Full Report
Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
Analysis Summary
This article documents the evolving trend of compartmentalized cyberattacks and highlights a specific active exploitation campaign against Cityworks infrastructure by Chinese-speaking threat actors (UAT-6382).
# Incident Report: UAT-6382 Exploitation of Cityworks Vulnerability
## Executive Summary
Chinese-speaking threat actors, identified as UAT-6382, have actively exploited a critical remote code execution vulnerability (CVE-2025-0994) in the Cityworks asset management system. The threat actors deployed advanced malware loaders and utilized various tools, including Cobalt Strike, to establish long-term persistence and control within compromised environments. While known intrusions have been contained, the potential for ongoing exploitation remains.
## Incident Details
- **Discovery Date:** Not stated explicitly; the activity was disclosed in recent Talos research, and context suggests detection occurred in the period leading up to that report.
- **Incident Date:** Around the time of the Talos publication describing in-the-wild exploitation of CVE-2025-0994.
- **Affected Organization:** Organizations utilizing Cityworks asset management systems.
- **Sector:** Unspecified, likely Government/Utilities/Infrastructure (based on Cityworks usage).
- **Geography:** Primary location of the reported exploitation not specified; the exploitation is described as occurring "in the wild."
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but confirmed to be actively occurring prior to the report date.
- **Vector:** Remote Code Execution (RCE) vulnerability in Cityworks asset management system.
- **Details:** Exploitation of **CVE-2025-0994**.
### Lateral Movement
- **Details:** Use of sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to establish persistence and burrow deep into systems.
### Data Exfiltration/Impact
- **Details:** The primary risk is data breaches and operational downtime resulting from deep system compromise.
### Detection & Response
- **Details:** Talos shared findings regarding the exploitation in a recent blog post.
- **Response Actions:** Intrusions mentioned in the blog post have been contained; organizations are urged to scan using provided IOCs.
## Attack Methodology (Based on UAT-6382 activity)
- **Initial Access:** Remote Code Execution via CVE-2025-0994 (Cityworks RCE).
- **Persistence:** Deployment of advanced malware for long-term control.
- **Privilege Escalation:** Implied capability via advanced tool usage (Cobalt Strike use suggests deep operational control).
- **Defense Evasion:** Use of sophisticated/custom tooling (e.g., Rust-based loaders).
- **Credential Access:** Not explicitly detailed in the source, though typical of a compromise at this depth.
- **Discovery:** Implied by the need to utilize frameworks like Cobalt Strike post-exploitation.
- **Lateral Movement:** Cobalt Strike deployment suggests capability to move within the network.
- **Collection:** Not explicitly detailed, but intended outcome is data breaches.
- **Exfiltration:** Intended outcome is data breaches.
- **Impact:** Operational downtime and data breaches.
## Impact Assessment
- **Financial:** Not quantified in the provided text.
- **Data Breach:** Potential for data breaches due to deep persistence established by the threat actor.
- **Operational:** Risk of operational downtime.
- **Reputational:** Not detailed, but risk exists for affected organizations.
## Indicators of Compromise
*(Note: Specific IOCs are published in the external Talos blog post and are not reproduced here; the report highlights the need to check them.)*
- **Network indicators:** Refer to Talos blog for specific defanged URLs/IPs.
- **File indicators:** Refer to Talos blog for specific file hashes.
- **Behavioral indicators:** Use of web shells, Rust-based malware loaders, and Cobalt Strike activity.
## Response Actions
- **Containment:** Intrusions described in the Talos blog have reportedly been contained.
- **Eradication:** Not detailed, but general action would involve cleaning affected Cityworks instances.
- **Recovery:** Not detailed, but entities must use IOCs to scan and remediate actively exploited environments.
## Lessons Learned
- **Key Takeaways:** Exploitation of core asset management systems (like Cityworks) via known RCEs remains a significant threat vector, allowing sophisticated actors (UAT-6382) to deploy complex malware setups for long-term access.
- **What could have been done better:** Organizations must prioritize patching vulnerabilities like CVE-2025-0994 immediately upon release, especially those affecting critical infrastructure management software.
## Recommendations
- Immediately patch all instances of Cityworks vulnerable to **CVE-2025-0994**.
- Scan environments using the Indicators of Compromise (IOCs) published in the related Talos research.
- Implement proactive monitoring for behaviors associated with web shell activity and Cobalt Strike beacons.
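One way to act on the monitoring recommendation above for the web shell side, as an added example that is not from the report or from Talos: diff POST traffic to server-side script paths against an allowlist of the application's legitimate endpoints. It assumes an IIS/ASP.NET host with W3C-format access logs, a hypothetical `KNOWN_ENDPOINTS` allowlist built from a clean install, and the constructed sample lines shown.

```python
import re

# Hypothetical allowlist of legitimate application script paths, built by a defender
# from a clean Cityworks install. Any other server-side script receiving POSTs is suspect.
KNOWN_ENDPOINTS = {"/cityworks/login.aspx", "/cityworks/api/data.ashx"}
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)

# Constructed W3C/IIS-style log lines with fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2025-05-20 10:01:02 10.0.0.5 GET /cityworks/login.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2025-05-20 10:01:09 10.0.0.5 POST /cityworks/login.aspx - 443 - 10.0.0.20 Mozilla/5.0 302
2025-05-20 10:03:44 10.0.0.5 POST /cityworks/images/cache.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-05-20 10:03:50 10.0.0.5 POST /cityworks/images/cache.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-05-20 10:05:00 10.0.0.5 GET /cityworks/api/data.ashx id=1 443 - 10.0.0.21 Mozilla/5.0 200
"""

def parse_w3c(line):
    """Split one W3C log line into the fields the check needs; skip comments/short lines."""
    f = line.split()
    if len(f) < 11 or f[0].startswith("#"):
        return None
    return {"ts": f"{f[0]} {f[1]}", "method": f[3], "path": f[4].lower(),
            "client": f[8], "status": f[10]}

def find_webshell_candidates(log_text, known=KNOWN_ENDPOINTS):
    """Return {path: {"clients": set, "posts": n, "first": ts}} for server-side
    script paths outside the allowlist that received POST requests."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if not rec or rec["method"] != "POST" or not SCRIPT_EXT.search(rec["path"]):
            continue
        if rec["path"] in known:
            continue  # legitimate application endpoint
        h = hits.setdefault(rec["path"], {"clients": set(), "posts": 0, "first": rec["ts"]})
        h["clients"].add(rec["client"])
        h["posts"] += 1
    return hits

if __name__ == "__main__":
    for path, h in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"{path}: {h['posts']} POSTs from {sorted(h['clients'])}, first seen {h['first']}")
```

Candidates it returns should be confirmed on disk (file creation time, content) before being treated as a web shell; the allowlist must be refreshed after each application upgrade to avoid false positives.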