
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021

Summary:
A new blog post by Mandiant sheds light on a campaign in which UNC3886, a China-nexus espionage group, has been observed exploiting a zero-day in vCenter Server since 2021. The vulnerability in question is tracked as CVE-2023-34048 and is an out-of-bounds write bug that actors can exploit to gain remote code execution on targeted systems.

In the attacks spotted by Mandiant, the actors were observed exploiting the flaw to deploy a backdoor on the vCenter system. From there, cleartext vpxuser credentials for the ESXi hosts attached to the server were targeted, enabling the actors to connect to the hosts using the compromised credentials. Researchers say the hackers then deployed Virtualpita and Virtualpie malware via VIB installations on the ESXi hosts to enable direct backdoor access. Taking it a step further, the actors proceeded to exploit another vulnerability (CVE-2023-20867) on the ESXi hosts to execute commands without authentication and transfer files to and from guest virtual machines.

Security Officer Comments:
CVE-2023-34048 was patched in October 2023, meaning that UNC3886 had access to this flaw as a zero-day for a good two years. With the motive of this campaign being cyber espionage, the actors went after the VMware directory service, which stores and manages information about users and resources. In this case, Mandiant notes that the actors removed the directory core dumps in an attempt to cover their traces.

Suggested Corrections:
Both of the flaws (CVE-2023-34048 and CVE-2023-20867) exploited in the attack chain mentioned above have been patched. Users should ensure that they are running the latest version of vCenter to avoid potential exploitation attempts as seen in the wild.
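Since the advisory describes the ESXi backdoors being delivered as VIB installations, a practical check beyond patching is to compare each host's installed VIBs against a known-good baseline. The following Python snippet is an added example (not from the advisory or from Mandiant): it parses the table printed by `esxcli software vib list` and flags VIBs that are missing from the baseline or carry an acceptance level below what VMware itself publishes. The sample output, the baseline set and the VIB name `example-unexpected` are constructed for this example.

```python
from dataclasses import dataclass

# Constructed `esxcli software vib list` output: three ordinary VIBs plus one made-up entry.
SAMPLE_VIB_LIST = """\
Name                Version                  Vendor  Acceptance Level  Install Date
------------------  -----------------------  ------  ----------------  ------------
esx-base            7.0.3-0.65.20328353      VMW     VMwareCertified   2023-01-10
net-vmxnet3         1.1.3.0-3vmw.700.1.0.1   VMW     VMwareCertified   2023-01-10
lsu-hp-hpsa-plugin  2.0.0-16vmw.700.1.0.1    VMW     VMwareCertified   2023-01-10
example-unexpected  1.0-1                    VMW     PartnerSupported  2023-11-02
"""

# Inventory recorded earlier from a known-good host of the same build (constructed).
BASELINE = {"esx-base", "net-vmxnet3", "lsu-hp-hpsa-plugin"}

# Levels attributable to VMware itself. The level is declared by the VIB's own
# descriptor, so treat it as a hint; the baseline diff is the stronger signal.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted"}


@dataclass
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text):
    """Parse the whitespace-aligned table, skipping the header and dashed separator rows."""
    vibs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Name" or set(parts[0]) == {"-"}:
            continue
        vibs.append(Vib(*parts[:5]))
    return vibs


def suspicious_vibs(vibs, baseline, trusted_levels=TRUSTED_LEVELS):
    """Return (name, reasons) for VIBs missing from the baseline or below the trusted level."""
    findings = []
    for v in vibs:
        reasons = []
        if v.name not in baseline:
            reasons.append("not in baseline inventory")
        if v.acceptance not in trusted_levels:
            reasons.append(f"acceptance level {v.acceptance}")
        if reasons:
            findings.append((v.name, reasons))
    return findings
```

On a real host, capture the table from `esxcli software vib list` and pass it to `parse_vib_list`; the baseline should come from a freshly patched host of the same build, otherwise the diff only reports version drift.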

Link(s):
https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021