Chinese state-sponsored hackers tracked as UNC3886 have been abusing a zero-day vulnerability in VMware and Fortinet devices for years, researchers revealed.
A report from Mandiant claims that the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data.
The flaw in question is tracked as CVE-2023-34048. It carries a severity score of 9.8/10 (Critical) and is described as an out-of-bounds write flaw that allows remote code execution by attackers with network access to vCenter Server. The patch was released at the end of October 2023.
Regular VMware Customers
“UNC3886 has a history of utilizing zero-day vulnerabilities to complete its mission undetected, and this latest example further demonstrates its capabilities,” Mandiant explained in the report. With the help of CVE-2023-34048, UNC3886 could enumerate all ESXi hosts and guest virtual machines managed by a vulnerable vCenter Server and then extract the plaintext “vpxuser” credentials for those hosts. The next step was to install the VIRTUALPITA and VIRTUALPIE malware, which granted direct access to the compromised endpoints.
Thereafter, the attackers abused a separate flaw, CVE-2023-20867 (severity score 3.9), to execute arbitrary commands and extract sensitive information from the devices.
VMware urges vCenter Server users to apply the latest patch immediately.
We last heard from UNC3886 in September 2022, when researchers discovered the group was compromising VMware's ESXi hypervisors to gain access to virtual machines and spy on companies in the West. At that time, the group was observed installing two malicious programs on bare-metal hypervisors using vSphere installation packages, the same technique seen in this attack. Additionally, researchers discovered a unique dropper called VirtualGate.
Unlike this attack, in which a zero-day was abused, in the previous incident the group simply used administrator-level access to ESXi hypervisors to install its tools.
Via TheHackerNews