Brother
A bug in VMware vCenter Server (CVE-2023-34048) is being actively exploited in the wild, and not by mother hackers, but by the Chinese UNC3886, which has been exploiting the vulnerability since the end of 2021, while it was discovered and fixed only in October 2023.
Mandiant researchers showed that attackers used other attack paths and focused on technologies that are not protected by EDR.
UNC3886 has a history of using 0-days to accomplish its missions, as evidenced by the latest example of their ability to operate tactfully and without detection.
As reported by experts, before the deployment of the backdoor there was a failure of the "vmdird" service, recorded in the VMware service failure log /var/log/vonCoreduper.log; in most environments where these failures were observed, the log entries were preserved, but the "vmdird" core dumps themselves had been removed.
While VMware's default configurations store core dumps for an indefinite period on the system, it doesn't take a rocket scientist to figure out that the core dumps were deliberately deleted by an attacker in an attempt to cover their tracks.
Now, together with VMware, Mandiant recommends that users upgrade to the latest version, vCenter 8.0U2.
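The detection artifact the post describes is a crash log that still records vmdird failures while the matching core dumps are gone, which on a default configuration (dumps retained indefinitely) points to deliberate cleanup. The following is an added example, not code from the post or from VMware/Mandiant: it cross-checks crash-log entries against the dump files on disk. The log line format, the service name filter and the dump-directory layout are assumptions made for illustration; on a real appliance the parser would be adapted to the actual log format and path.

```python
"""
Added example (not from the forum post): flag service crashes that are logged
but whose core dump file no longer exists. Log line format and dump locations
are assumed for illustration; the sample log below is constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed crash-log line shape (illustrative, not VMware's real format):
#   "<timestamp> <service> crashed (...), core dump written to <absolute path>"
CRASH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<svc>[\w-]+)\s+crashed.*?core dump written to\s+(?P<dump>\S+)$"
)


@dataclass(frozen=True)
class CrashRecord:
    timestamp: str
    service: str
    dump_path: str
    dump_present: bool


def parse_crash_log(lines):
    """Yield a CrashRecord for every line matching the assumed crash format."""
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if not m:
            continue  # not a crash entry (e.g. service start/stop); ignore
        dump = m.group("dump")
        yield CrashRecord(m.group("ts"), m.group("svc"), dump, os.path.isfile(dump))


def crashes_without_dump(lines, service="vmdird"):
    """Crash entries for `service` whose core dump is no longer on disk.

    A log entry that survived while its dump did not is the inconsistency
    worth investigating: dumps are retained indefinitely by default.
    """
    return [r for r in parse_crash_log(lines)
            if r.service == service and not r.dump_present]


def demo():
    """Constructed scenario: two vmdird crashes logged, only one dump still present.

    Returns (timestamp, dump_path) pairs for crashes whose dump is missing.
    """
    with tempfile.TemporaryDirectory() as core_dir:
        kept = os.path.join(core_dir, "core.vmdird.1001")
        with open(kept, "wb") as f:
            f.write(b"\x7fELF")  # stand-in for a real core file
        gone = os.path.join(core_dir, "core.vmdird.1002")  # never created: "deleted"
        other = os.path.join(core_dir, "core.vpxd.7")      # different service, ignored
        log = [  # constructed sample log lines
            f"2023-10-01T03:12:09Z vmdird crashed (signal 11), core dump written to {kept}",
            f"2023-10-02T04:55:41Z vmdird crashed (signal 11), core dump written to {gone}",
            f"2023-10-02T05:00:00Z vpxd crashed (signal 6), core dump written to {other}",
            "2023-10-03T01:00:00Z vmdird started",
        ]
        return [(r.timestamp, r.dump_path) for r in crashes_without_dump(log)]


if __name__ == "__main__":
    for ts, path in demo():
        print(f"{ts}: vmdird crash logged but core dump missing: {path}")
```

Run against a real crash log and dump directory, the same check gives a list of crash timestamps to correlate with other vCenter activity; an empty list on a host with logged vmdird crashes means the dumps are still there to examine.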