Threat Intel (Severity: HIGH)

Credential Harvesting - Inside UAT-10608's Operations

Source: Cisco Talos Intelligence
Tags: UAT-10608, NEXUS Listener, CVE-2025-55182, credential harvesting, Next.js

In short: a threat group is using automated tooling to steal credentials from vulnerable web apps.

Quick Summary

Cisco Talos reveals a major credential harvesting operation by UAT-10608, compromising 766 hosts. The attackers exploit vulnerabilities in Next.js applications to steal sensitive data. Organizations must act quickly to secure their systems and mitigate risks.

What Happened

Cisco Talos has uncovered a large-scale automated credential harvesting campaign attributed to a threat cluster known as UAT-10608. This operation primarily targets Next.js applications that are vulnerable to a specific flaw known as React2Shell (CVE-2025-55182). By exploiting these vulnerabilities, the attackers have compromised at least 766 hosts across various regions and cloud providers.

How It Works

The UAT-10608 campaign utilizes a framework called NEXUS Listener. This framework automates the extraction and exfiltration of credentials, SSH keys, cloud tokens, and environment secrets. The attackers deploy scripts that run automatically, collecting sensitive information without further manual intervention. The data is then sent to a command and control (C2) server, where it is organized and made accessible through a web-based interface.

Who's Being Targeted

The operation has indiscriminately targeted public-facing web applications, particularly those built with Next.js. The attackers use automated scanning tools to identify vulnerable applications, leveraging data from services like Shodan and Censys. Because the campaign is so broad, many organizations could be affected, especially those running vulnerable configurations.

Signs of Infection

Organizations may notice unusual activity on their web applications, such as unexpected access to sensitive data or spikes in traffic. Additionally, if any credentials or SSH keys are compromised, there may be signs of unauthorized access or account takeovers.

What Data Was Exposed

The data harvested from compromised systems includes:

  • SSH private keys from 78% of hosts
  • AWS credentials from 25.6% of hosts
  • Live Stripe API keys and other sensitive tokens
  • Database connection strings with cleartext passwords

This extensive data exposure poses significant risks, including potential fraud and unauthorized access to cloud resources.

Implications for Organizations

The implications of this operation are severe. Every credential collected should be considered compromised, leading to potential account takeovers and fraudulent activities. Organizations must act swiftly to secure their systems and monitor for any signs of exploitation.

To mitigate risks, organizations should:

  • Patch vulnerable applications immediately, especially those using Next.js.
  • Rotate all exposed credentials and implement multi-factor authentication (MFA).
  • Monitor logs for any suspicious activity and conduct thorough security audits.
  • Engage with security partners to address any compromised credentials and improve overall security posture.
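Rotating "all exposed credentials" starts with knowing which of the harvested categories (SSH private keys, AWS credentials, live Stripe keys, connection strings with embedded passwords) are present in a host's environment files. The following triage helper is an added example, not code from Talos or from the campaign; the `.env` text and every key value in it are constructed, and the `AKIA`/`sk_live_` prefixes and PEM headers are public format conventions.

```python
"""Inventory environment secrets by the categories this campaign is reported
to harvest, so a responder knows what to rotate first.  Added example, not
Talos or campaign code; the .env text and every key value are constructed."""
import re
from typing import Dict, List

# Category -> pattern. The AKIA / sk_live_ prefixes and PEM headers are public
# format conventions; the connection-string pattern catches any URL that embeds
# a cleartext password (scheme://user:password@host).
PATTERNS: Dict[str, re.Pattern] = {
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}\b"),
    "db_conn_string": re.compile(r"\b\w+://[^:\s/]+:[^@\s/]+@[^\s/]+"),
}
# Dict order doubles as rotation priority: the report's 78% SSH / 25.6% AWS
# figures put those categories first.
ROTATION_PRIORITY = list(PATTERNS)

SAMPLE_ENV = """\
# constructed .env for a Next.js deployment; all values are fake
NEXT_PUBLIC_API_URL=https://api.example.test
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY="sk_live_EXAMPLE00000000000000000000"
DATABASE_URL=postgres://app:Sup3rS3cret@db.internal:5432/app
DEPLOY_KEY='-----BEGIN OPENSSH PRIVATE KEY-----'
"""

def classify_env(text: str) -> Dict[str, List[str]]:
    """Map each secret category to the env var NAMES whose value matches.
    Values are deliberately not returned, so the report is not another copy of
    the secret. AWS secret keys have no fixed prefix: rotate them with their ID."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip('"').strip("'")
        for category, pattern in PATTERNS.items():
            if pattern.search(value):
                found.setdefault(category, []).append(name.strip())
    return found

def rotation_order(found: Dict[str, List[str]]) -> List[str]:
    """Flatten the findings into the order the credentials should be rotated."""
    return [n for cat in ROTATION_PRIORITY for n in found.get(cat, [])]
```

Run `classify_env` over each deployment's environment files (and any `.env` committed to version control) to produce the rotation worklist; it reports variable names only, so the output can be shared with the team without copying the secrets again.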

🔒 Pro insight: The scale of UAT-10608's operation underscores the urgency for organizations to patch vulnerabilities like CVE-2025-55182 immediately.

Original article from Cisco Talos Intelligence · Asheer Malhotra
