OpenSource Hacking Tools, Budget Constraints Drive AI Use, and New CISA OT Guidelines

 

Taiwan Web Servers Breached by Chinese-Speaking APT Group UAT-7237 

A Chinese-speaking advanced persistent threat (APT) group, UAT-7237, has been targeting web infrastructure in Taiwan using customized open-source hacking tools. This group is believed to be a sub-group of UAT-5918, which has been active against Taiwan's critical infrastructure since at least 2023. 

UAT-7237 employs a bespoke shellcode loader called SoundBill, which launches secondary payloads like Cobalt Strike. SoundBill is based on an earlier shellcode loader called VTHello. It decodes a file named ptiti.txt on disk and that content is then executed as shellcode. That shellcode can be anything from a Cobalt Strike beacon, a Mimikatz payload, or arbitrary command execution. Cobalt Strike is a commercial pen-testing tool designed for red team operations and adversary simulations. Unfortunately, it is also widely abused by threat actors for post-exploitation activities in cyber attacks.

UAT-7237's attack methods include exploiting known vulnerabilities in upatched internet-facing  servers. They then use SoftEther VPN and RDP for persistent access and deploy tools like JuicyPotato for privilege escalation or Mimikatz for credential theft. They will then disable UAC through the Windows Registry and enable cleartext password storage. The VPN client is configured to use Simplified Chinese. 

There is a new related threat where a separate China-aligned group, Gelsemium, has been linked to a new variant of the FireWood backdoor. This version uses a kernel rootkit to hide processes and execute commands.  

https://thehackernews.com/2025/08/taiwan-web-servers-breached-by-uat-7237.html  

 

Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon's Reach to Linux and macOS 

Japan's CERT Coordination Center (JPCERT/CC) has reported a cyberattack campaign that utilized CrossC2, a command-and-control framework designed to extend Cobalt Strike Beacon functionality to Linux and macOS systems. The activity, observed between September and December 2024, targeted multiple countries, including Japan. 

Cobalt Strike's Beacon is the main payload used for command-and-control and supports remote command execution, file transfers, privilege escalation, and lateral movement. It also has post-exploitation tools that perform keylogging, screenshot capture, and credential harvesting.  

CrossC2 is an extension framework that allows Cobalt Strike's Beacon to run on non-Windows platforms, specifically Linux and macOS. It uses custom loaders to deploy Beacons on Linux/MacOS while maintaining compatibility with Cobalt Strike for seamless control.

Key Findings: 

  • CrossC2 was used alongside tools like PsExecPlink, and Cobalt Strike to penetrate Active Directory environments. 
  • Attackers deployed a custom loader named ReadNimeLoader, written in Nim, which sideloads malicious DLLs using legitimate binaries like java.exe. 
  • The loader executes shellcode in memory using OdinLdr, avoiding disk traces and incorporating anti-debugging techniques. 
  • The campaign shows overlap with BlackSuit/Black Basta ransomware activity, including shared C2 domains and file naming conventions. 
  • Several ELF versions of SystemBC, a known backdoor, were also found, indicating a potential ransomware deployment. 
  • JPCERT/CC emphasized the vulnerability of Linux servers, which often lack endpoint detection and response (EDR) systems. 

The report highlights the growing sophistication of cross-platform cyber threats and the need for enhanced security measures, especially for Linux environments.

https://thehackernews.com/2025/08/researchers-warn-crossc2-expands-cobalt.html  

 

Tight Cybersecurity Budgets Accelerate the Shift to AI-Driven Defense 

Due to economic and political pressures, cybersecurity budgets are tightening. This forces organizations to rely more heavily on AI-powered automation to maintain defenses and fill staffing gaps. Reports from IANS and Swimlane highlight: 

  • Budget Growth Slowdown: Cybersecurity budgets are still increasing, but at a much slower rate—down from 17% in 2022 to just 4% in 2025. 
  • Economic Factors: Global market volatility, inflation, and geopolitical tensions are making business planning unpredictable. 
  • Federal Policy Impact: Swimlane points to reduced funding for CISA and the disbanding of the Cyber Safety Review Board as key contributors to budget constraints. 
  • Operational Strain: Security teams face staff shortages, delayed initiatives, and increased risk exposure. 
  • AI Adoption: Organizations are turning to AI tools for tasks like alert triage and threat detection to compensate for limited human resources. 
  • Global Ripple Effects: UK firms are reassessing relationships with US cybersecurity vendors, with many shifting toward EU-based providers due to concerns over US policy. 

The article underscores the growing reliance on agentic AI in cybersecurity. Security teams are being forced to do more with less, and rely more on their own cybersecurity teams and less on national cybersecurity. This will lead to a larger reliance on Agentic AI, which could add to a company's threat surface and decrease their need for human cybersecurity expertise.  

Here is a list of areas where AI is playing a role in cybersecurity:

1. Threat Detection and Prevention

AI systems analyze vast amounts of data to identify patterns and anomalies that may indicate cyber threats. This includes:

  • Malware detection
  • Phishing attempts
  • Intrusion detection
  • Zero-day vulnerabilities

Machine learning models can learn from historical attack data to predict and prevent future threats. 

2. Automated Incident Response

AI can automate responses to common security incidents, such as:

  • Isolating infected devices
  • Blocking malicious IP addresses
  • Alerting security teams with prioritized threat levels   

This reduces response time and minimizes damage. 

3. Security Operations Center (SOC) Efficiency

AI helps SOC teams by:

  • Triage of alerts: Filtering out false positives and highlighting critical threats
  • Log analysis: Parsing logs from multiple sources to find correlations
  • Workload reduction: Allowing human analysts to focus on complex tasks

4. Behavioral Analytics

AI monitors user and device behavior to detect unusual activity, such as:

  • Unauthorized access attempts
  • Data exfiltration
  • Privilege escalation

This is especially useful for identifying insider threats. 

5. Threat Intelligence

AI aggregates and analyzes threat intelligence from multiple sources. This helps organizations stay ahead of emerging threats and adapt defenses accordingly. 

6. Vulnerability Management

AI can scan systems for vulnerabilities, prioritize them based on risk, and even suggest or automate patching strategies. 

7. Adaptive Defense

AI enables dynamic security measures that adjust based on real-time threat levels, such as:

  • Changing firewall rules
  • Modifying access controls
  • Deploying honeypots 

These are all areas where AI can help, but it still requires a lot of human interaction and checking since hallucinations are a real possibility. I believe that AI should be used as a tool to assist Security Engineers in their work, not replace it. But with tightening budgets, something has to give, and unfortunately the overall security may suffer.

https://www.securityweek.com/tight-cybersecurity-budgets-accelerate-the-shift-to-ai-driven-defense/  

 

CISA Urges Stronger Cybersecurity for Operational Technology (OT) Systems 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is calling on organizations with Operational Technology (OT) environments—such as those in manufacturing, energy, and water systems—to significantly improve their cybersecurity posture. This comes amid a sharp rise in cyberattacks targeting OT, with an 87% increase in 2024 alone, according to Dragos. 

The FBI has also noticed an increase in attacks on critical infrastructure where OT systems often reside. In 2024, researchers also discovered two malware variants that were designed to target OT. It was noted that this was an incredible rarity.  

OT systems, which control physical processes, are increasingly connected to the internet, making them more vulnerable. This has led CISA, along with agencies from the U.S. and allied nations, to release new foundational guidance focused on building a taxonomy-based OT asset inventoryThis inventory helps classify and prioritize OT assets based on function and criticality, aiding in risk management and incident response. The guidance includes examples from industries like oil and gas, energy, and water. It also recommends tracking details such as hostnames, IPs, OS image baselines, and communication protocols. CISA emphasizes that securing OT is essential for national security and the continuity of critical infrastructure services. 

CISA is strongly encouraging organizations to adopt this guidance to better protect their most vital systems.  

https://www.theregister.com/2025/08/14/cisa_begs_ot_admins_to/  

https://www.cisa.gov/resources-tools/resources/foundations-ot-cybersecurity-asset-inventory-guidance-owners-and-operators  

Published Aug 19, 2025
Version 1.0
f5 sirt
security
twis
No CommentsBe the first to comment