UAT-10608: Automated Credential Harvesting Campaign Targeting Web Applications

Summary: Cisco Talos attributes UAT-10608 to an automated campaign that uses the NEXUS Listener framework to extract and exfiltrate credentials on a large scale.

Cisco Talos describes an automated credential-harvesting operation on a massive scale attributed to the group UAT-10608. The campaign relies on a framework called NEXUS Listener, designed to systematically extract and exfiltrate credentials obtained from various web applications.

The scale of the case is what stands out: the investigation documents at least 766 compromised hosts across multiple regions and cloud providers. Among the exposed data are database credentials, SSH keys, AWS credentials, shell command histories, Stripe API key secrets, and GitHub tokens, along with more than 10,120 files collected.

More than an isolated incident, the report portrays an industrialized operation with enough automation to steal credentials at scale and reuse them across internet-connected infrastructure.

Key facts

  • Automated credential-harvesting campaign attributed to the group UAT-10608.
  • Use of the NEXUS Listener framework for large-scale extraction and exfiltration of secrets.
  • Compromise of at least 766 hosts across multiple regions and cloud providers.
  • Exposure of SSH keys, AWS credentials, and environment secrets.

Why it matters

Shows how far an automated campaign can turn poorly protected credentials into a cross-cutting risk that spans web, cloud, and development environments.

Key metrics

  • Compromised hosts: 766
  • Database credentials compromised: ~701 (91.5%)
  • SSH keys compromised: ~599 (78.2%)
  • AWS credentials compromised: ~196 (25.6%)
  • Shell command histories compromised: ~245 (32.0%)
  • Stripe API keys compromised: ~87 (11.4%)
  • GitHub tokens compromised: ~66 (8.6%)
  • Total collected files: 10,120
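The categories tallied above (database credentials, SSH keys, AWS credentials, shell histories, Stripe keys, GitHub tokens) are exactly what a defender should inventory on their own hosts before an automated harvester does. The following script is an added example for this page, not Talos code and not part of NEXUS Listener analysis: it classifies a set of host file snapshots into those categories and reports per-category host counts and percentages in the same shape as the report's metrics. The AWS and Stripe sample values are the public documentation example keys those vendors publish; the host names, file contents and the database-URL and private-key patterns are constructed assumptions for illustration.

```python
"""Inventory credential material on host snapshots, grouped into the same
categories the Talos report tallies. Added example; sample data is constructed."""
import re
from collections import Counter

# Category -> regex for a secret format. AKIA..., ghp_... and sk_live_/sk_test_
# are the documented public formats of AWS access key IDs, classic GitHub PATs
# and Stripe secret keys; the database-URL and private-key patterns are generic.
SECRET_PATTERNS = {
    "database_credentials": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s/:@]+:[^\s@]+@"),
    "ssh_keys": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "aws_credentials": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_api_keys": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "github_tokens": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Files whose presence alone counts as a category (the report counts shell
# histories as a class of exposed data regardless of what they contain).
HISTORY_FILES = {".bash_history", ".zsh_history"}


def categorize_host(snapshot):
    """Return the set of exposure categories found in one host's files.

    snapshot maps a relative file path to that file's text content.
    """
    found = set()
    for path, content in snapshot.items():
        name = path.rsplit("/", 1)[-1]
        if name in HISTORY_FILES:
            found.add("shell_histories")
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                found.add(category)
    return found


def exposure_summary(hosts):
    """Count hosts per category and express it as a share of all hosts.

    hosts maps a host label to its snapshot. Returns
    {category: (host_count, percent_of_hosts)}, sorted by category.
    """
    total = len(hosts)
    counter = Counter()
    for snapshot in hosts.values():
        counter.update(categorize_host(snapshot))
    return {cat: (n, round(100.0 * n / total, 1))
            for cat, n in sorted(counter.items())}


# Constructed host snapshots (hypothetical hosts). The AWS and Stripe values
# are the example keys from those vendors' documentation; the rest is made up.
HOST_SNAPSHOTS = {
    "web-01": {
        ".env": "DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app\n"
                "STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc\n",
        ".bash_history": "git push origin main\nmysql -u root -p\n",
    },
    "web-02": {
        ".aws/credentials": "[default]\n"
                            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                           "b3BlbnNzaC1rZXktdjEAAAAA\n"
                           "-----END OPENSSH PRIVATE KEY-----\n",
    },
    "build-03": {
        ".git-credentials": "https://ci:ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com\n",
        ".zsh_history": "npm publish\n",
    },
    "clean-04": {
        "README.md": "No secrets here.\n",
    },
}

if __name__ == "__main__":
    for category, (n, pct) in exposure_summary(HOST_SNAPSHOTS).items():
        print(f"{category:22s} {n:3d} hosts ({pct}%)")
```

Run against real hosts by replacing HOST_SNAPSHOTS with the contents of each machine's home directories and deployment paths; any host that lands in the database, AWS, Stripe or GitHub categories holds a reusable secret in plaintext and is a rotation candidate, and the percentages let you compare your own exposure profile with the one the report documents.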