Chinese state-sponsored hackers known as UNC3886 have been exploiting a zero-day vulnerability in VMware and Fortinet devices for years, experts have revealed.
a report from Mandiant claims that the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data.
The bug in question is tracked as CVE-2023-34048. It has a severity rating of 9.8/10 (critical) and is described as an out-of-bounds write error that could allow attackers with access to vCenter Server to execute remote code. The patch was released at the end of October 2023.
Regular VMware customers
“UNC3886 has a track record of using zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” Mandiant explains in the report. Using CVE-2023-34048, UNC3886 was allowed to list all ESXi hosts and guest virtual machines on a vulnerable system, and then retrieve cleartext “vpxuser” credentials for the hosts. The next step was to install VIRTUALPITA and VIRTUALPIE malware, which provided direct access to the compromised endpoints.
From then on, the attackers exploited a separate flaw, CVE-2023-20867 (severity score 3.9), to execute arbitrary commands and obtain sensitive information from the devices.
VMware urges vCenter Server users to apply the latest patch immediately.
The last time we heard of UNC3886 was in September 2022, when researchers spotted the group compromising VMware’s ESXi hypervisors to gain access to virtual machines and spy on businesses in the West. At the time, the group was observed installing two malicious programs on bare-metal hypervisors, using vSphere Installation Bundles – the same ones used in this attack. Additionally, they discovered a unique malware/dropper called VirtualGate.
Unlike this attack, which exploited a zero-day, in the previous incident the group simply used administrator-level access to the ESXi hypervisors to install their tools.
Through The HackerNews