Chinese hackers have been quietly weaponizing VMware’s Zero-Day flaw for two years


A sophisticated cyber espionage group from China, previously linked to the exploitation of security flaws in VMware and Fortinet devices, has been observed exploiting a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.

“UNC3886 has a track record of using zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” Google-owned Mandiant said in a Friday report.

The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be exploited by a malicious actor with network access to vCenter Server. It was fixed by the Broadcom-owned company on October 24, 2023.

Earlier this week, the virtualization services provider updated its advisory to acknowledge that “exploitation of CVE-2023-34048 has occurred in the wild.”

UNC3886 first came to light in September 2022, when it was found to have exploited previously unknown security flaws in VMware to compromise Windows and Linux systems, deploying malware families such as VIRTUALPITA and VIRTUALPIE.

Mandiant’s latest findings reveal that the nation-state actor’s zero-day weapon targeting VMware is none other than CVE-2023-34048, which allows it to gain privileged access to the vCenter system and all ESXi hosts, and to list the guest virtual machines associated with the system.

The next phase of the attack involves retrieving plaintext ‘vpxuser’ credentials for the hosts and using them to connect and install the VIRTUALPITA and VIRTUALPIE malware, which gives the adversary direct access to the hosts.

This ultimately enables the exploitation of another VMware flaw (CVE-2023-20867, CVSS score: 3.9) to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host, as revealed by Mandiant in June 2023.

VMware vCenter Server users are advised to update to the latest version to mitigate potential threats.

In recent years, UNC3886 has also exploited CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy the THINCRUST and CASTLETAP implants, which receive arbitrary commands from a remote server and exfiltrate sensitive data.

These attacks specifically target firewall and virtualization technologies because such appliances do not support endpoint detection and response (EDR) solutions, which lets the intruders persist within the target environment for extended periods of time.
