
Chinese Hackers Exploit VMware ESXi Zero-Day Reported


UNC3886, a Chinese cyberespionage group, has recently been observed exploiting a zero-day vulnerability in VMware ESXi to gain elevated privileges on guest virtual machines. The group has been deploying malicious vSphere Installation Bundles (VIBs), a packaging format normally used for system maintenance and updates, to install backdoors on ESXi hypervisors that give the attackers command execution, file manipulation, and reverse shell capabilities. This activity was first detected in September 2022.
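One first-pass check a defender can run against the VIB inventory mentioned above is to flag packages installed below the host's expected acceptance level. The following is example code written for this page, not from the article or from VMware; the inventory it parses is constructed in the shape of `esxcli software vib list` output, and the VIB names, vendors and dates in it are made up.

```python
"""Audit an ESXi VIB inventory for packages installed below the expected
acceptance level. Example code for this page; the sample inventory below is
constructed, not captured from a real host."""
import re

# Acceptance levels ESXi defines, ranked from least to most trusted.
ACCEPTANCE_RANK = {
    "CommunitySupported": 0,
    "PartnerSupported": 1,
    "VMwareAccepted": 2,
    "VMwareCertified": 3,
}

# Constructed sample in the shape of `esxcli software vib list` output.
SAMPLE_VIB_LIST = """\
Name                Version                        Vendor     Acceptance Level    Install Date
------------------  -----------------------------  ---------  ------------------  ------------
esx-base            7.0.3-0.35.19193900            VMware     VMwareCertified     2022-09-10
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.0.18644231   VMware     VMwareCertified     2022-09-10
nvme-pcie-vendor    1.2.3.4-1OEM.700.1.0.15843807  ExampleHW  PartnerSupported    2022-09-11
net-helper-agent    1.0-1                          unknown    CommunitySupported  2022-09-30
"""


def parse_vib_list(text):
    """Return one dict per VIB. esxcli separates columns with two or more
    spaces and values contain no space runs, so splitting on 2+ spaces is safe."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for ln in lines[1:]:
        if set(ln.strip()) <= {"-", " "}:
            continue  # dashed separator line under the header
        rows.append(dict(zip(columns, re.split(r"\s{2,}", ln.strip()))))
    return rows


def suspicious_vibs(vibs, minimum="PartnerSupported"):
    """Flag VIBs below `minimum` or with a level ESXi does not define."""
    floor = ACCEPTANCE_RANK[minimum]
    findings = []
    for vib in vibs:
        level = vib.get("Acceptance Level", "")
        rank = ACCEPTANCE_RANK.get(level)
        if rank is None:
            findings.append((vib["Name"], f"unknown acceptance level {level!r}"))
        elif rank < floor:
            findings.append((vib["Name"], f"{level} is below {minimum}"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"REVIEW {name}: {reason}")
```

The listed level is read from each VIB's own descriptor, so a package that was force-installed can claim any level its author wrote there; treat this as a triage filter and confirm with `esxcli software vib signature verify` on hosts that support it.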

The malicious activities of UNC3886 primarily target Windows virtual machines, vCenter servers, and VMware ESXi hosts. They have also exploited a zero-day vulnerability in VMware Tools to bypass authentication and execute privileged commands on guest virtual machines running Windows, Linux, and PhotonOS (vCenter).

The specific vulnerability, identified as CVE-2023-20867, has been categorized as having a “low severity” rating because it can only be exploited by an attacker who already has root access to the ESXi server. However, an attacker who has fully compromised an ESXi host can cause VMware Tools to fail to authenticate host-to-guest operations, compromising the confidentiality and integrity of the guest virtual machine. VMware has published a security advisory acknowledging this vulnerability.

According to Mandiant, UNC3886 has employed scripts to enumerate all ESXi hosts and their guest virtual machines, modify lists of allowed IPs across all connected ESXi hosts, and extract credentials from compromised vCenter servers using the associated vPostgreSQL database. Additionally, the exploitation of CVE-2023-20867 does not generate authentication log events on the guest virtual machine when commands are executed from the ESXi host.

Further investigation by cybersecurity researchers has revealed that UNC3886 installs two backdoors, named VirtualPita and VirtualGate, that use VMCI sockets for persistence and lateral movement. Because they communicate over VMCI rather than the network, these backdoors bypass network segmentation and evade security inspection of open listening ports, and they also give the attackers an additional layer of persistence: access to the infected ESXi host can be regained from a virtual machine running on it.

The attacks carried out by UNC3886 appear to be highly targeted, potentially focusing on governmental or government-related targets. Fortinet, a cybersecurity company, stated that the nature of the attack requires a deep understanding of FortiOS and the underlying hardware, indicating advanced capabilities possessed by the group, including reverse-engineering various parts of FortiOS.

Mandiant has highlighted UNC3886’s usage of a wide range of new malware families and specialized tools designed specifically for the targeted platforms, indicating significant research capabilities and an extraordinary comprehension of the sophisticated technology employed by the targeted appliances. The group is known for exploiting zero-day vulnerabilities in firewall and virtualization solutions, particularly in attacks against organizations involved in defense, technology, and telecommunications in the United States and the Asia-Pacific region.

As cybersecurity threats continue to evolve, it is crucial for organizations to remain vigilant and ensure their systems are adequately protected against potential vulnerabilities and attacks. Continuous monitoring, prompt patching, and the adoption of robust cybersecurity measures can help mitigate the risks posed by cyberespionage groups like UNC3886.
