Cybersecurity

Cyber: China-linked APT Exploited Sitecore Zero-day In Critical...

2026-01-16 0 views admin
Cyber: China-linked APT Exploited Sitecore Zero-day In Critical...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.

Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.

The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed.

"After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims," it added.

UAT-8837 is said to have most recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access, with the intrusion sharing TTP, tooling, and infrastructure similarities with a campaign detailed by Google-owned Mandiant in September 2025. SiteCore released fixes for the flaw early that month.

While it's not clear if these two clusters are the work of the same actor, it suggests that UAT-8837 may have access to zero-day exploits to conduct cyber attacks.

Once the adversary obtains a foothold in target networks, it conducts preliminary reconnaissance, followed by disabling RestrictedAdmin for Remote Desktop Protocol (RDP), a security feature that ensures credentials and other user resources aren't exposed to compromised remote hosts.

UAT-8837 is also said to open "cmd.exe" to conduct hands-on keyboard activity on the infected host and download several artifacts to enable post-exploitation. Some of the notable tools include -

"UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations," researchers Asheer Malhotra, Vitor Ventura, and Brandon White said.

"In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabili

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityvulnerabilitycveattack

More from Cybersecurity

Cyber: Verizon Starts Issuing $20 Credits After Nationwide Outage 2026

Cyber: Verizon Starts Issuing $20 Credits After Nationwide Outage 2026

2026-01-16 0
Cyber: Cisos Rise To Prominence: Security Leaders Join The Executive Suite

Cyber: Cisos Rise To Prominence: Security Leaders Join The Executive Suite

2026-01-16 0
Cyber: Five Malicious Chrome Extensions Impersonate Workday And Netsuite...

Cyber: Five Malicious Chrome Extensions Impersonate Workday And Netsuite...

2026-01-16 0
Cyber: Ai System Reduces Attack Reconstruction Time From Weeks To Hours

Cyber: Ai System Reduces Attack Reconstruction Time From Weeks To Hours

2026-01-16 0

Trending

1

Tech: Go-legacy-winxp: Compile Golang 1.24 code for Windows XP

2026-01-15 • 4457 views
2

Tech: Data is the only moat

2026-01-15 • 4133 views
3

Tech: Pocket TTS: A high quality TTS that gives your CPU a voice

2026-01-15 • 3239 views
4

Tech: AWS European Sovereign Cloud

2026-01-15 • 2741 views
5

Tech: JuiceFS is a distributed POSIX file system built on top of Redis and S3

2026-01-15 • 2719 views