Chinese Hackers Utilized VMware Vulnerability as Zero-Day for Two Years

January 19, 2024

A China-nexus espionage group tracked as UNC3886 exploited a critical vCenter Server vulnerability, CVE-2023-34048, as a zero-day for roughly two years. The flaw is an out-of-bounds write in vCenter's DCERPC protocol implementation that allows unauthenticated remote code execution. Mandiant, which published the finding, notes that VMware patched it in October 2023 but that the group had been exploiting it since late 2021.

The group used the vulnerability to take control of targets' vCenter servers, then used credentials for the managed ESXi hosts harvested from vCenter to deploy the VirtualPita and VirtualPie backdoors on those hosts via malicious vSphere Installation Bundles (VIBs). From the compromised hypervisors they then abused CVE-2023-20867, an authentication bypass in VMware Tools that lets an attacker with root on an ESXi host run commands and transfer files inside guest VMs without any guest credentials, to access and exfiltrate files from the guests.

The link between the group and CVE-2023-34048 was made in late 2023: in multiple UNC3886 intrusions, the vCenter Directory Service (vmdird) had crashed shortly before the backdoors were deployed, and that crash pattern matches exploitation of CVE-2023-34048. Mandiant stated on Friday, "While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability."
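The two hunting leads the attack chain gives a defender are malicious VIBs on ESXi hosts and vmdird crashes on the vCenter appliance. The script below is an added example, not code from Mandiant or VMware: it parses output in the shape of `esxcli software vib list` (a constructed sample, including a hypothetical VIB named vmsyslog-ext) and flags bundles that are absent from a golden-image baseline, claim a VMware vendor while carrying a weaker acceptance level, or were installed on a different date from the rest of the host image; it then checks a constructed file listing and log excerpt from a vCenter appliance for vmdird core dumps and crash records. The baseline set, the core-dump path pattern and the systemd-style log line are assumptions made for the example.

```python
"""Triage helpers for the attack chain described above: flag suspicious VIBs on an
ESXi host and look for vmdird crash evidence on a vCenter appliance.
All sample data below is constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of `esxcli software vib list` output on an
# ESXi host. The last entry is a hypothetical malicious VIB: it claims a VMware
# vendor but carries a weaker acceptance level and a later install date.
SAMPLE_VIB_LIST = """\
Name                    Version                    Vendor  Acceptance Level  Install Date
----------------------  -------------------------  ------  ----------------  ------------
esx-base                7.0.3-0.65.21424296        VMW     VMwareCertified   2023-05-02
vmtools                 12.1.5.20735119-20.0.0.1   VMware  VMwareCertified   2023-05-02
hpe-esxi-fc-enablement  700.3.7.0.18-1.0.44        HPE     PartnerSupported  2023-05-02
vmsyslog-ext            1.0.0-1                    VMware  PartnerSupported  2023-11-14
"""

# Hypothetical golden-image baseline: VIB names expected on every host of this build.
BASELINE_VIB_NAMES = {"esx-base", "vmtools", "hpe-esxi-fc-enablement"}

VMWARE_VENDORS = {"VMW", "VMware"}
VMWARE_LEVELS = {"VMwareCertified", "VMwareAccepted"}


@dataclass
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text):
    """Parse the whitespace-separated table; the first two rows are header and rule."""
    vibs = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) == 5:
            vibs.append(Vib(*parts))
    return vibs


def suspicious_vibs(vibs, baseline_names):
    """Return {vib_name: [reasons]} for VIBs that deserve a closer look."""
    common_date = Counter(v.install_date for v in vibs).most_common(1)[0][0]
    findings = {}
    for v in vibs:
        reasons = []
        if v.name not in baseline_names:
            reasons.append("not in golden-image baseline")
        if v.vendor in VMWARE_VENDORS and v.acceptance not in VMWARE_LEVELS:
            reasons.append(f"claims VMware vendor but acceptance level is {v.acceptance}")
        if v.install_date != common_date:
            reasons.append(f"installed {v.install_date}, host image dates from {common_date}")
        if reasons:
            findings[v.name] = reasons
    return findings


# vmdird crash evidence on the vCenter appliance. The core-dump path pattern and
# the systemd-style log line are assumptions about how a crash would appear,
# not indicators taken from a vendor advisory.
VMDIRD_CORE = re.compile(r"^/var/core/core\.vmdird\.\d+$")
VMDIRD_CRASH = re.compile(r"vmdird.*(code=dumped|SIGSEGV|SEGV|core dumped)")

SAMPLE_VCSA_FILES = [
    "/var/core/core.vmdird.12345",
    "/var/core/core.vpxd.888",
    "/var/log/vmware/vmdird/vmdird-syslog.log",
]

SAMPLE_LOG_LINES = [
    "2023-12-01T03:14:07Z vcsa systemd[1]: vmdird.service: Main process exited, code=dumped, status=11/SEGV",
    "2023-12-01T03:14:09Z vcsa systemd[1]: vmdird.service: Scheduled restart job, restart counter is at 1.",
    "2023-12-01T03:20:41Z vcsa sshd[4410]: Accepted publickey for root from 10.0.0.5 port 51022",
]


def vmdird_core_dumps(paths):
    """Core files left by a vmdird crash; a logged crash with no core file is itself worth noting."""
    return [p for p in paths if VMDIRD_CORE.match(p)]


def vmdird_crash_log_lines(lines):
    """Log lines recording a vmdird crash, with or without a surviving core dump."""
    return [line for line in lines if VMDIRD_CRASH.search(line)]


if __name__ == "__main__":
    for name, reasons in suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST), BASELINE_VIB_NAMES).items():
        print(f"[VIB] {name}: " + "; ".join(reasons))
    for p in vmdird_core_dumps(SAMPLE_VCSA_FILES):
        print(f"[vCenter] vmdird core dump present: {p}")
    for line in vmdird_crash_log_lines(SAMPLE_LOG_LINES):
        print(f"[vCenter] vmdird crash logged: {line}")
```

On a real host, feed the script the saved output of `esxcli software vib list` and pair it with `esxcli software vib signature verify` on recent ESXi builds, since a spoofed descriptor can set any acceptance level but cannot produce a valid VMware signature. A crash record in the vCenter log without a matching core file deserves the same attention as a surviving core file, because an attacker who triggered the crash has an incentive to delete the evidence.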

UNC3886 targets defense, government, telecommunications and technology organizations in the United States and the Asia-Pacific and Japan (APJ) region. It favors zero-days in firewall and virtualization appliances, platforms that typically cannot run Endpoint Detection and Response (EDR) agents, so its implants are far less likely to be noticed.

In a campaign Mandiant reported earlier, the group exploited a FortiOS path traversal zero-day (CVE-2022-41328) to compromise FortiGate firewalls and install the previously unknown Castletap and Thincrust backdoors. Fortinet commented at the time, "The attack is highly targeted, with some hints of preferred governmental or government-related targets. The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."
