Threat Intel · HIGH

Credential Harvesting - Inside UAT-10608's Operations

Cisco Talos Intelligence · Reporting by Asheer Malhotra
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana

Basically, a group is stealing passwords from web apps using automated tools.

Quick Summary

Cisco Talos reveals a major credential harvesting operation by UAT-10608, compromising 766 hosts. The attackers exploit vulnerabilities in Next.js applications to steal sensitive data. Organizations must act quickly to secure their systems and mitigate risks.

What Happened

Cisco Talos has uncovered a large-scale automated credential harvesting campaign attributed to a threat cluster known as UAT-10608. This operation primarily targets Next.js applications that are vulnerable to a specific flaw known as React2Shell (CVE-2025-55182). By exploiting these vulnerabilities, the attackers have compromised at least 766 hosts across various regions and cloud providers.

How It Works

The UAT-10608 campaign utilizes a framework called NEXUS Listener. This framework automates the extraction and exfiltration of credentials, SSH keys, cloud tokens, and environment secrets. The attackers deploy scripts that run automatically, collecting sensitive information without further manual intervention. The data is then sent to a command and control (C2) server, where it is organized and made accessible through a web-based interface.

Who's Being Targeted

The operation has indiscriminately targeted public-facing web applications, particularly those built with Next.js. The attackers use automated scanning tools to identify vulnerable applications, leveraging data from services like Shodan and Censys. The broad scope of this campaign means that many organizations could potentially be affected, especially those using vulnerable configurations.

Signs of Infection

Organizations may notice unusual activity on their web applications, such as unexpected access to sensitive data or spikes in traffic. Additionally, if any credentials or SSH keys are compromised, there may be signs of unauthorized access or account takeovers.

What Data Was Exposed

The data harvested from compromised systems includes:

  • SSH private keys from 78% of hosts
  • AWS credentials from 25.6% of hosts
  • Live Stripe API keys and other sensitive tokens
  • Database connection strings with cleartext passwords

This extensive data exposure poses significant risks, including potential fraud and unauthorized access to cloud resources.

Implications for Organizations

The implications of this operation are severe. Every credential collected should be considered compromised, leading to potential account takeovers and fraudulent activities. Organizations must act swiftly to secure their systems and monitor for any signs of exploitation.

To mitigate risks, organizations should:

  • Patch vulnerable applications immediately, especially those using Next.js.
  • Rotate all exposed credentials and implement multi-factor authentication (MFA).
  • Monitor logs for any suspicious activity and conduct thorough security audits.
  • Engage with security partners to address any compromised credentials and improve overall security posture.
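To make the "rotate all exposed credentials" step concrete, here is an added example (not code from the Talos report or from CyberPings): a small triage script that classifies which of the harvested secret types a compromised host held, so each category lands on the rotation list. The file paths, prefixes matched, and key values are constructed placeholders.

```python
"""Added example (not from the Talos report): classify which harvested secret types
a compromised host held, to scope rotation. Sample files/values are constructed."""
import re
from urllib.parse import urlsplit
# One pattern per secret category named in the report; prefixes are public formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+"),
}

def redact_connection_string(url: str) -> str:
    """Keep scheme, user, host and path; never echo the password itself."""
    p = urlsplit(url)
    flag = "[cleartext password]" if p.password else "[no password]"
    return f"{p.scheme}://{p.username or '?'}@{p.hostname}{p.path} {flag}"

def classify_secrets(text: str) -> dict[str, list[str]]:
    """Map each secret category found in text to redacted evidence strings."""
    found: dict[str, list[str]] = {}
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "db_connection_string":
                value = redact_connection_string(value)
            elif category != "ssh_private_key":
                value = value[:8] + "..."  # prefix identifies the key without exposing it
            found.setdefault(category, []).append(value)
    return found

def rotation_checklist(files: dict[str, str]) -> dict[str, list[str]]:
    """files maps path -> contents; result maps category -> paths needing rotation."""
    checklist: dict[str, list[str]] = {}
    for path, contents in files.items():
        for category in classify_secrets(contents):
            checklist.setdefault(category, []).append(path)
    return checklist

# Constructed sample evidence from one host (placeholder values only).
SAMPLE_FILES = {
    "/srv/app/.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
        "STRIPE_SECRET_KEY=sk_live_placeholderplaceholder\n"
        'DATABASE_URL="postgres://app:s3cr3t@db.internal:5432/prod"\n'
        "NEXT_PUBLIC_API_URL=https://example.invalid/api\n"
    ),
    "/home/deploy/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
}
```

Run `rotation_checklist(SAMPLE_FILES)` to get one rotation item per category with the files it came from; the evidence strings are redacted so the checklist itself does not become a second copy of the secrets.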

🔒 Pro insight: The scale of UAT-10608's operation underscores the urgency for organizations to patch vulnerabilities like CVE-2025-55182 immediately.
