VMware has patched a zero-day vulnerability (CVE-2023-20867) in its ESXi hypervisor after it was exploited by the Chinese state-sponsored hacking group UNC3886 to backdoor Windows and Linux virtual machines and steal data. The cyber-espionage group, tracked as UNC3886 by cybersecurity firm Mandiant, abused the authentication bypass from ESXi hosts it had already compromised and on which it held root privileges, deploying its VirtualPita and VirtualPie backdoors on guest VMs without having to present guest credentials. "A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine," VMware stated in its security advisory. The flaw is therefore a post-compromise tool: it does not break into the hypervisor, but it turns an already-owned host into a channel for running privileged commands inside every guest it runs.
The attackers installed the backdoor malware using maliciously crafted vSphere Installation Bundles (VIBs), the package format administrators use to build and maintain ESXi images. ESXi normally refuses to install a VIB that does not meet the host's configured acceptance level, so unsigned packages, packages whose acceptance level does not match their claimed vendor, or a host whose acceptance level has been lowered are all worth hunting for. During the investigation, Mandiant also discovered a third malware strain (VirtualGate) that acted as a memory-only dropper, deobfuscating second-stage DLL payloads on the hijacked VMs. Mandiant explained, "This open communication channel between guest and host, where either role can act as client or server, has enabled a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor is deployed and the attacker gains initial access to any guest machine." The firm also noted that this further demonstrates UNC3886's deep understanding and technical knowledge of ESXi, vCenter, and VMware's virtualization platform.
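The VIB hunting step described above, as an added example that is not code from the article, from Mandiant, or from VMware: the script below parses the table printed by `esxcli software vib list` and flags packages that are CommunitySupported (unsigned), that carry an acceptance level ESXi does not define, that claim VMware as vendor without a VMware signature level, or that are absent from a known-good image baseline; it also checks the single line printed by `esxcli software acceptance get`. The column layout and the four acceptance-level names are those of esxcli; the sample rows, the VIB names in them, the baseline set and the vendor-mismatch heuristic are this example's own constructed assumptions, not data from any real host or from the campaign.

```python
"""Hunt for unsigned or mislabeled VIBs in `esxcli software vib list` output.

Added example; not tooling from the article, Mandiant or VMware.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Acceptance levels ESXi recognises, strongest first. CommunitySupported
# VIBs carry no signature ESXi can validate; anything else is a typo or a
# tampered descriptor.
ACCEPTANCE_RANK = {
    "VMwareCertified": 0,
    "VMwareAccepted": 1,
    "PartnerSupported": 2,
    "CommunitySupported": 3,
}
VMWARE_SIGNED = {"VMwareCertified", "VMwareAccepted"}


@dataclass
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


# Constructed sample (not real host data) in the column layout that
# `esxcli software vib list` prints: Name, Version, Vendor, Acceptance Level,
# Install Date. The last two rows are the kind of entries a hunt should flag.
SAMPLE_VIB_LIST = """\
Name           Version                        Vendor   Acceptance Level    Install Date
-------------  -----------------------------  -------  ------------------  ------------
esx-base       7.0.3-0.65.21424296            VMware   VMwareCertified     2023-02-10
lpfc           12.8.298.3-2vmw.703.0.20.1919  VMware   VMwareCertified     2023-02-10
net-bnxtnet    216.0.50.0-1OEM.700.1.0.15843  BCM      VMwareCertified     2023-02-10
vmsyslog       1.0-1                          VMware   PartnerSupported    2023-05-18
unsignedtool   1.0.0-1                        Acme     CommunitySupported  2023-05-18
"""


def parse_vib_list(text: str) -> list:
    """Parse the `esxcli software vib list` table into Vib records.

    Columns are separated by two or more spaces; values never contain a
    double space, so splitting on that is safe even for vendors with a
    space in their name.
    """
    vibs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name") or set(line) <= {"-", " "}:
            continue  # blank line, header row, or dashed separator row
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 5:
            raise ValueError(f"unexpected row layout: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def suspicious_vibs(vibs: Iterable[Vib], baseline: Optional[set] = None) -> list:
    """Return (name, [reasons]) for every VIB that deserves a closer look."""
    findings = []
    for v in vibs:
        reasons = []
        rank = ACCEPTANCE_RANK.get(v.acceptance)
        if rank is None:
            reasons.append(f"unknown acceptance level {v.acceptance!r}")
        elif rank >= ACCEPTANCE_RANK["CommunitySupported"]:
            reasons.append("CommunitySupported VIB has no verifiable signature")
        # Heuristic (assumption of this example): genuine VMware-authored VIBs
        # ship as VMwareCertified or VMwareAccepted, so a VMware vendor string
        # with a lower level suggests an edited descriptor.
        if v.vendor == "VMware" and v.acceptance not in VMWARE_SIGNED:
            reasons.append("claims VMware as vendor but is not VMware-signed")
        if baseline is not None and v.name not in baseline:
            reasons.append("not present in the known-good image baseline")
        if reasons:
            findings.append((v.name, reasons))
    return findings


def host_acceptance_is_weak(acceptance_get_output: str) -> bool:
    """`esxcli software acceptance get` prints one line with the host level."""
    level = acceptance_get_output.strip()
    return ACCEPTANCE_RANK.get(level, 99) >= ACCEPTANCE_RANK["CommunitySupported"]


if __name__ == "__main__":
    # Constructed baseline: the VIB names expected from the deployed image.
    baseline = {"esx-base", "lpfc", "net-bnxtnet"}
    for name, reasons in suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST), baseline):
        print(f"{name}: " + "; ".join(reasons))
    if host_acceptance_is_weak("PartnerSupported\n"):
        print("host acceptance level allows unsigned VIBs")
```

Feed it the saved output of `esxcli software vib list` and `esxcli software acceptance get` from each host. Note that `esxcli software vib install --force` bypasses the acceptance-level check, so a host still set to PartnerSupported can carry an unsigned package; the per-VIB check matters more than the host-level setting, and the baseline comparison catches a package whose descriptor was edited to look legitimate.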
In March, Mandiant revealed that UNC3886 had exploited another zero-day vulnerability (CVE-2022-41328, in FortiOS) in the same mid-2022 campaign to compromise FortiGate firewall devices and deploy the previously unknown Castletap and Thincrust backdoors. The hackers used the access gained on the Fortinet devices, and persistence established on FortiManager and FortiAnalyzer appliances, to move laterally through the victims' networks. They then backdoored ESXi and vCenter machines with the VirtualPita and VirtualPie malware so that their activity would remain undetected. Fortinet commented on the attack, stating, "The attack is highly targeted, with some hints of preferred governmental or government-related targets. The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."
The cyber-espionage group is known for focusing its attacks on organizations in the defense, government, telecom, and technology sectors in the U.S. and the Asia-Pacific and Japan (APJ) region. It favors zero-day vulnerabilities in firewall and virtualization appliances, platforms that generally cannot run Endpoint Detection and Response (EDR) agents, so implants on them escape the monitoring that covers ordinary endpoints. UNC3886's use of a wide range of new malware families and malicious tools tailored to the platforms it targets suggests significant research capabilities and an extraordinary ability to understand the complex technology used by those appliances, according to Mandiant. Mandiant CTO Charles Carmakal told BleepingComputer, "This is a continuation of Chinese espionage that has been going on for years. This tradecraft is very clever and hard to detect. We are sure there are other victims that are dealing with this that don't yet know. They've successfully compromised defense, technology, and telecommunications organizations with mature security programs in place."