A China-linked Advanced Persistent Threat (APT) group tracked as UAT-9686 has been actively exploiting vulnerabilities in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SWE) products. The campaign illustrates the persistent threat that state-sponsored actors pose to critical network infrastructure and email security solutions.

UAT-9686 is known for its advanced capabilities and a clear focus on cyber espionage, primarily aiming to gain unauthorized access to sensitive information held by target organizations. Its interest in Cisco’s email and web security appliances indicates an intent to compromise the very gateways designed to protect against such intrusions, allowing the group to intercept communications, bypass security controls, and exfiltrate data undetected.

The group is leveraging vulnerabilities in these Cisco products, including zero-day exploits, to deploy custom malware. By exploiting these weaknesses, UAT-9686 gains initial access, establishes persistence, and conducts reconnaissance within the victim’s network. The use of custom malware suggests a tailored approach, designed to evade standard security tools and to achieve objectives specific to each target.

Cisco Secure Email Gateway and Secure Email and Web Manager are widely deployed by organizations globally to protect against spam, phishing, and malware, and to enforce email and web usage policies. Compromising them represents a significant breach of an organization’s defensive perimeter, potentially exposing confidential communications, intellectual property, and critical business data. Once inside, UAT-9686 can monitor email traffic, extract user credentials, deploy additional malware, and establish command-and-control channels to maintain long-term access. This level of access can support sustained cyber espionage operations and the continuous collection of intelligence.

For organizations running Cisco Secure Email Gateway and Secure Email and Web Manager, the disclosure of UAT-9686’s activities calls for immediate and thorough security reviews. Cisco has issued advisories and guidance to help customers mitigate the threat. Administrators should ensure that all relevant security patches and updates from Cisco are applied promptly. Regular monitoring of network logs for suspicious activity, unusual access patterns, and the presence of unknown processes or files is equally important. Organizations should also implement robust threat detection and response capabilities, with attention to endpoint security, network segmentation, and proactive threat hunting. Enforcing multi-factor authentication (MFA) across all enterprise applications, including the administrative interfaces of security appliances, adds a further layer of defense against unauthorized access.

The targeting of essential security infrastructure by state-sponsored groups such as UAT-9686 underscores the evolving nature of modern cyber threats. Organizations must remain vigilant, prioritize patch management, and continually strengthen their defensive posture to protect their most sensitive digital assets from such espionage campaigns.