Chinese Hackers Covertly Exploited VMware Zero-Day Vulnerability for Two Years
Sophisticated Cyberespionage Group UNC3886 Exploits Critical VMware Vulnerability
A China-nexus cyber-espionage group tracked as UNC3886 has been exploiting a critical zero-day vulnerability in VMware vCenter Server since late 2021. The group has a long history of using zero-day vulnerabilities in network and virtualization appliances to conduct clandestine operations, and this case shows how long such access can go unnoticed: the flaw stayed unpatched for roughly two years after the first observed exploitation.
UNC3886’s Exploit of CVE-2023-34048
The vulnerability is CVE-2023-34048, an out-of-bounds write in vCenter Server's implementation of the DCERPC protocol, rated critical (CVSS 9.8), that allows an attacker with network access to vCenter Server to achieve remote code execution. VMware released a patch for it on October 24, 2023. However, Mandiant, a Google-owned cybersecurity firm, found evidence that UNC3886 had exploited the vulnerability in the wild as early as late 2021, roughly two years before the fix was available.
UNC3886’s Attack Methodology
Mandiant’s investigation found that UNC3886 used CVE-2023-34048 to gain privileged access to the vCenter Server appliance, which let the group enumerate every ESXi host managed by that vCenter and the guest virtual machines on each host. A practical indicator Mandiant reported: vmdird (the VMware Directory Service) crashed minutes before the backdoors were deployed, and the resulting core dumps had been removed. A vmdird crash on a vCenter appliance with no matching core file is therefore worth investigating.
Next, UNC3886 retrieved cleartext “vpxuser” credentials for the hosts. vpxuser is the service account vCenter creates on each ESXi host it manages, and vCenter stores its passwords in a reversibly encrypted form rather than as hashes, so an attacker who controls vCenter can recover them and log in to every managed host directly. With those credentials the group connected to the hosts and installed two malware families, VIRTUALPITA and VIRTUALPIE, which gave the attackers persistent, direct control over the compromised hypervisors.
Finally, UNC3886 exploited a second VMware vulnerability, CVE-2023-20867, an authentication bypass in VMware Tools, to execute arbitrary commands on guest VMs and transfer files to and from them from a compromised ESXi host, without needing any guest credentials. Mandiant disclosed that flaw in June 2023. It is only useful to an attacker who already controls the host, which is exactly the position the previous steps provide.
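A triage check for the ESXi-host step above, added here as an example (it is not Mandiant's tooling or VMware's code): Mandiant's earlier reporting described VIRTUALPITA and VIRTUALPIE being delivered as malicious VIBs (ESXi software packages), so one concrete thing to look for on a host is unexpected entries in the output of 'esxcli software vib list'. The script parses that tabular output and flags packages at the CommunitySupported acceptance level, packages from vendors not on an allowlist, and packages installed after a known-good baseline date. The sample output, package names, versions and vendors below are constructed for the example; the acceptance levels and the esxcli commands named are ESXi's own.

```python
"""Flag suspicious VIBs in the output of 'esxcli software vib list'.

Added example for triaging an ESXi host; not Mandiant's or VMware's code.
Acceptance levels, strictest to loosest, as ESXi defines them:
VMwareCertified, VMwareAccepted, PartnerSupported, CommunitySupported.
"""
from dataclasses import dataclass
from datetime import date

ACCEPTANCE_RANK = {
    "VMwareCertified": 0,
    "VMwareAccepted": 1,
    "PartnerSupported": 2,
    "CommunitySupported": 3,
}

# Vendors of VMware's own VIBs. Extend with the OEM vendors (server, HBA,
# NIC) that are legitimately present in your host images.
DEFAULT_KNOWN_VENDORS = frozenset({"VMware", "VMW"})


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: date


def parse_vib_list(text: str) -> list:
    """Parse 'esxcli software vib list' output into Vib records.

    Data rows have exactly five whitespace-free fields. The header row
    ('Acceptance Level' is two words, so six tokens) and the dashed
    separator row are skipped.
    """
    vibs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].startswith("-"):
            continue
        name, version, vendor, acceptance, installed = parts
        if acceptance not in ACCEPTANCE_RANK:
            continue  # not a data row we understand
        vibs.append(Vib(name, version, vendor, acceptance,
                        date.fromisoformat(installed)))
    return vibs


def triage(vibs, known_vendors=DEFAULT_KNOWN_VENDORS, baseline=None):
    """Return (name, severity, reason) tuples for VIBs worth a closer look.

    baseline is an optional ISO date ('YYYY-MM-DD') of the last known-good
    maintenance window; anything installed after it is reported as low.
    """
    baseline_date = date.fromisoformat(baseline) if baseline else None
    findings = []
    for v in vibs:
        if v.acceptance == "CommunitySupported":
            findings.append((v.name, "high",
                             "CommunitySupported VIB; not expected on a "
                             "production host"))
        elif v.vendor not in known_vendors:
            findings.append((v.name, "medium",
                             f"unknown vendor '{v.vendor}'; check it with "
                             "'esxcli software vib signature verify'"))
        elif baseline_date and v.install_date > baseline_date:
            findings.append((v.name, "low",
                             f"installed {v.install_date} after baseline "
                             f"{baseline_date}"))
    return findings


# Constructed sample in the layout esxcli prints. Names, versions and the
# vendors 'BCM' and 'lab' are made up for this example.
SAMPLE_VIB_LIST = """\
Name              Version                        Vendor  Acceptance Level    Install Date
----------------  -----------------------------  ------  ------------------  ------------
esx-base          7.0.3-0.100.00000000           VMware  VMwareCertified     2023-10-02
nvme-pcie         1.2.3.16-1vmw.703.0.20.0000000 VMW     VMwareCertified     2022-01-18
lsi-mr3           7.720.04.00-1OEM.700.1.0.00000 BCM     PartnerSupported    2022-01-18
vmsyslog-ext      1.0-1                          lab     PartnerSupported    2021-12-03
esx-tools-helper  1.0.0-1                        lab     CommunitySupported  2021-12-03
"""

if __name__ == "__main__":
    for name, severity, reason in triage(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"[{severity}] {name}: {reason}")
```

Run it against real output captured from the ESXi shell ('esxcli software vib list' and, for anything flagged, 'esxcli software vib signature verify'). Collect the output off-box before trusting it: an attacker with root on the hypervisor can alter what local tooling reports, so a finding of zero on a host that was reachable during the exposure window is a starting point, not a clean bill of health.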
Mitigating Threats
VMware vCenter Server users are strongly advised to update to a version that fixes CVE-2023-34048 (VMware's advisory for it is VMSA-2023-0023) and to update VMware Tools in guest VMs to 12.2.5 or later, which fixes CVE-2023-20867. Because the vCenter flaw requires only network reach, restrict access to the vCenter and ESXi management interfaces to administrative hosts and jump systems, and never expose them to the internet. Organizations that were exposed during the two-year window should also hunt for the post-exploitation indicators (vmdird crashes with missing core dumps, unexpected packages on ESXi hosts, unexplained vpxuser logins) rather than assume that patching alone removes an attacker who is already present.
UNC3886’s Targeting of Fortinet
In addition to VMware, UNC3886 has exploited CVE-2022-41328, a path traversal vulnerability in Fortinet's FortiOS, to deploy the THINCRUST and CASTLETAP implants. THINCRUST is a Python-based backdoor found on FortiManager and FortiAnalyzer appliances, and CASTLETAP is a passive backdoor on FortiGate firewalls; together they allowed UNC3886 to execute arbitrary commands and exfiltrate sensitive data.
UNC3886’s Focus on Firewalls and Virtualization
UNC3886 targets firewalls and virtualization platforms largely because these appliances cannot run endpoint detection and response (EDR) agents: they are closed systems on which defenders see only what the vendor's own logging exposes. Attacks against them are therefore harder to detect and respond to, which is what let UNC3886 persist in target environments for years. The practical consequence is that appliance logs, forwarded off-box so an attacker with root cannot edit them in place, and network telemetry around the appliances are the main detection surface.
Conclusion
The UNC3886 cyber-espionage group is a persistent and sophisticated threat actor that has repeatedly exploited critical vulnerabilities in VMware and Fortinet products. Organizations should patch promptly, limit network access to management interfaces, and monitor the appliances that cannot host EDR, since those are precisely the systems this group relies on.