Chinese Hackers Covertly Exploited VMware Zero-Day Vulnerability for a Period of Two Years
A sophisticated cyber espionage group associated with China, previously known for exploiting security vulnerabilities in VMware and Fortinet appliances, has been identified as exploiting a critical zero-day vulnerability in VMware vCenter Server since late 2021.
According to a report from Mandiant, a subsidiary of Google, UNC3886 has a history of using zero-day vulnerabilities to conduct covert operations. The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write issue that VMware patched on October 24, 2023.
The zero-day vulnerability allowed malicious actors with network access to vCenter Server to gain privileged access, enumerate all ESXi hosts, and identify their associated guest virtual machines. The attacker’s subsequent steps involved retrieving “vpxuser” credentials for the hosts, connecting to them, and installing malware (VIRTUALPITA and VIRTUALPIE).
Mandiant's findings indicate that UNC3886 leveraged the same zero-day vulnerability (CVE-2023-34048) to compromise vCenter systems, which in turn gave it direct connections to the ESXi hosts. From the compromised hosts, the group then exploited another VMware flaw (CVE-2023-20867, CVSS score: 3.9) to execute arbitrary commands on guest VMs and transfer files to and from them.
To mitigate the threat, VMware vCenter Server users are strongly advised to update to the latest version. In earlier campaigns, UNC3886 targeted Fortinet FortiOS using CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw, and deployed the THINCRUST and CASTLETAP implants to execute arbitrary commands and exfiltrate sensitive data.
Notably, UNC3886 focuses on vulnerabilities in firewall and virtualization appliances because such devices rarely support endpoint detection and response (EDR) agents, which lets the group persist undetected in target environments for extended periods.