Chinese threat group exploits VMware vulnerability in 2021

A recent report from Mandiant revealed that a critical VMware vulnerability, patched in October, had been exploited two years earlier by a threat actor based in China. VMware's advisory, first published on October 25, covers two flaws affecting vCenter Server: an out-of-bounds write vulnerability and a partial information disclosure flaw. The former, which received a CVSS score of 9.8, could allow an attacker to gain remote code execution on vulnerable machines. Grigory Dorodnov, a vulnerability researcher at Trend Micro's Zero Day Initiative, was credited with reporting both issues to VMware.

Just recently, VMware updated its advisory with new information, warning customers that the out-of-bounds write vulnerability had been exploited in the wild. This exploitation was attributed to a China-nexus espionage group known as UNC3886 by Mandiant, who also discovered that the exploitation dates back to late 2021. UNC3886 is notorious for using zero-day vulnerabilities as part of its evasion techniques and for targeting technologies that typically do not have endpoint detection and response deployed.

One such zero-day flaw was CVE-2023-20867, an authentication bypass vulnerability in VMware Tools that affects the company’s ESXi hypervisor. Mandiant discovered this flaw during an investigation into a new malware family that targeted VMware products. During further investigation into the threat actor’s evasion techniques, researchers found evidence of exploitation of CVE-2023-34048 in the service crash logs of affected vCenter systems. The attacker had access to this vulnerability for roughly a year and a half, between late 2021 and early 2022, before it was publicly reported and patched in October 2023.

Mandiant noted that most of the environments with these types of crashes had intact log entries, but the VMware crash dumps themselves had been removed. This suggests that the attacker intentionally removed the core dumps in an attempt to cover their tracks. It remains unclear whether the exploitation activity is ongoing or if VMware’s advisory update referred to past exploitation by UNC3886. TechTarget Editorial contacted VMware for comment, but the company has not responded at press time.

These revelations shed light on the sophistication and capabilities of threat actors like UNC3886, as they continue to use advanced techniques and vulnerabilities to infiltrate and compromise systems. This also highlights the importance of timely disclosure and patching of vulnerabilities by vendors, as well as the need for robust security measures to detect and respond to such attacks.

Arielle Waldman, a Boston-based reporter covering enterprise security news, contributed to this article.
