TechRadar
Sead Fadilpašić

Chinese hackers quietly exploited a VMware zero-day for two years


Chinese state-sponsored hackers known as UNC3886 have been abusing a zero-day vulnerability in VMware and Fortinet devices for years, experts have revealed.

A report from Mandiant claims the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data.

The flaw in question is tracked as CVE-2023-34048. It carries a severity score of 9.8/10 (critical), and is described as an out-of-bounds write flaw that allows remote code execution to attackers with access to vCenter Server. The patch was released in late October 2023. 

Regular VMware customers

"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Mandiant explained in the report. With the help of CVE-2023-34048, UNC3886 was able to enumerate all ESXi hosts and guest virtual machines on a vulnerable system, and then pull cleartext “vpxuser” credentials for the hosts. The next step was to install VIRTUALPITA and VIRTUALPIE malware, which granted direct access to the compromised endpoints.

From that point, the attackers abused a separate flaw, CVE-2023-20867 (severity score 3.9), to run arbitrary commands and pull sensitive information from the devices. 

VMware urges vCenter Server users to apply the latest patch immediately.

The last time we heard of UNC3886 was in September 2022, when researchers spotted the group compromising VMware’s ESXi hypervisors to gain access to virtual machines and spy on businesses in the West. Back then, the group was observed installing two malicious programs on bare-metal hypervisors, using vSphere Installation Bundles - the same ones as in this attack. Furthermore, the researchers discovered a unique malware/dropper dubbed VirtualGate.

Unlike this attack, in which a zero-day was being abused, in the previous incident the group simply used admin-level access to the ESXi hypervisors to install their tools.

Via TheHackerNews
