
Chinese Hackers Caught Red-Handed: Exposed Server Reveals Global Cyber Attacks on Critical Infrastructure

Author
Quiet. Please
Published
Thu 22 May 2025
Episode Link
https://www.spreaker.com/episode/chinese-hackers-caught-red-handed-exposed-server-reveals-global-cyber-attacks-on-critical-infrastructure--66212276

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.

*Shuffles papers dramatically*

Hey there, cyber-watchers! Ting here with your Digital Dragon Watch, where we track the footprints of China's digital dragons across the cyber landscape. And wow, this week has been a doozy!

Earlier this week, on May 14th, EclecticIQ dropped a bombshell report about Chinese state-backed hackers launching global attacks on critical infrastructure. These sophisticated threat actors, including UNC5221, UNC5174, and CL-STA-0048, have been targeting SAP NetWeaver systems using CVE-2025-31324, an unauthenticated file upload vulnerability that allows remote code execution. According to Arda Büyükkaya at EclecticIQ, these hackers actually left an openly accessible directory on their server containing result files from Nuclei scans of vulnerable SAP NetWeaver instances. Talk about leaving digital fingerprints!

But wait, there's more! Just today, we've learned that Chinese hackers are exploiting fresh vulnerabilities in Ivanti's Endpoint Manager Mobile software. The threat actor UNC5221 – yes, the same group from the SAP attacks – has been targeting a wide range of sectors across Europe, North America, and Asia-Pacific since May 15th. They're exploiting two vulnerabilities tracked as CVE-2025-4427 and CVE-2025-4428, which can be chained together to execute arbitrary code without authentication.

What's particularly concerning is the sophistication of these attacks. UNC5221 demonstrates deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration. Given that EPMM manages configurations for enterprise mobile devices, successful exploitation could compromise thousands of managed devices across an organization.

The sectors in the crosshairs? Healthcare, telecommunications, aviation, municipal government, finance, and defense. This shows a clear pattern of targeting critical infrastructure and sensitive information.

On the defensive front, Ivanti patched these vulnerabilities last week, but organizations should immediately verify that they've applied the fixes. Security teams should also be hunting for indicators of compromise related to UNC5221, particularly focusing on unusual network traffic or suspicious activities involving mobile device management systems.

For those dealing with SAP NetWeaver, implement network segmentation, deploy web application firewalls, and monitor for unusual file upload attempts.
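As an added illustration of that last recommendation (this is example code written for these notes, not something from the episode, EclecticIQ, SAP or Ivanti), here is a small hunting script that walks web-server access logs in Common Log Format and flags upload-style requests worth a second look: unauthenticated POST/PUT traffic to an upload endpoint, requests that name an executable or web-shell file type, and scanner-like bursts from a single source. The log lines are constructed for the example, and the `UPLOAD_PATHS` list is a hypothetical placeholder that an operator would replace with the upload endpoints of their own application.

```python
"""Hunt for suspicious file-upload attempts in web access logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical placeholder: the upload endpoints of your own application.
UPLOAD_PATHS = ("/upload", "/api/files")

# File types an application server should never accept as uploaded content.
RISKY_EXT = {".jsp", ".jspx", ".war", ".jar", ".class", ".sh", ".php"}

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: two unauthenticated POSTs to /upload (one naming a
# .jsp), an authenticated upload by "alice", a GET, and a PUT of a .war file.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2025:10:01:02 +0000] "POST /upload HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2025:10:01:03 +0000] "POST /upload?file=cmd.jsp HTTP/1.1" 200 534
198.51.100.4 - alice [20/May/2025:10:05:10 +0000] "POST /api/files HTTP/1.1" 201 88
198.51.100.4 - alice [20/May/2025:10:05:12 +0000] "GET /api/files/report.pdf HTTP/1.1" 200 9012
203.0.113.7 - - [20/May/2025:10:01:04 +0000] "PUT /static/helper.war HTTP/1.1" 403 0
""".splitlines()


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def _extension(name: str) -> str:
    """Lower-cased extension of the last path segment, or '' if none."""
    last = name.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot != -1 else ""


def _risky_name(path: str) -> bool:
    """True if the request path or any query value names a risky file type."""
    base, _, query = path.partition("?")
    candidates = [base] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(_extension(c) in RISKY_EXT for c in candidates)


def hunt_uploads(lines, burst_threshold: int = 5) -> list:
    """Return a list of Finding objects for upload-style requests that look suspicious."""
    findings = []
    posts_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue  # skip unparsable lines and non-upload methods
        ip, user, path = m["ip"], m["user"], m["path"]
        base = path.partition("?")[0]
        posts_per_ip[ip] += 1
        # CLF records the authenticated user in the third field; "-" means none.
        if user == "-" and any(base.startswith(p) for p in UPLOAD_PATHS):
            findings.append(Finding(ip, base, "unauthenticated request to upload endpoint"))
        if _risky_name(path):
            findings.append(Finding(ip, base, "executable/web-shell file type in upload request"))
    # Many upload-style requests from one source in a short log window looks like a scanner.
    for ip, n in posts_per_ip.items():
        if n >= burst_threshold:
            findings.append(Finding(ip, "*", f"{n} upload-style requests from one source (scanner-like burst)"))
    return findings


if __name__ == "__main__":
    for f in hunt_uploads(SAMPLE_LOG, burst_threshold=3):
        print(f"{f.ip:15} {f.path:25} {f.reason}")
```

The script deliberately stays signature-free: it keys on who is uploading, what file type is named, and how often, rather than on any exploit-specific URL, so it keeps working for upload endpoints the vendor advisory does not mention. Tune `burst_threshold` to the log window you feed it, and feed it the reverse-proxy or WAF log in front of the application server rather than the application's own log, which an attacker who has achieved code execution may be able to alter.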

Remember folks, these Chinese threat actors aren't just opportunistic – they're showing strategic patience and deep technical knowledge. Many of these groups, like UNC5221, have been active since at least 2023, demonstrating persistent campaigns targeting edge network appliances.

Stay vigilant, keep those patches current, and I'll see you next week on Digital Dragon Watch! This is Ting, signing off until our next cyber adventure!

For more http://www.quietplease.ai

