Chinese hackers breach US local governments using Cityworks zero-day

Chinese-speaking hackers have exploited a now-patched Trimble Cityworks zero-day to breach multiple local governing bodies across the United States.

Trimble Cityworks is Geographic Information System (GIS)-based asset management and work order management software used primarily by local governments, utilities, and public works organizations. It is designed to help infrastructure agencies and municipalities manage public assets, handle permitting and licensing, and process work orders.

The hacking group (UAT-6382) behind this campaign used a Rust-based malware loader to deploy Cobalt Strike beacons and VSHell malware designed to backdoor compromised systems and provide long-term persistent access, as well as web shells and custom malicious tools written in Chinese.

These attacks started in January 2025, when Cisco Talos observed the first signs of reconnaissance activity within the breached organizations’ networks.

“Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management,” said Cisco Talos security researchers Asheer Malhotra and Brandon White.

“The web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in the Chinese language. Furthermore, the custom tooling, TetraLoader, was built using a malware-builder called ‘MaLoader’ that is also written in Simplified Chinese.”

Federal agencies warned to patch immediately

The security flaw exploited in these attacks (CVE-2025-0994) is a high-severity deserialization vulnerability that allows authenticated threat actors to execute code remotely on the targets’ Microsoft Internet Information Services (IIS) servers.

In early February 2025, when it released security updates to patch this vulnerability, Trimble warned that it was aware of attackers trying to exploit CVE-2025-0994 to breach some Cityworks deployments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2025-0994 to its catalog of actively exploited vulnerabilities on February 7, ordering federal agencies to patch their systems within three weeks as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned.

Days later, on February 11, CISA released an advisory warning to organizations in the water and wastewater systems, energy, transportation systems, government services and facilities, and communications sectors to “install the updated version immediately.”
