Since late 2021, an advanced China-nexus cyber espionage group has been linked to the exploitation of a critical vulnerability in VMware vCenter Server. The group was previously associated with the exploitation of security flaws in Fortinet and VMware appliances.
This latest case further demonstrates the capabilities of UNC3886, a group that, according to a Friday report from Google-owned Mandiant, “has the track record of using zero-day vulnerabilities to complete their mission without being detected.”
The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that a malicious actor with network access to vCenter Server could exploit. Broadcom-owned VMware fixed it on October 24, 2023.
Earlier this week, the virtualization vendor updated its advisory to note that “exploitation of CVE-2023-34048 has occurred in the wild.”
UNC3886 first came to public attention in September 2022, when it was discovered to have used previously unknown VMware security flaws to backdoor Windows and Linux systems and deploy malware families such as VIRTUALPITA.
Mandiant’s latest findings reveal that the nation-state actor used CVE-2023-34048 as its zero-day weapon against VMware, gaining access to the vCenter system and enumerating all ESXi hosts connected to it along with their respective guest virtual machines.
The next stage of the attack involves obtaining the hosts’ cleartext “vpxuser” credentials and connecting to them so that the attacker can install the VIRTUALPITA and VIRTUALPIE malware.
As Mandiant revealed in June 2023, this ultimately opens the door to exploiting a different VMware flaw (CVE-2023-20867, CVSS score: 3.9) to run arbitrary commands and transfer files to and from guest VMs from compromised ESXi hosts.
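As an added, defender-side illustration of the vpxuser step described above (this is not code from the article or from Mandiant): vpxuser is the service account that vCenter Server uses to manage an ESXi host, so a successful SSH login as vpxuser from any source other than the managing vCenter is worth an alert. The script below scans constructed auth-log lines written in sshd's standard "Accepted" wording and flags vpxuser logins from untrusted addresses; the trusted vCenter address, hostnames, timestamps and source addresses are all placeholders.

```python
import re

# Constructed for this example: the address of the vCenter Server that
# legitimately manages the host. In practice, take it from the host's
# configuration or from the asset inventory.
TRUSTED_VCENTER_IPS = {"10.0.0.5"}

# Matches sshd's standard "Accepted" message: timestamp, hostname, pid,
# authentication method, user name, source address and port.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)\s+port\s+(?P<port>\d+)"
)


def parse_accepted(line):
    """Return a dict for a successful-login line, or None for anything else."""
    m = ACCEPTED_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def find_suspicious_vpxuser_logins(lines, trusted=TRUSTED_VCENTER_IPS):
    """Return successful vpxuser logins whose source is not a trusted vCenter."""
    findings = []
    for line in lines:
        event = parse_accepted(line)
        if event is None or event["user"] != "vpxuser":
            continue
        if event["src"] not in trusted:
            findings.append(event)
    return findings


def summarize(findings):
    """Count suspicious vpxuser logins per source address."""
    counts = {}
    for event in findings:
        counts[event["src"]] = counts.get(event["src"], 0) + 1
    return counts


# Constructed sample log lines (placeholder hostnames, addresses and times).
SAMPLE_AUTH_LOG = [
    "2023-10-20T08:15:02Z esxi01 sshd[2001]: Accepted keyboard-interactive/pam for root from 10.0.0.20 port 51020 ssh2",
    "2023-10-20T08:16:40Z esxi01 sshd[2003]: Accepted keyboard-interactive/pam for vpxuser from 10.0.0.5 port 51044 ssh2",
    "2023-10-20T09:02:11Z esxi01 sshd[2010]: Accepted keyboard-interactive/pam for vpxuser from 192.0.2.77 port 40122 ssh2",
    "2023-10-20T09:02:15Z esxi01 sshd[2012]: Failed password for vpxuser from 192.0.2.78 port 40130 ssh2",
    "2023-10-20T09:05:33Z esxi01 sshd[2014]: Accepted keyboard-interactive/pam for vpxuser from 192.0.2.77 port 40140 ssh2",
]

if __name__ == "__main__":
    hits = find_suspicious_vpxuser_logins(SAMPLE_AUTH_LOG)
    for h in hits:
        print(f"{h['ts']} vpxuser login on {h['host']} from {h['src']} (not a trusted vCenter)")
    print("per-source counts:", summarize(hits))
```

On the constructed input the script reports two vpxuser logins from 192.0.2.77 and ignores both the legitimate login from the trusted vCenter address and the failed attempt. The same check can be run against forwarded ESXi syslog in a SIEM, which matters on hosts where, as noted below, no EDR agent is available.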
Users of VMware vCenter Server are advised to upgrade to the latest version to reduce their exposure.
In recent years, UNC3886 has also exploited CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet’s FortiOS software, to deploy the THINCRUST and CASTLETAP implants for executing arbitrary commands and exfiltrating sensitive data.
These attacks specifically target firewall and virtualization technologies because such appliances lack support for endpoint detection and response (EDR) solutions, which lets the attackers persist in target environments for extended periods of time.