
Chinese hackers quietly exploited VMware zero-day flaw for 2 years

A China-nexus espionage group has been exploiting a zero-day vulnerability in VMware vCenter Server since late 2021. The flaw, CVE-2023-34048, is an out-of-bounds write in vCenter's implementation of the DCERPC protocol; it carries a CVSS score of 9.8 and allows unauthenticated remote code execution. VMware released a patch on October 24, 2023, roughly two years after the earliest in-the-wild exploitation Mandiant has observed.

According to a report by Mandiant, the actors behind these cyber espionage activities are tracked as UNC3886, a group with a history of using zero-day vulnerabilities to operate without being detected. In this case, the group used CVE-2023-34048 to gain privileged access to vCenter Server, from which it could enumerate every ESXi host and the guest virtual machines each host runs.

The attack then retrieves the credentials vCenter holds for the connected ESXi hosts and installs the VIRTUALPITA and VIRTUALPIE backdoors, which give the actors direct connectivity to the compromised hosts. From there, they exploit a second VMware flaw, CVE-2023-20867 (an authentication bypass in VMware Tools), to execute arbitrary commands in guest VMs and transfer files to and from them from the compromised ESXi host, without needing guest credentials.

UNC3886 first came to light in September 2022, when it was found to be using previously unknown VMware flaws to backdoor Windows and Linux guest systems. The malware families it deploys on ESXi hosts, including VIRTUALPITA and VIRTUALPIE, have drawn attention because they run at the hypervisor layer, where defenders typically have little visibility.

In addition to targeting VMware vulnerabilities, UNC3886 has also exploited a path traversal flaw in Fortinet FortiOS software (CVE-2022-41328) to deploy THINCRUST and CASTLETAP implants, enabling them to execute arbitrary commands and exfiltrate sensitive data.

It is worth noting that the group deliberately targets firewall and virtualization appliances because these platforms generally cannot run endpoint detection and response (EDR) agents, which allows it to persist within target environments for extended periods without triggering host-based alerts.

In response to these findings, vCenter Server administrators should update to a release that includes the October 2023 fix (tracked in VMware's advisory VMSA-2023-0023). Because exploitation predates the patch by about two years, patching alone does not rule out an existing compromise: ESXi hosts connected to a previously unpatched vCenter should also be reviewed for the backdoors described above, and guest VMs should be running a VMware Tools version that fixes CVE-2023-20867.
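As a practical starting point, the following script checks whether both links of the chain described above are still open in an environment: whether a vCenter Server build predates the CVE-2023-34048 fix, and which guest VMs run a VMware Tools version older than the CVE-2023-20867 fix. This is an added example, not code from the article, Mandiant or VMware. The fixed build numbers are recalled from VMware's advisories VMSA-2023-0023 and VMSA-2023-0013 and should be confirmed against those advisories before the check is relied on; the vCenter version response and VM inventory are constructed sample data.

```python
"""Patch-gap check for the two VMware CVEs in the UNC3886 chain.

Added example. Fixed-build numbers are recalled from VMSA-2023-0023
(vCenter Server, CVE-2023-34048) and VMSA-2023-0013 (VMware Tools,
CVE-2023-20867); confirm them against the advisories before use.
"""
import json
import re

# Minimum vCenter Server build containing the CVE-2023-34048 fix, per release
# line. Builds increase over time within a line, so ">=" is sufficient.
VCENTER_FIXED_BUILD = {
    "7.0": 22357613,  # 7.0 U3o
    "8.0": 22368047,  # 8.0 U1d; 8.0 U2 (build 22385739) is also fixed
}

# First VMware Tools release that fixes CVE-2023-20867.
TOOLS_FIXED_VERSION = (12, 2, 5)


def parse_version(text: str) -> tuple:
    """'12.2.0 build-21223074' -> (12, 2, 0); pads to three components."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def vcenter_is_patched(version_json: str):
    """Evaluate the JSON body of GET /api/appliance/system/version.

    Returns True or False, or None when the release line is not in the
    table (e.g. 6.x), so an unknown line is never silently reported as safe.
    """
    info = json.loads(version_json)
    line = ".".join(info["version"].split(".")[:2])
    fixed = VCENTER_FIXED_BUILD.get(line)
    if fixed is None:
        return None
    return int(info["build"]) >= fixed


def tools_is_patched(tools_version: str) -> bool:
    """True if the guest's VMware Tools includes the CVE-2023-20867 fix."""
    return parse_version(tools_version) >= TOOLS_FIXED_VERSION


def exposure_report(vcenter_json: str, vm_tools: dict) -> dict:
    """Summarise which links of the chain are still open.

    vm_tools maps VM name -> VMware Tools version string, as exported from
    an inventory tool.
    """
    unpatched_vms = sorted(vm for vm, ver in vm_tools.items()
                           if not tools_is_patched(ver))
    return {
        "vcenter_patched": vcenter_is_patched(vcenter_json),
        "unpatched_tools_vms": unpatched_vms,
    }


# Constructed sample data (not real hosts): a pre-fix 8.0 vCenter build and
# three guests with mixed Tools versions.
SAMPLE_VCENTER = json.dumps({"version": "8.0.1.00300", "build": "22088981"})
SAMPLE_VMS = {"db01": "12.1.5", "web01": "12.3.0", "jump01": "11.3.5"}

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_VCENTER, SAMPLE_VMS), indent=2))
```

Returning None for an untracked release line, rather than False, is deliberate: the check should force a human to look up the advisory instead of quietly treating an unknown build as either safe or vulnerable. A vCenter that reports as patched today still needs the host-level review described above if it ran an unpatched build at any point since late 2021.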

The broader lesson is that infrastructure which cannot host EDR agents, such as hypervisors and firewalls, needs compensating controls: timely application of vendor advisories, logging exported off the appliance, and periodic review for signs of tampering, since a two-year exploitation window shows how long an intrusion on such systems can go unnoticed.
