Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
Briefly

The article discusses a Chinese threat actor, tracked as UAT-6382, that exploited a critical vulnerability (CVE-2025-0944) in Trimble Cityworks to deploy malware such as Cobalt Strike and VShell. The vulnerability allows remote code execution, and the exploitation primarily targeted local government networks in the U.S. Cisco Talos reports that the group conducted reconnaissance and used various web shells to maintain access. The incident highlights significant security challenges in GIS-centric asset management software and ongoing concerns about cyber threats against critical infrastructure.
"UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access."
"Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utility management."
"CVE-2025-0944 (CVSS score: 8.6) refers to the deserialization of untrusted data vulnerability affecting the GIS-centric asset management software that could enable remote code execution."
"Cisco Talos, which is tracking the Rust-based loader as TetraLoader, said it's built using MaLoader, a publicly available malware-building framework written in Simplified Chinese."
Read at The Hacker News