The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a VMware vCenter Server bug, tracked as CVE-2023-34048, to its Known Exploited Vulnerabilities (KEV) catalog. vCenter Server is a vital element in VMware's virtualization and cloud computing software suite, serving as the centralized management platform for VMware's virtualized data centers. VMware addressed this flaw in October and recently updated its advisory on January 18, 2023, stating that it is aware of exploitation "in the wild."
The bug has been exploited by the China-linked APT group UNC3886 since late 2021. In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867. The group was first detailed by Mandiant in September 2022 when they discovered a new malware persistence technique within VMware ESXi Hypervisors. This method allowed malware authors to gain administrative access within VMware ESXi Hypervisors and seize control of vCenter servers and virtual machines for Windows and Linux.
The sophisticated and elusive nature of the attack suggests it was conducted for cyberespionage purposes by UNC3886. In the September 2022 attack investigated by Mandiant, the threat actors used malicious vSphere Installation Bundles (VIBs) to install two backdoors on the ESXi hypervisors, known as VIRTUALPITA and VIRTUALPIE. VIBs are file collections designed to manage virtual systems and can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.
Further investigation by Mandiant revealed additional techniques used by UNC3886 to target multiple organizations while evading EDR solutions. In late 2023, Mandiant noticed that the VMware vmdird service crashed minutes before the backdoors were deployed. The researchers also noticed that in most environments where these crashes were observed the log entries had been preserved, but the 'vmdird' core dumps had been removed. This suggests that the attacker deliberately deleted the core dumps in an attempt to cover their tracks.
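The observation above, a vmdird crash shortly before backdoor deployment with the matching core dump gone, is a detection opportunity for defenders. The following script is an added example, not code from the article or from Mandiant: it scans vmdird log lines for crash indicators and flags any crash for which no core dump file appears within a short time window. The log line format, the core dump file naming and the /var/core directory are assumptions chosen for the example, and the sample log lines and directory listing are constructed.

```python
"""Flag vmdird crashes whose core dump is missing.

Hypothetical detection logic written for this example; it is not
VMware's or Mandiant's tooling. Log format and dump paths are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like shape. The real vmdird
# log format is an assumption here, not taken from VMware documentation.
SAMPLE_LOG_LINES = [
    "2023-11-02T03:10:41Z vcsa vmdird[2231]: LDAP bind from 10.0.0.5",
    "2023-11-02T03:12:07Z vcsa vmdird[2231]: Segmentation fault (core dumped)",
    "2023-11-02T03:12:09Z vcsa vmon[812]: <vmdird> service restarted",
    "2023-11-03T11:45:00Z vcsa vmdird[2310]: Segmentation fault (core dumped)",
    "2023-11-03T11:45:02Z vcsa vmon[812]: <vmdird> service restarted",
]

# Constructed directory listing of /var/core (path and naming are
# assumptions) as (filename, mtime). Only the second crash left a dump.
SAMPLE_CORE_DUMPS = [
    ("core.vmdird.2310", datetime(2023, 11, 3, 11, 45, 1)),
]

# Matches a vmdird line carrying a crash indicator; captures timestamp and PID.
CRASH_RE = re.compile(
    r"^(\S+) \S+ vmdird\[(\d+)\]: .*\b(Segmentation fault|core dumped|Aborted)\b"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used by the constructed log lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_crash_events(lines):
    """Return one dict per vmdird crash line: time, pid and the raw line."""
    events = []
    for line in lines:
        match = CRASH_RE.match(line)
        if match:
            events.append({
                "time": parse_ts(match.group(1)),
                "pid": int(match.group(2)),
                "line": line,
            })
    return events


def has_core_dump(event, core_dumps, window=timedelta(minutes=2)):
    """True if a vmdird core dump was written within `window` of the crash."""
    for name, mtime in core_dumps:
        if name.startswith("core.vmdird.") and abs(mtime - event["time"]) <= window:
            return True
    return False


def flag_missing_core_dumps(lines, core_dumps):
    """Crashes that should have produced a dump but have none on disk.

    A crash entry in the log with no corresponding dump is the pattern
    described in the reporting and deserves a closer look at that host.
    """
    return [e for e in find_crash_events(lines) if not has_core_dump(e, core_dumps)]


if __name__ == "__main__":
    for event in flag_missing_core_dumps(SAMPLE_LOG_LINES, SAMPLE_CORE_DUMPS):
        print("SUSPICIOUS: vmdird crash without core dump ->", event["line"])
```

On a real appliance the same logic would read the vmdird log files and list the dump directory instead of the constructed inputs; the time window is the only tunable, and it should be kept short so that an unrelated dump from an earlier crash does not mask a deleted one.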
As per the VMware advisory, this vulnerability has been patched in vCenter 8.0U2, and Mandiant recommends that VMware users update to the latest version of vCenter because the flaw is being exploited in the wild. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix this vulnerability by February 12, 2024.