Since at least the end of 2021, a Chinese hacking group has been exploiting the critical vCenter Server vulnerability CVE-2023-34048.
VMware confirmed on Wednesday that it is aware of in-the-wild exploitation of CVE-2023-34048, although it did not provide any additional information on the attacks. The flaw was patched in October.
However, as security firm Mandiant revealed today, the UNC3886 Chinese cyber espionage group exploited the vulnerability as part of a previously reported campaign that was exposed in June 2023.
The cyberspies gained access to their targets' vCenter servers and compromised credentials, then installed the VirtualPita and VirtualPie backdoors on ESXi hosts through maliciously crafted vSphere Installation Bundles (VIBs).
In the next stage, they exploited the CVE-2023-20867 VMware Tools authentication bypass flaw to escalate privileges, harvest files, and exfiltrate them from guest VMs.
Mandiant discovered the connection, of which it had previously been unaware, in late 2023, when a VMware vmdird service crash minutes before the backdoors' deployment was found to closely match CVE-2023-34048 exploitation.
Mandiant observed these crashes across numerous UNC3886 cases between late 2021 and early 2022, leaving a window of roughly 1.5 years during which this attacker had access to this vulnerability.
In most of the environments where these crashes were seen, the log entries were still present, but the actual vmdird core dumps had been removed.
“VMware’s default configurations keep core dumps on the system for an indefinite amount of time, suggesting that the attacker purposefully removed the core dumps in an effort to hide their tracks.”
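The point above gives defenders a concrete check: a vmdird crash that is recorded in the logs but has no matching core dump on disk is worth investigating, because the default configuration retains dumps indefinitely. The following script is an added example, not code from the article or from Mandiant. The log line format it parses and the core-dump naming scheme (`core.vmdird-<pid>` under `/var/core`) are assumptions made for the illustration; the sample log lines and file listing are constructed inline so the check runs offline. On a real appliance, adjust the regex and paths to the log format actually present before relying on the result.

```python
"""Flag vmdird crashes that have no matching core dump (possible anti-forensics).

Added example; not from the article or Mandiant. Assumptions:
  * crash lines look like "<ISO timestamp> <host> kernel: vmdird[<pid>]: segfault ..."
    (constructed format; a real vCenter log may differ)
  * core dumps are files named core.vmdird-<pid> in CORE_DIR (assumed path)
"""
import os
import re
from datetime import datetime, timedelta

LOG_PATH = "/var/log/vmware/vmdird/vmdird-syslog.log"   # assumed path
CORE_DIR = "/var/core"                                   # assumed path

# Matches an ISO timestamp, then "vmdird[<pid>]", then a crash keyword (assumed format).
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* .*?vmdird\[(?P<pid>\d+)\].*?"
    r"(?:segfault|core dumped|crash)",
    re.IGNORECASE,
)
CORE_RE = re.compile(r"^core\.vmdird-(?P<pid>\d+)$")


def parse_crash_events(lines):
    """Return [(timestamp, pid), ...] for every line that records a vmdird crash."""
    events = []
    for line in lines:
        m = CRASH_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["pid"])))
    return events


def index_core_dumps(core_entries):
    """core_entries: iterable of (filename, mtime datetime). Returns {pid: mtime}."""
    cores = {}
    for name, mtime in core_entries:
        m = CORE_RE.match(name)
        if m:
            cores[int(m["pid"])] = mtime
    return cores


def find_missing_core_dumps(crash_events, core_entries, window=timedelta(minutes=10)):
    """Crashes with no core dump for that pid written within `window` of the crash."""
    cores = index_core_dumps(core_entries)
    missing = []
    for ts, pid in crash_events:
        mtime = cores.get(pid)
        if mtime is None or abs(mtime - ts) > window:
            missing.append((ts, pid))
    return missing


def scan_live_system(log_path=LOG_PATH, core_dir=CORE_DIR):
    """Run the check against the real files (paths are assumptions, see above)."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        events = parse_crash_events(fh)
    entries = []
    for name in os.listdir(core_dir):
        st = os.stat(os.path.join(core_dir, name))
        entries.append((name, datetime.fromtimestamp(st.st_mtime)))
    return find_missing_core_dumps(events, entries)


# Constructed sample data: two crashes, one of which has had its core dump removed.
SAMPLE_LOG = [
    "2022-01-14T03:12:07 vcsa kernel: vmdird[4521]: segfault at 0 ip 00007f3a (constructed)",
    "2022-01-14T03:13:02 vcsa vmdird[4590]: vmdird started",
    "2022-02-02T22:41:19 vcsa kernel: vmdird[5102]: segfault at 8 ip 00007f3a (constructed)",
]
SAMPLE_CORES = [
    ("core.vmdird-4521", datetime(2022, 1, 14, 3, 12, 9)),   # matches first crash
    ("core.vmdird-1200", datetime(2021, 11, 3, 9, 0, 0)),    # unrelated, older dump
]


def demo():
    """Return the crashes in the constructed sample that lack a core dump."""
    return find_missing_core_dumps(parse_crash_events(SAMPLE_LOG), SAMPLE_CORES)


if __name__ == "__main__":
    for ts, pid in demo():
        print(f"vmdird crash at {ts.isoformat()} (pid {pid}) has no core dump: investigate")
```

A hit from this check does not prove tampering on its own; a log rotation gap, a changed core path, or an operator cleaning up disk space can produce the same mismatch. It is the combination of a crash immediately preceding new VIB installations or unexpected ESXi host changes that matches the pattern described above.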
UNC3886 is known for targeting organizations in the defense, government, telecom, and technology sectors in the US and the APJ region.
The Chinese cyberspies favor zero-day flaws in firewall and virtualization platforms, which lack the Endpoint Detection and Response (EDR) capabilities that would make their attacks easier to detect and block.
Mandiant revealed in March that the group used a Fortinet zero-day (CVE-2022-41328) in the same campaign to install the previously unknown Castletap and Thincrust backdoors on compromised FortiGate firewalls.
At the time, Fortinet stated that the attack was “highly targeted, with some hints of preferred governmental or government-related targets.”
“A thorough understanding of FortiOS and the underlying hardware is necessary for the exploit. Custom implants demonstrate the actor’s cutting-edge abilities, which include reverse-engineering various FortiOS components.”