Saturday, January 20, 2024

Chinese Hacking Group Has Used a VMware vCenter Zero-day Since 2021 to Attack the World

In a concerning development, a Chinese hacking group tracked as UNC3886 has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021. Despite the flaw being patched by VMware in October, the group continued its in-the-wild exploitation, as confirmed by security firm Mandiant.

UNC3886's Exploitation Tactics

UNC3886 used CVE-2023-34048 as part of an ongoing cyber espionage campaign that Mandiant exposed in June 2023. The group targeted vCenter servers and, using compromised credentials, deployed the VirtualPita and VirtualPie backdoors on ESXi hosts through maliciously crafted vSphere Installation Bundles (VIBs).

Subsequent stages of the attack exploited CVE-2023-20867, a VMware Tools authentication bypass flaw, which allowed the attackers to escalate privileges, harvest files from guest VMs, and exfiltrate them.

Uncovering the Attack Chain

While the means by which the attackers gained privileged access to vCenter servers were initially unclear, a connection was established in late 2023: a crash of the VMware vmdird service, occurring just minutes before the backdoors were deployed, closely matched the exploitation of CVE-2023-34048.

Security firm Mandiant, in its analysis, noted that despite the vulnerability being publicly reported and patched in October 2023, UNC3886 had been exploiting it between late 2021 and early 2022. During this period, the attackers manipulated VMware's default configurations, intentionally removing 'vmdird' core dumps to erase traces of their activities.
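The pattern the two paragraphs above describe, a vmdird crash followed minutes later by backdoor deployment while the core dump the default configuration would have kept is missing, can be turned into a hunt rule. The Python below is an added example written for this page, not Mandiant's or VMware's code; the log line layout, host names, VIB names, IP address and core-dump inventory are all constructed, and a real deployment would swap the parser for one matching the actual vCenter and ESXi log formats and read the core-dump inventory from the appliance itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified "<ISO timestamp> <host> <process>: <message>"
# layout. The layout, hosts and VIB names are assumptions for this example; real vCenter
# and ESXi logs differ and need their own parsers.
SAMPLE_LOGS = """\
2021-12-10T03:14:05 vcsa01 systemd: vmdird.service: main process exited, code=killed, status=11/SEGV
2021-12-10T03:14:07 vcsa01 systemd: vmdird.service: started
2021-12-10T03:19:40 esxi07 esxupdate: installing VIB 'constructed-vib-a' acceptance=PartnerSupported
2021-12-10T03:21:02 esxi07 sshd: Accepted password for root from 10.0.0.5
2022-01-03T22:01:11 vcsa01 systemd: vmdird.service: main process exited, code=killed, status=11/SEGV
2022-01-03T22:01:13 vcsa01 systemd: vmdird.service: started
2022-01-04T09:30:00 esxi03 esxupdate: installing VIB 'constructed-vib-b' acceptance=VMwareCertified
""".splitlines()

# Constructed inventory of vmdird core files found on the appliance: (host, file mtime).
# Only the second crash left a dump behind; the first did not.
CORE_DUMPS = [
    ("vcsa01", datetime(2022, 1, 3, 22, 1, 12)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
CRASH_RE = re.compile(r"vmdird\.service: main process exited, code=killed")
# Activity that, shortly after a vmdird crash, suggests post-exploitation rather than a benign fault.
FOLLOWUP_RE = re.compile(r"installing VIB|Accepted password for root")


def parse_events(lines):
    """Parse the assumed log layout into dicts with a datetime timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "proc": m["proc"],
            "msg": m["msg"],
        })
    return events


def has_core_dump(host, crash_ts, core_dumps, slack=timedelta(minutes=2)):
    """True if a core file for this host was written within `slack` of the crash."""
    return any(h == host and crash_ts <= mtime <= crash_ts + slack
               for h, mtime in core_dumps)


def correlate(events, core_dumps, window=timedelta(minutes=15)):
    """For every vmdird crash, collect follow-up activity inside `window` and check
    whether the crash left the core dump that the default configuration would keep."""
    findings = []
    for ev in events:
        if not CRASH_RE.search(ev["msg"]):
            continue
        followups = [f for f in events
                     if ev["ts"] < f["ts"] <= ev["ts"] + window and FOLLOWUP_RE.search(f["msg"])]
        dump_present = has_core_dump(ev["host"], ev["ts"], core_dumps)
        if followups and not dump_present:
            severity = "high"     # crash, suspicious activity after it, and evidence removed
        elif followups or not dump_present:
            severity = "medium"   # only one of the two signals
        else:
            severity = "low"      # looks like an ordinary crash
        findings.append({
            "host": ev["host"],
            "crash_time": ev["ts"],
            "core_dump_present": dump_present,
            "followups": [f["msg"] for f in followups],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOGS), CORE_DUMPS):
        print(finding["severity"].upper(), finding["host"], finding["crash_time"].isoformat(),
              "core dump:", "present" if finding["core_dump_present"] else "MISSING",
              "follow-ups:", len(finding["followups"]))
```

On the constructed input the first crash scores high (a VIB install and a root login follow within the window and no core file exists), while the second scores low (no follow-up activity and the dump is present). The 15-minute window and 2-minute core-dump slack are tuning choices; the more durable signal is the absence of a dump that the appliance's default retention should have kept, which is why it is checked independently of the follow-up activity.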

UNC3886 has a history of targeting organizations in the defense, government, telecom, and technology sectors in the United States and the APJ region. The group focuses on exploiting zero-day security flaws in firewall and virtualization platforms, particularly those lacking Endpoint Detection and Response (EDR) capabilities that would aid in detecting and thwarting their attacks.

This is not the first time UNC3886 has been implicated in sophisticated cyber operations. In March, Mandiant revealed the group's exploitation of a Fortinet zero-day (CVE-2022-41328) in the same campaign. This allowed them to compromise FortiGate firewall devices and install previously unknown Castletap and Thincrust backdoors.

The UNC3886 cyber espionage group's prolonged exploitation of the VMware vCenter Server vulnerability underscores the persistent threats faced by organizations in critical sectors. As the attackers demonstrate advanced capabilities and an intricate understanding of targeted systems, cybersecurity efforts must remain vigilant and proactive in safeguarding against such sophisticated threats.

Source: Mandiant, CVE, VMware KB
