Chinese state aid group known as UNC3886 A zero-day flaw in VMware ESXi hosts was found to be exploited to backdoor Windows and Linux systems.
VMware Tools Authentication Bypass Vulnerability, tracked as: CVE-2023-20867 (CVSS score: 3.9), “Unable to execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without requiring authentication of guest credentials from the compromised ESXi host or default logging to the guest VM ,” said Mandiant. Said.
UNC3886 was first documented by the Google-owned threat intelligence firm in September 2022 as a cyberespionage act that infects VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.
In early March of this year, the group was involved in exploiting a medium-severity security flaw currently patched in the Fortinet FortiOS operating system to introduce implants into network appliances and interact with the aforementioned malware. It was said that
The threat actor is said to be a “highly skilled” adversary group targeting defense, technology and communications organizations in the United States, Japan and the Asia-Pacific region.
“This group has access to extensive research and support to understand the underlying technology of the appliances being targeted,” Mandiant researchers said, adding that firewalls and virtualization that do not support EDR solutions He pointed to a pattern of groups weaponizing software flaws.
As part of their efforts to exploit ESXi systems, the attackers harvested credentials from vCenter servers, exploited CVE-2023-20867 to execute commands, and sent guest VMs from compromised ESXi hosts. It has also been observed transferring files with
A notable feature of the UNC3886 tradecraft is the virtual machine communication interface (VMCI) Sockets for lateral movement and continuous persistence allow you to establish a covert channel between an ESXi host and its guest VMs.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join us for an insightful webinar!
“This open communication channel between the guest and the host allows either role to act as a client or a server, so a backdoor can be deployed as long as an attacker gains initial access to any host. A new means of persistence is now possible for regaining access to ESXi hosts and guest machines,” the company said.
Developed by summoning team researcher Sina Kheirkhah disclosed VMware Aria Operations for Networks has three different remote code execution flaws (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889).
It added, “UNC3886 continues to present a challenge to investigators by disabling and tampering with logging services and selectively deleting log events related to its activity.” “The fact that the threat actor has retroactively performed a cleanup within days of previously disclosing their activity shows just how vigilant they are.”