
Chinese hackers use VMware’s zero-day vulnerability to bypass Linux and Windows systems.


It has been discovered that UNC3886, a group sponsored by China, can take advantage of a zero-day vulnerability in VMware ESXi hosts to backdoor Linux and Windows systems.

The authentication bypass flaw in VMware Tools, identified as CVE-2023-20867 (CVSS score: 3.9), according to Mandiant, “enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.”

In September 2022, Google-owned threat intelligence firm Mandiant first identified UNC3886 as a cyber espionage actor that infected VMware ESXi and vCenter servers with backdoors called VIRTUALPITA and VIRTUALPIE. In March, the group was linked to the exploitation of a medium-severity security flaw in the Fortinet FortiOS operating system to install implants on network appliances and interact with the aforementioned malware.

The threat actor has been described as an adversarial collective that is “highly adept” at targeting organizations in the fields of defense, technology, and telecommunication in the United States, Japan, and the Asia-Pacific region.

According to Mandiant researchers, “the group has access to extensive research and support for understanding the underlying technology of appliances being targeted,” highlighting its pattern of weaponizing flaws in firewall and virtualization software that do not support EDR solutions.

The threat actor has also been observed exploiting CVE-2023-20867 to transfer files to and from guest VMs from a compromised ESXi host and to obtain credentials from vCenter servers as part of its efforts to exploit ESXi systems.

A notable aspect of UNC3886’s tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, which enables it to establish a covert channel between the ESXi host and its guest VMs.

“This open communication channel between guest and host, where either role can act as client or server,” the company stated, “has enabled a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor is deployed and the attacker gains initial access to any guest machine.”

Sina Kheirkhah, a researcher for Summoning Team, recently made public three vulnerabilities in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889) that have the potential to allow remote code execution.

“UNC3886 continues to present challenges to investigators by selectively removing log events related to their activity and disabling and tampering with logging services,” Mandiant added. “The threat actors’ ability to perform a retroactive cleanup within days of previous public disclosures of their activities demonstrates their vigilance.”
