Chinese APT Group Caught Exploiting VMware ESXi Zero-Day
Mandiant says that a Chinese cyberespionage gang known as UNC3886 has been seen using a VMware ESXi zero-day vulnerability to get elevated rights on guest virtual machines.
Initially described in September 2022, UNC3886 has been installing backdoors on ESXi hypervisors to gain access to command execution, file manipulation, and reverse shell capabilities. It has been doing this by using malicious vSphere Installation Bundles (VIBs), which are typically used to maintain systems and deploy updates.
The group’s malicious activities would affect Windows virtual machines (VM), vCenter servers, and VMware ESXi hosts.
Cyberspies have been observed utilizing VMCI sockets to deploy backdoors for lateral movement and persistence, harvesting credentials from vCenter Server for all connected ESXi hosts, and changing and disabling logging services on compromised systems in recent assaults.
A zero-day vulnerability in VMware Tools has also been used by the gang to get around authentication and run privileged commands on Windows, Linux, and PhotonOS (vCenter) guest VMs.
The vulnerability, identified as CVE-2023-20867, has been given a “low severity” rating since it can only be exploited by an attacker with root access to the ESXi server.
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
VMware said
Mandiant claims that UNC3886 was observed employing scripts to enumerate all ESXi hosts and their guest VMs, change lists of authorized IPs across all connected ESXi hosts, and harvest credentials from compromised vCenter servers using the associated PostgreSQL database.
Our Readers ALSO READ
The cyberspies additionally employed installation scripts to distribute harmful VIBs to hosts and exploited CVE-2023-20867 to carry out untraced command execution and file transfers from the compromised ESXi host to and from the guest VMs.
Additionally, the use of CVE-2023-20867 does not generate an authentication log event on the guest VM when commands are executed from the ESXi host.
Mandiant
The cybersecurity company also noticed that the organization used VMCI sockets for lateral movement and sustained persistence when deploying two backdoors (VirtualPita and VirtualGate).
The malware gives the attackers a higher level of persistence (access to the affected ESXi host can be reclaimed by logging into a virtual machine), as well as the ability to go through network segmentation and security checks for open listening ports.
As a result of CVE-2023-20867, the attackers’ reclaimed access to the ESXi host enables them to carry out “unauthenticated actions with the highest privileged accounts across any virtual machine running underneath that ESXi host,” according to Mandiant .
If a vCenter exists as a virtual machine underneath the ESXi host, the attacker can proceed to harvest all connected vpxuser credentials for all ESXi hosts connected to the vCenter and continue to laterally pivot across the environment.
Mandiant
Defense, technology, and telecommunications organizations in the US and the Asia-Pacific area are the target of assaults by UNC3886, which take advantage of zero-day vulnerabilities in firewall and virtualization software.
