Chinese Hackers Utilized VMware Vulnerability as Zero-Day for Two Years
January 19, 2024
A China-nexus espionage group tracked as UNC3886 exploited a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day for roughly two years. Mandiant, which attributes the activity, reports that VMware patched the flaw in October 2023 but that exploitation dates back to late 2021.
The attackers used the vulnerability to gain access to their targets' vCenter servers, then used credentials harvested from vCenter (the vpxuser accounts it stores for each attached ESXi host) to connect to those hosts and deploy the VirtualPita and VirtualPie backdoors via malicious vSphere Installation Bundles (VIBs). From the hypervisor they then exploited CVE-2023-20867, an authentication bypass in VMware Tools, to run commands inside guest VMs, read files, and exfiltrate them without any credentials for the guests themselves.
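The VIB step above is the point where a defender has a cheap host-level check: every VIB on an ESXi host is listed with its vendor and acceptance level, and a backdoor installed with `esxcli software vib install --force` has to carry an acceptance level below VMwareCertified or forge one. The script below is an added example, not code from the article or from Mandiant; it parses the output format of `esxcli software vib list` (assumed here to be the usual whitespace-aligned table of Name, Version, Vendor, Acceptance Level, Install Date) and flags rows whose acceptance level or vendor/level combination is out of place. The sample table, the VIB names in it, and the heuristics are constructed for illustration.

```shell
#!/bin/sh
# Heuristic triage of `esxcli software vib list` output for VIBs that do not
# belong on a stock ESXi host. Written for the busybox shell/awk on ESXi.

# Constructed sample output (hypothetical VIB names; not real telemetry).
SAMPLE_VIB_LIST='Name                 Version                          Vendor   Acceptance Level    Install Date
-------------------  -------------------------------  -------  ------------------  ------------
ata-pata-amd         0.3.10-3vmw.650.0.0.4564106      VMW      VMwareCertified     2021-12-03
esx-base             6.5.0-3.96.13932383              VMware   VMwareCertified     2021-12-03
net-mlx4-core        1.9.9.0-1vmw.650.0.0.4564106     VMW      VMwareCertified     2021-12-03
lsu-custom-mgmt      1.0.0-1                          Unknown  CommunitySupported  2022-01-12
esx-tooling-updater  1.0.0-1                          VMware   PartnerSupported    2022-01-12
'

# Reads the table on stdin, skips the header and separator lines, and prints
# one tab-separated line per flagged VIB: name, vendor, level, reason.
flag_suspicious_vibs() {
    awk 'NR > 2 && NF >= 4 {
        name = $1; vendor = $3; level = $4; reason = ""
        # Community-supported VIBs are unsigned; a production host should have none.
        if (level == "CommunitySupported")
            reason = "unsigned community-supported VIB"
        # Anything outside the three signed levels is not a value ESXi assigns itself.
        else if (level != "VMwareCertified" && level != "VMwareAccepted" &&
                 level != "PartnerSupported")
            reason = "unrecognised acceptance level " level
        # VMware-vendored components ship VMwareCertified/Accepted; a
        # partner-level VIB claiming a VMware vendor is a forged descriptor candidate.
        else if ((vendor == "VMware" || vendor == "VMW") && level == "PartnerSupported")
            reason = "VMware vendor with partner acceptance level"
        if (reason != "")
            printf "%s\t%s\t%s\t%s\n", name, vendor, level, reason
    }'
}

# Returns the number of flagged VIBs for the table on stdin (0 means clean).
count_suspicious_vibs() {
    flag_suspicious_vibs | awk 'END { print NR + 0 }'
}

# Stand-alone demonstration against the constructed sample.
# On a live host replace the printf with: esxcli software vib list
printf '%s' "$SAMPLE_VIB_LIST" | flag_suspicious_vibs
```

The acceptance level and vendor come from the VIB's own descriptor, which the attacker authored, so this listing catches sloppy installs rather than careful ones; where the host supports `esxcli software vib signature verify`, run it as well, since a forged descriptor does not survive signature verification. Treat any hit as a pivot point for checking the vCenter that manages the host, because in this campaign the VIBs were the second stage, not the entry point.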
The link between the group and CVE-2023-34048 was made in late 2023, when Mandiant noticed that the vmdird service on a victim's vCenter Server had crashed minutes before the backdoors were deployed. That crash is the signature of exploiting CVE-2023-34048, an out-of-bounds write in vCenter's DCE/RPC implementation, and the same pattern turned up in older intrusions once investigators went back and looked. Mandiant stated on Friday, "While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability."
UNC3886 is known to target organizations in the defense, government, telecom, and technology sectors in the United States and the APJ (Asia-Pacific and Japan) region. The group favours zero-days in edge and virtualization appliances such as firewalls, hypervisors, and vCenter, platforms that cannot run Endpoint Detection and Response (EDR) agents, so implants placed there survive with little chance of being noticed.
In a previous campaign, Mandiant revealed that the group also exploited a Fortinet zero-day (CVE-2022-41328) to compromise FortiGate firewall devices and install previously unknown Castletap and Thincrust backdoors. Fortinet commented at the time, "The attack is highly targeted, with some hints of preferred governmental or government-related targets. The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."