UNC3886 Cyber Espionage: Exploiting Long-Term VMware Vulnerability

A cyber espionage group from China has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021.

VMware patched the flaw in October and, in a recent statement, confirmed that it was aware of in-the-wild exploitation without giving specific details of the attacks.

Mandiant, a security firm, disclosed that the Chinese cyber espionage group UNC3886 had used this vulnerability in a campaign exposed in June 2023. The group breached vCenter servers and then used compromised credentials to deploy the VirtualPita and VirtualPie backdoors on ESXi hosts through maliciously crafted vSphere Installation Bundles (VIBs).

In the subsequent stage, the attackers exploited the CVE-2023-20867 VMware Tools authentication bypass flaw to escalate privileges, harvest files, and exfiltrate them from guest VMs.

Although Mandiant could not determine how the attackers initially gained privileged access, it noted a crash of the VMware vmdird service in late 2023, minutes before the backdoors were deployed, a pattern that closely aligns with exploitation of CVE-2023-34048.

The attackers deliberately removed the ‘vmdird’ core dumps, which suggests an attempt to conceal their tracks.
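As an added example (not from the article or from Mandiant's report), the following Python check expresses the two indicators described above as a simple correlation rule: a vmdird crash followed within a short window by a VIB installation on a managed host, and a crash whose core dump never appears or is later deleted. The event lines, hostnames and paths are constructed for illustration and do not follow a real vCenter or ESXi log format.

```python
from datetime import datetime, timedelta

# Constructed, simplified event lines for this example; NOT a real vCenter or ESXi
# log format. Fields: "<ISO timestamp> <host> <event> <detail>".
SAMPLE_EVENTS = """\
2023-11-02T03:10:07 vcsa01 vmdird_crash signal=11
2023-11-02T03:10:08 vcsa01 coredump_written /var/core/core.vmdird.1031
2023-11-02T03:18:40 esxi07 vib_install name=example-plugin acceptance=CommunitySupported
2023-11-02T03:25:12 vcsa01 coredump_deleted /var/core/core.vmdird.1031
2023-11-03T09:00:00 esxi02 vib_install name=example-driver acceptance=VMwareCertified
"""


def parse_events(text):
    """Turn the constructed event lines into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_crashes(events, window=timedelta(minutes=30)):
    """Flag each vmdird crash that is followed by a VIB install within `window`,
    or whose core dump never appears or is later deleted (anti-forensics)."""
    alerts = []
    for crash in (e for e in events if e["kind"] == "vmdird_crash"):
        t0 = crash["ts"]
        # VIB installs on any managed host shortly after the vCenter crash.
        installs = [e["host"] for e in events
                    if e["kind"] == "vib_install" and t0 < e["ts"] <= t0 + window]
        # Core dumps the crash should have produced on the same host...
        written = {e["detail"] for e in events
                   if e["kind"] == "coredump_written" and e["host"] == crash["host"]
                   and t0 <= e["ts"] <= t0 + timedelta(minutes=5)}
        # ...and any of them that were removed afterwards.
        deleted = {e["detail"] for e in events
                   if e["kind"] == "coredump_deleted" and e["host"] == crash["host"]
                   and e["ts"] > t0}
        dump_missing = not (written - deleted)
        if installs or dump_missing:
            alerts.append({"crash_host": crash["host"], "crash_ts": t0,
                           "vib_installs": installs, "coredump_missing": dump_missing})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_crashes(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample this yields one alert for vcsa01: an install on esxi07 within the window and a core dump that was written and then deleted; the next-day install on esxi02 falls outside the window and is not flagged.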

UNC3886, known for targeting the defense, government, telecom, and technology sectors in the United States and the APJ region, focuses on zero-day flaws in firewall and virtualization platforms that lack Endpoint Detection and Response (EDR) capabilities, which makes its activity harder to detect and block.

In a March revelation, Mandiant disclosed UNC3886’s exploitation of a Fortinet zero-day (CVE-2022-41328) in the same campaign to compromise FortiGate firewall devices and install previously unknown Castletap and Thincrust backdoors.

Fortinet emphasized the high precision of the targeting, which points to governmental or government-related targets, and noted that successful exploitation required an advanced understanding of FortiOS and the underlying hardware.
