June 14, 2023 | Ravi Lakshmanan | Zero-day / Network Security

The Chinese state-sponsored group known as UNC3886 has been found exploiting a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems.

The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), “enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs,” Mandiant said.

UNC3886 was first documented by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.


Earlier this March, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on network appliances and interact with the aforementioned malware.

The threat actor is said to be a “highly skilled” adversary group targeting defense, technology and communications organizations in the United States, Japan and the Asia-Pacific region.

“This group has access to extensive research and support for understanding the underlying technology of the appliances being targeted,” Mandiant researchers said, pointing to a pattern of the group weaponizing flaws in firewall and virtualization software that does not support EDR solutions.

VMware zero-day defects

As part of its efforts to exploit ESXi systems, the attacker has been observed harvesting credentials from vCenter servers and exploiting CVE-2023-20867 to execute commands and transfer files to and from guest VMs from compromised ESXi hosts.

A notable aspect of UNC3886's tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, allowing it to establish a covert channel between an ESXi host and its guest VMs.


“This open communication channel between the guest and the host allows either role to act as a client or a server, so a backdoor can be deployed as long as an attacker gains initial access to any host. This provides a new means of persistence for regaining access to ESXi hosts and guest machines,” the company said.
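A guest-side hunting check for the VMCI tradecraft described above, added here as an example and not taken from Mandiant's report: it parses the output of `ss --vsock -a -p` on a Linux guest and flags vsock listeners and connections that no baselined process accounts for. The column layout and the sample output are constructed, and the baseline (port, process) pairs are placeholders to be replaced with a known-good inventory from your own guests.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss --vsock -a -p` output on a Linux guest (not captured
# from a real incident). Column layout follows iproute2's ss; treat as an assumption.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
v_str LISTEN 0      0                  *:976              *:*     users:(("vmtoolsd",pid=812,fd=5))
v_str LISTEN 0      0                  *:2424             *:*     users:(("vmtoolsd",pid=812,fd=7))
v_str LISTEN 0      0                  *:31337            *:*     users:(("unknownproc",pid=4321,fd=3))
v_str ESTAB  0      0                  1:1024             2:31337 users:(("unknownproc",pid=4321,fd=4))
"""

# Placeholder baseline: (vsock port, process name) pairs expected on this guest.
BASELINE = {(976, "vmtoolsd"), (2424, "vmtoolsd")}

LINE_RE = re.compile(
    r"^(?P<kind>v_str|v_dgr)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<lcid>\S+):(?P<lport>\d+)\s+(?P<pcid>\S+):(?P<pport>\S+)"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+))?"
)

class VsockEntry(NamedTuple):
    kind: str        # v_str (stream) or v_dgr (datagram)
    state: str       # LISTEN, ESTAB, ...
    local_cid: str   # vsock context id; "*" when unbound
    local_port: int
    peer_cid: str    # CID 2 is the host in AF_VSOCK addressing
    peer_port: str
    process: str
    pid: int

def parse_ss_vsock(text: str) -> list[VsockEntry]:
    """Parse `ss --vsock -a -p` output; header and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(VsockEntry(m["kind"], m["state"], m["lcid"], int(m["lport"]),
                                  m["pcid"], m["pport"], m["proc"] or "?", int(m["pid"] or 0)))
    return entries

def find_unexpected(entries: list[VsockEntry], baseline: set) -> list[str]:
    """Report listeners outside the baseline and connections held by unbaselined processes."""
    known_procs = {proc for _, proc in baseline}
    findings = []
    for e in entries:
        if e.state == "LISTEN" and (e.local_port, e.process) not in baseline:
            findings.append(f"unexpected vsock listener on port {e.local_port} by {e.process} (pid {e.pid})")
        elif e.state != "LISTEN" and e.process not in known_procs:
            findings.append(f"vsock connection to CID {e.peer_cid} port {e.peer_port} by {e.process} (pid {e.pid})")
    return findings
```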

The development comes as Summoning Team researcher Sina Kheirkhah disclosed three different remote code execution flaws in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889).

“UNC3886 continues to present a challenge to investigators by disabling and tampering with logging services and selectively deleting log events related to its activity,” Mandiant added. “The fact that the threat actor has retroactively performed a cleanup within days of public disclosures of their activity shows just how vigilant they are.”
