Chinese state-aligned hackers exploited a Sitecore zero-day vulnerability to target US critical infrastructure, deploying open-source tools for reconnaissance and credential theft while posing supply chain risks.

Security researchers at Cisco Talos have uncovered an active campaign where Chinese state-aligned hackers exploited a critical zero-day vulnerability in Sitecore CMS to breach American critical infrastructure organizations. Designated as UAT-8837, this advanced persistent threat (APT) group shows tactical overlaps with other China-nexus operations and demonstrates sophisticated post-compromise tradecraft.
The Zero-Day Exploit and Initial Access
The attackers leveraged CVE-2025-53690 (CVSS 9.0), a critical flaw in Sitecore's platform, to gain initial access. According to Talos researchers Asheer Malhotra, Vitor Ventura, and Brandon White, this exploitation shares infrastructure and tooling patterns with a September 2025 campaign documented by Mandiant. The repeated use of unpatched vulnerabilities indicates UAT-8837 likely maintains access to zero-day exploits for opportunistic targeting.
Post-Compromise Tradecraft
Once inside networks, UAT-8837 follows a methodical sequence:
- Reconnaissance: Mapping network architecture and security configurations
- Security Degradation: Disabling RestrictedAdmin for Remote Desktop Protocol (RDP) to bypass credential protections
- Tool Deployment: Using cmd.exe for hands-on activity before loading specialized utilities
The group extensively leverages open-source offensive tools, including:
- GoTokenTheft: Steals authentication tokens
- EarthWorm: Establishes SOCKS tunnels for command routing
- SharpHound/AD tools: Harvests Active Directory schemas and relationships
- Certipy: Exploits AD certificate services
- DWAgent: Maintains persistent remote access
Supply Chain Risks Emerge
Researchers observed UAT-8837 exfiltrating proprietary DLL libraries from victim organizations. Malhotra warns this suggests preparation for future supply chain attacks: "These libraries could be trojanized for downstream distribution or reverse-engineered to discover new vulnerabilities in critical products."
Broader Threat Context
This campaign follows Talos' recent exposure of Chinese group UAT-7290 targeting telecoms in South Asia. Western agencies including CISA, NCSC, and BSI have jointly warned about rising state-sponsored threats against operational technology (OT), emphasizing that "exposed OT connectivity is targeted by both opportunistic and highly capable actors."
Mitigation Strategies
Critical infrastructure operators should implement these defensive measures:
- Patch Immediately: Apply Sitecore's security update for CVE-2025-53690
- Harden RDP: Enforce RestrictedAdmin mode and network-level authentication
- Monitor AD Activity: Audit SharpHound/Certipy usage and Kerberos ticket requests
- Segment Networks: Isolate OT systems using the ISA/IEC 62443 framework
- Validate DLL Integrity: Implement code-signing verification for proprietary libraries
- Block Suspicious Tools: Detect and prevent execution of EarthWorm, Rubeus, and GoExec binaries
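The "Harden RDP" item above, as an added PowerShell audit that is not code from Talos, Sitecore, or the article; it assumes an elevated session on the Windows host being checked and uses the standard Lsa\DisableRestrictedAdmin and RDP-Tcp\UserAuthentication registry values, returning a compliance object and optionally restoring both settings.

```powershell
# Added example: audit (and optionally enforce) Restricted Admin mode and Network Level
# Authentication for RDP. Run elevated; registry paths are the standard Windows ones.
function Test-RdpHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $rdpPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # DisableRestrictedAdmin: 0 = Restricted Admin mode enabled (credentials are not sent
    # to the remote host); 1 or missing = disabled, the state UAT-8837 is reported to force.
    $ra = (Get-ItemProperty -Path $lsaPath -Name DisableRestrictedAdmin `
            -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $restrictedAdminOn = ($ra -eq 0)

    # UserAuthentication: 1 = NLA required before a session is created.
    $nla = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
    $nlaOn = ($nla -eq 1)

    if ($Remediate) {
        # Set-ItemProperty creates the DWORD value if it is missing.
        if (-not $restrictedAdminOn) {
            Set-ItemProperty -Path $lsaPath -Name DisableRestrictedAdmin -Value 0 -Type DWord
            $restrictedAdminOn = $true
        }
        if (-not $nlaOn) {
            Set-ItemProperty -Path $rdpPath -Name UserAuthentication -Value 1 -Type DWord
            $nlaOn = $true
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RestrictedAdminMode = $restrictedAdminOn
        NetworkLevelAuth    = $nlaOn
        Compliant           = ($restrictedAdminOn -and $nlaOn)
    }
}

# Report only; add -Remediate to enforce both settings.
Test-RdpHardening | Format-List
```

Feeding the result of a fleet-wide run (e.g. via Invoke-Command) into a SIEM gives a baseline against which a sudden flip of DisableRestrictedAdmin to 1 stands out as the security-degradation step described above.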
Talos recommends assuming breach scenarios: "Treat credential harvesting as inevitable and implement secondary authentication controls for critical systems." Regular audits of AD object permissions and certificate templates can also limit lateral movement opportunities for persistent threats like UAT-8837.
