New Threat Actor UAT-9921 Exploits VoidLink Framework for Intrusions
TL;DR: Cisco Talos has identified a threat actor, UAT-9921, employing the newly developed VoidLink framework to carry out cyberattacks, primarily targeting Linux-based systems. The actor’s operations indicate activities dating back to 2019, leveraging both compromised credentials and known software vulnerabilities.
Cisco Talos has uncovered a new threat actor known as UAT-9921, utilizing the VoidLink modular framework to facilitate their cyber campaigns against technology and financial sectors. Initially active since 2019, UAT-9921 has demonstrated their capability to exploit vulnerabilities, particularly in Java serialization through the Apache Dubbo project, and utilize pre-obtained credentials for server compromises. While they are thought to utilize VoidLink predominantly in contemporary assaults, they may have previously operated with different tools.
VoidLink stands out due to its AI-enabled features, enabling on-demand compilation of plugins, creating a highly adaptable implant management framework tailored for Linux environments. UAT-9921 deploys the VoidLink C2 (command and control) system post-infection to conceal their activities and conduct internal reconnaissance through the installation of a SOCKS server integrated with FSCAN tools. This modular architecture echoes a worrying trend in cyber threats, showcasing shorter development cycles and easier adaptability, closely resembling other frameworks like Cobalt Strike and Manjusaka.
Why this matters: The emergence of UAT-9921 and the VoidLink framework signifies an advancing threat landscape where attackers can quickly assemble sophisticated tools, complicating detection and response for security teams. The focus on Linux systems, particularly in cloud and IoT environments, amplifies the risk, as these platforms underpin critical infrastructure.
Threat detection solutions such as SIEMs, with comprehensive monitoring capabilities, can assist defenders by identifying anomalous activities linked to the VoidLink framework. Regular vulnerability assessments and timely patching strategies are essential to mitigate the risks posed by exploits used by UAT-9921.
Indicators of Compromise (IOCs):
- Snort Rules:
- Snort2: 1:65915 – 1:65922, 1:65834-65842
- Snort3: 1:65915 – 1:65922, 1:65834-65838, 1:310388-1:310389
- ClamAV Signature:
- Unix.Trojan.VoidLink-10059283
