{"id":918,"date":"2023-06-17T08:53:06","date_gmt":"2023-06-17T08:53:06","guid":{"rendered":"https:\/\/cybersecuritynest.com\/?p=918"},"modified":"2023-06-17T08:55:16","modified_gmt":"2023-06-17T08:55:16","slug":"chinese-hackers-use-vmwares-zero-day-vulnerability-to-bypass-linux-and-windows-systems","status":"publish","type":"post","link":"https:\/\/cybersecuritynest.com\/?p=918","title":{"rendered":"Chinese hackers use VMware&#8217;s zero-day vulnerability to backdoor Linux and Windows systems."},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-921\" src=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-17-at-09.54.22-293x300.png\" alt=\"\" width=\"657\" height=\"673\" 
srcset=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-17-at-09.54.22-293x300.png 293w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-17-at-09.54.22-1001x1024.png 1001w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-17-at-09.54.22-768x785.png 768w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-17-at-09.54.22.png 1146w\" sizes=\"(max-width: 657px) 100vw, 657px\" \/>UNC3886, a China-sponsored group, has been observed exploiting a zero-day vulnerability in VMware Tools from compromised VMware ESXi hosts to backdoor the Linux and Windows guest systems those hosts run.<\/p>\n<p>The flaw, an authentication bypass in VMware Tools tracked as CVE-2023-20867 (CVSS score: 3.9), &#8220;enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs,&#8221; Mandiant stated. In practice, an attacker who already controls the hypervisor can run commands inside every guest it hosts without knowing a single guest password, and by default the guests record nothing about it.<\/p>\n<p>UNC3886 was first documented in September 2022 by Google-owned threat intelligence firm Mandiant as a cyber espionage actor that infected VMware ESXi and vCenter servers with backdoors called VIRTUALPITA and VIRTUALPIE. 
In March, the group was linked to exploitation of a medium-severity security flaw in Fortinet&#8217;s FortiOS operating system to install implants on network appliances and interact with the aforementioned malware.<\/p>\n<p>The threat actor has been described as an adversarial collective that is &#8220;highly adept&#8221; at targeting organizations in the defense, technology, and telecommunication sectors in the United States, Japan, and the Asia-Pacific region.<\/p>\n<p>According to Mandiant researchers, &#8220;the group has access to extensive research and support for understanding the underlying technology of appliances being targeted,&#8221; which shows in its pattern of weaponizing flaws in firewall and virtualization software that cannot run EDR agents.<\/p>\n<p>The threat actor has also been observed exploiting CVE-2023-20867 to transfer files to and from guest VMs from a compromised ESXi host and to harvest credentials from vCenter servers as part of its campaign against ESXi environments.<\/p>\n<p>A notable aspect of UNC3886&#8217;s tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, which gives it a covert channel between the ESXi host and its guest VMs that bypasses the guest network stack and therefore any network-based monitoring. &#8220;This open communication channel between guest and host, where either role can act as client or server,&#8221; the company stated, provides &#8220;a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor is deployed and the attacker gains initial access to any guest machine.&#8221;<\/p>\n<p>Separately, Sina Kheirkhah, a researcher with Summoning Team, recently disclosed three vulnerabilities in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889) that could lead to remote code execution.<\/p>\n<p>&#8220;UNC3886 continues to present challenges to investigators by selectively removing log events related to their activity and disabling and tampering with logging services,&#8221; Mandiant added. &#8220;The threat actors&#8217; ability to perform a retroactive cleanup within days of previous public disclosures of their activities demonstrates their vigilance.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It has been discovered that 
UNC3886, a China-sponsored group, can take advantage of a zero-day vulnerability in VMware Tools, exploited from compromised VMware ESXi hosts, to backdoor Linux and Windows guest systems. The authentication bypass flaw in VMware Tools, identified as CVE-2023-20867 (CVSS score: 3.9), &#8220;enabled the execution of privileged commands across Windows, [&hellip;]<\/p>\n","protected":false,"author":1,"featured_media":919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[10],"tags":[185],"class_list":["post-918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vul-mal","tag-latest"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/918"}],"collection":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=918"}],"version-history":[{"count":3,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/918\/revisions"}],"predecessor-version":[{"id":923,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/918\/revisions\/923"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/media\/919"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&pare
nt=918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
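The post's paragraph on CVE-2023-20867 makes the point that host-initiated commands leave no default log on the guest VM. The fragment below is an added example, not code from the original post, from Mandiant or from VMware: it shows the default state beside a VMware Tools `tools.conf` logging section that makes `vmtoolsd` (the `vmsvc` service that executes host-initiated guest operations) write a persistent file log inside the guest. It assumes the standard configuration file location (`/etc/vmware-tools/tools.conf` on Linux, `C:\ProgramData\VMware\VMware Tools\tools.conf` on Windows); the log file path is an assumption and the directory must already exist. The two sections are alternatives, not one file.

```ini
# Added example (not from the original post): VMware Tools guest-side logging.
# tools.conf is a GLib key file, so comments must start a line; no inline comments.

# --- weak (the default): no logging section, or logging explicitly off.
#     Guest operations run from the ESXi host via VMware Tools leave no record in the guest.
[logging]
log = false

# --- corrected: log the vmsvc service to a file inside the guest.
#     vmsvc is the vmtoolsd instance that services host-initiated guest operations
#     (program execution, file transfer), so its log is where that activity surfaces.
#     Level "debug" is verbose; lower it once the log volume is understood.
#     The path is an assumption; create the directory first and keep it root-only.
[logging]
log = true
vmsvc.level = debug
vmsvc.handler = file
vmsvc.data = /var/log/vmware-tools/vmsvc.log
```

This does not fix the vulnerability, it only gives the guest its own record of what the host asked it to do. Because the same host access that exploits CVE-2023-20867 can also edit this file or stop `vmtoolsd`, the log is only worth something if it is shipped off the guest as it is written and the shipper alerts on silence; the post's final quote, about the group selectively deleting log events and tampering with logging services, is exactly the behaviour that off-box forwarding is meant to survive.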