Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

June 14, 2023 · Ravi Lakshmanan · Zero-day / Network Security


A Chinese state-sponsored group known as UNC3886 has been found exploiting a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems.

The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said.

UNC3886 was first documented by the Google-owned threat intelligence firm in September 2022 as part of a cyber espionage campaign that infected VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.


In early March of this year, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on network appliances and interact with the aforementioned malware.

The threat actor is said to be a “highly skilled” adversary group targeting defense, technology and communications organizations in the United States, Japan and the Asia-Pacific region.

"This group has access to extensive research and support to understand the underlying technology of the appliances being targeted," Mandiant researchers said, pointing to a pattern in which the group weaponizes flaws in firewall and virtualization software that do not support EDR solutions.


As part of its efforts to exploit ESXi systems, the group has also been observed harvesting credentials from vCenter servers and exploiting CVE-2023-20867 to execute commands and transfer files to and from guest VMs from a compromised ESXi host.

A notable aspect of UNC3886's tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, which makes it possible to establish a covert channel between an ESXi host and its guest VMs.


"This open communication channel between the guest and the host allows either role to act as a client or a server, so a backdoor can be deployed as long as an attacker gains initial access to any host, and a new means of persistence is now possible for regaining access to ESXi hosts and guest machines," the company said.

The development follows research by Summoning Team researcher Sina Kheirkhah, who identified three different remote code execution flaws in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889).

"UNC3886 continues to present a challenge to investigators by disabling and tampering with logging services and selectively deleting log events related to its activity," Mandiant added. "The fact that the threat actor has retroactively performed a cleanup within days of previously disclosing their activity shows just how vigilant they are."
