
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has now been tied to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.
“UNC3886 has a track record of exploiting zero-day vulnerabilities to complete their mission without detection, and this latest example further demonstrates their capabilities,” Google-owned Mandiant said in a report on Friday.
The vulnerability, CVE-2023-34048 (CVSS score: 9.8), is an out-of-bounds write in vCenter Server's DCERPC protocol implementation that can be exploited by a malicious actor with network access to vCenter Server. Broadcom-owned VMware fixed the issue on October 24, 2023.

The virtualization services provider updated its advisory earlier this week to acknowledge that “exploits of CVE-2023-34048 have occurred in the wild.”
UNC3886 first came to light in September 2022, when it was discovered that it exploited previously unknown security vulnerabilities in VMware to backdoor Windows and Linux systems and deploy malware families such as VIRTUALPITA and VIRTUALPIE.
New findings from Mandiant reveal that the nation-state attackers weaponized CVE-2023-34048 as a zero-day to gain privileged access to vCenter systems and enumerate all ESXi hosts, along with the guest virtual machines attached to each of them.
The next stage of the attack involved retrieving the clear text "vpxuser" credentials for all the ESXi hosts attached to the vCenter Server and connecting to the hosts to install the VIRTUALPITA and VIRTUALPIE malware, allowing the attackers to connect directly to the hosts.

As revealed by Mandiant in June 2023, this ultimately paved the way for the exploitation of another VMware flaw (CVE-2023-20867, CVSS score: 3.9, an authentication bypass in VMware Tools) to execute arbitrary commands and transfer files to and from guest virtual machines from a compromised ESXi host.
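One hunt that follows directly from the chain described above: "vpxuser" is the account vCenter uses to manage each ESXi host, so a vpxuser login on a host that does not come from a known vCenter address, or that does not identify itself as the vCenter client, is a signal that the credentials have been pulled out of vCenter and reused. The script below is an added example, not code from Mandiant or VMware; the log lines are constructed to approximate the "User ...@... logged in as ..." events ESXi writes to hostd.log, and the vCenter address list is an assumed input you supply for your own environment.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample hostd.log-style lines (not real log data from the report).
# Lines 1 and 4: normal vpxuser logins from the real vCenter (assumed 10.10.0.5).
# Line 3: vpxuser reused from an outside address with a generic client string.
# Line 5: vpxuser reused from an internal host via a pyvmomi script.
SAMPLE_LOG = """\
2023-10-25T08:01:12.001Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 101 : User vpxuser@10.10.0.5 logged in as VMware VirtualCenter/8.0.1
2023-10-25T08:02:40.112Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 102 : User root@10.10.0.77 logged in as VMware-client/8.0.0
2023-10-25T08:03:03.909Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 103 : User vpxuser@203.0.113.44 logged in as VMware-client/6.7.0
2023-10-25T08:03:15.220Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 104 : User vpxuser@10.10.0.5 logged in as VMware VirtualCenter/8.0.1
2023-10-25T08:04:55.500Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 105 : User vpxuser@10.10.0.99 logged in as pyvmomi Python/3.11
"""

# Pulls user, source address and client identifier out of a hostd login event.
LOGIN_RE = re.compile(
    r"User (?P<user>[^@\s]+)@(?P<src>[0-9a-fA-F:.]+) logged in as (?P<client>.+)$"
)

# Client string vCenter presents when it logs in to a managed host.
VCENTER_CLIENT_PREFIX = "VMware VirtualCenter"


def find_suspicious_vpxuser_logins(log_text, vcenter_addrs):
    """Return vpxuser logins whose source is not a known vCenter address
    or whose client string is not vCenter's own, with the reason(s) flagged.

    vcenter_addrs: list of IP addresses or CIDR ranges (assumed known input).
    """
    allowed = [ip_network(a, strict=False) for a in vcenter_addrs]
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("user") != "vpxuser":
            continue
        src = ip_address(m.group("src"))
        client = m.group("client").strip()
        reasons = []
        if not any(src in net for net in allowed):
            reasons.append("source is not a known vCenter address")
        if not client.startswith(VCENTER_CLIENT_PREFIX):
            reasons.append("client is not the vCenter agent")
        if reasons:
            hits.append({"source": str(src), "client": client, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_vpxuser_logins(SAMPLE_LOG, ["10.10.0.5"]):
        print(f"{hit['source']:<15} {hit['client']:<28} {'; '.join(hit['reasons'])}")
```

Run it against the hostd.log of each host (or the copies shipped to your SIEM) with the real vCenter address list; in a healthy environment the output is empty. The check is necessary rather than sufficient: an attacker who already holds vCenter itself can reach hosts from vCenter's own address, so pair it with review of the host for unexpected vSphere Installation Bundles and listening sockets, which is where VIRTUALPITA and VIRTUALPIE live.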
VMware vCenter Server users are recommended to update to the latest version to mitigate any potential threats; the fix must be applied on vCenter itself, since CVE-2023-34048 is exploitable by anyone with network access to the vCenter Server service.
UNC3886 is also known to have exploited CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy the THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.
These attacks specifically target firewall and virtualization technologies because those platforms lack support for endpoint detection and response (EDR) solutions, which allows the intruders to persist in the target environment without being detected.