UAT-8837 Critical Infrastructure Attack


What is the Attack?

An active campaign has been linked, with medium confidence, to a threat actor designated UAT-8837, which Cisco Talos assesses as a China-nexus group targeting critical infrastructure organizations in North America. Observed activity includes targeted intrusions aimed at gaining initial access, credential harvesting, and internal reconnaissance.

UAT-8837 primarily gains initial access by exploiting vulnerabilities in public-facing applications, including both known n-day flaws and previously undisclosed zero-day vulnerabilities. In recent activity, the actor exploited CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products, which indicates access to advanced exploitation capabilities.

Sitecore is a widely used digital experience platform (DXP) that provides content management, personalization and e-commerce capabilities for enterprises. The flaw enables pre-authentication remote code execution (RCE) against internet-facing Sitecore deployments.
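ASP.NET ViewState deserialization attacks in general depend on the application accepting a ViewState whose integrity check (MAC) or encryption can be bypassed or forged, so reviewing the ViewState settings in web.config is a standard defensive check. The audit below is an added example, not code from FortiGuard, Cisco Talos or Sitecore, and it does not claim to cover the specific root cause of CVE-2025-53690; the web.config fragment is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not from any real Sitecore deployment):
# ViewState MAC checking is disabled and weak algorithms are configured.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validation="MD5" decryption="3DES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_viewstate_config(xml_text):
    """Return a list of findings about ViewState hardening in an ASP.NET web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState integrity check is disabled")
        if pages.get("viewStateEncryptionMode", "Auto") == "Never":
            findings.append("viewStateEncryptionMode=Never: ViewState contents are readable by clients")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("no <machineKey> element: keys are auto-generated per server; review farm setup")
        return findings
    validation = mk.get("validation")
    if validation is not None and validation.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: weak MAC algorithm, prefer HMACSHA256 or stronger")
    decryption = mk.get("decryption")
    if decryption is not None and decryption.upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={decryption}: use AES")
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        # Static keys are normal in web farms, but must be unique to the deployment
        # and never copied from documentation or sample configurations.
        if value and not value.startswith("AutoGenerate"):
            findings.append(f"{attr} is static: confirm it is unique and not a published sample value")
    return findings


if __name__ == "__main__":
    for finding in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```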

What is the recommended Mitigation?

• Organizations should immediately patch and remediate all exposed public-facing applications, with priority given to Sitecore deployments affected by CVE-2025-53690 (see Security Bulletin SC2025-005).
• Defensive teams should monitor for post-exploitation activity consistent with UAT-8837 behavior, in particular the credential harvesting and internal reconnaissance described above.

What FortiGuard Coverage is available?

• FortiGuard Labs is actively monitoring this threat activity and will continue to provide updates as the situation evolves, including new intelligence, indicators, and protection guidance.
• FortiGuard Antivirus & Behavior Detection: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs.
• FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
