In Late 2023, UNC3886, a highly advanced Chinese nexus espionage group, was found to be exploiting VMware vCenter systems using the vulnerability CVE-2023-34048. This threat actor is known for exploiting systems that cannot install EDR (Endpoint Detection and Response) on them.
There were also instances where the threat actor used zero-day vulnerabilities to infiltrate systems, go completely undetected, and perform several malicious activities.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Backdoor via VMware ESXi Zero-day
According to the reports shared with Cyber Security News, the threat activity was observed along with the discovery of CVE-2023-20867, which was associated with an authentication bypass vulnerability that can allow a threat actor to make VMware tools stop authentication from host-to-guest operations.
Initially, the threat actors utilized the CVE-2023-34048 vulnerability to deploy a backdoor in VMware vCenter systems, before which the “vmdird” service crashed. CVE-2023-34048 is related to an out-of-bounds write vulnerability that can be used to execute unauthenticated remote commands on vulnerable systems.
The vulnerability was patched in October 2023, but several cases of UNC3886 activity on organizations between late 2021 and early 2022 contributed to nearly one and a half years of unnoticed exploitation. Moreover, in certain cases, the “vmdird” core dumps were removed by the threat actors to cover their tracks.
Attack Vector
The attack path of the threat actor started with exploiting CVE-2023-34048 to deploy a backdoor, followed by retrieving vpxuser credentials for all ESXi hosts and enumeration of all the ESXi hosts along with their respective guest VMs attached to the vCenter server.
Eventually, the threat actor connected with ESXi hosts from the vCenter server with compromised credentials and deployed two other backdoors, VIRTUALPITA and VIRTUALPIE, on the ESXi hosts. After this, the threat actor can directly connect to the ESXi hosts through the deployed backdoors.
Then, the threat actor continued to exploit CVE-2023-20867 on ESXi hosts for unauthenticated remote command executions and file transfers into the guest VMs. Proceeding further, the threat actor has now established complete network command and control.
According to the advisory released by VMware, the vulnerability in question has been fixed in the latest version of vCenter, which is 8.0U2.
It is recommended for organizations to upgrade to the latest version of these products to prevent these kinds of exploitation by threat actors.
Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.