{"id":3304,"date":"2025-05-23T11:40:32","date_gmt":"2025-05-23T11:40:32","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3304"},"modified":"2025-05-23T11:40:32","modified_gmt":"2025-05-23T11:40:32","slug":"beijing-may-have-breached-us-government-systems-before-cityworks-plugged-a-critical-flaw","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3304","title":{"rendered":"Beijing may have breached US government systems before Cityworks plugged a critical flaw"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A now-patched high-severity security flaw affecting Trimble Cityworks \u2014 specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services \u2014 was abused by Chinese hackers to compromise systems before a patch was available.<\/p>\n<p>According to a Talos intelligence report, the flaw (tracked as <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-0994\">CVE-2025-0994<\/a>) in the Geographic Information System (GIS)-based asset management tool was used by hackers in <a href=\"https:\/\/www.csoonline.com\/article\/3989785\/ethical-hackers-exploited-zero-day-vulnerabilities-against-popular-os-browsers-vms-and-ai-frameworks.html\">zero-day<\/a> exploitation for achieving remote code execution and subsequent malware delivery.<\/p>\n<p>\u201cTalos has found intrusions in enterprise networks of local governing bodies in the United States (US), beginning January 2025 when initial exploitation first took place,\u201d the cybersecurity outfit said in a blog post, attributing the exploitation to the entity it tracks as \u2018UAT-6382\u2019. \u201cBased on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor, Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.\u201d<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency (CISA) had flagged the <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-25-037-04\" target=\"_blank\" rel=\"noopener\">flaw<\/a> in February for its ability to compromise critical ICS systems. Trimble <a href=\"https:\/\/learn.assetlifecycle.trimble.com\/i\/1532182-cityworks-customer-communication-2025-02-06-docx\/0?\" target=\"_blank\" rel=\"noopener\">addressed<\/a> the vulnerability by releasing security updates in January.<\/p>\n<h2 class=\"wp-block-heading\">Hackers used Cobalt Strike and VShell payloads<\/h2>\n<p>Based on evidence presented by Talos, threat actors exploited CVE-2025-0994 to deploy malicious payloads that include Rust-based loaders, obfuscated JavaScript, and tools like <a href=\"https:\/\/www.csoonline.com\/article\/574143\/here-is-why-you-should-have-cobalt-strike-detection-in-place.html\">Cobalt Strike<\/a> and VShell for advanced attacks.<\/p>\n<p>\u201cUAT-6382 successfully exploited CVE-2025-0994, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,\u201d Talos <a href=\"https:\/\/blog.talosintelligence.com\/uat-6382-exploits-cityworks-vulnerability\/\" target=\"_blank\" rel=\"noopener\">said<\/a>. \u201cUpon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management.\u201d<\/p>\n<p>Once inside a Cityworks system, often through stolen credentials or <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a>, attackers exploited the flaw to quietly upload disguised Rust-based malware loaders. The loader then pulls in malware for persistence or deeper intrusion, some even masquerading as legitimate Cityworks services, e.g., CityworksCacheLayerService.exe, to avoid raising alarms.<\/p>\n<p>For deeper intrusion, hackers relied on tools like Cobalt Strike and VShell, and slipped malicious JavaScript into overlooked directories.<\/p>\n<h2 class=\"wp-block-heading\">Deserialization bug allowed RCE on Microsoft IIS<\/h2>\n<p>The vulnerability, which impacts Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10, is a deserialization flaw that was assigned a severity rating of CVSS 8.6 out of 10.<\/p>\n<p>On successful exploitation, the bug allows authenticated attackers to execute remote code (RCE) on a target\u2019s Microsoft Internet Information Services (IIS) web server, a significant risk considering it could lead to unauthorized access and control over critical systems. Trimble had fixed the issue with two January rollouts, Cityworks 15.8.9 and Office Companion 23.10, and urged customers to update affected systems promptly.<\/p>\n<p>\u201cOn premise customers should install the updated version immediately,\u201d the company had said. \u201cThese updates will be automatically applied to all Cityworks Online (CWOL) deployments.\u201d<\/p>\n<p>As added mitigation steps, Trimble recommended that its on-premise customers not run IIS with local or domain-level administrative privileges on any site, a configuration automatically set for CWOL users.<\/p>\n<p>Inappropriate attachment directory configurations were also flagged by the company with instructions to limit these configurations to folders\/subfolders containing only attachments. Talos reported that zero-day exploits aren\u2019t too shocking, considering an <a href=\"https:\/\/advisory.eventussecurity.com\/advisory\/cityworks-vulnerability-allows-attackers-to-compromise-critical-infrastructure-systems\/\" target=\"_blank\" rel=\"noopener\">Eventus scan<\/a> in February found 111 publicly accessible Cityworks instances, out of which approximately 21% were found to be vulnerable to CVE-2025-0994.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A now-patched high-severity security flaw affecting Trimble Cityworks \u2014 specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services \u2014 was abused by Chinese hackers to compromise systems before a patch was available. According to a Talos intelligence report, the flaw (tracked as CVE-2025-0994) in the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3305,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3304"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3304"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3304\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3305"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}