitTorrent protocol** for malicious operations on infected Linux systems. **BruteEntry** is typically installed on edge devices to convert them into **Operational Relay Boxes (ORBs)** used for mass scanning and brute forcing services including **SSH**, **Postgres**, and **Tomcat**; additional reporting also noted prior UAT-9244 targeting of **outdated Windows Server and Microsoft Exchange** to deploy web shells as a foothold for follow-on activity.
1 week ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a CVSS 10.0 authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around **CVE-2026-20127** has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
4 days ago