Brother
Chinese UNC3886 leaves no chance for privacy for VMware users.
A group of cybercriminals linked to China and known as UNC3886 has secretly exploited a critical zero-day vulnerability in the management system of VMware vCenter Server since the end of 2021. This information was disclosed in a recent report by Mandiant.
The vulnerability, designated CVE-2023-34048 and rated 9.8 on the CVSS scale, is an out-of-bounds write error that allows an attacker with network access to vCenter Server to execute code remotely. On October 24, 2023, shortly after the vulnerability was identified, it was fixed by Broadcom.
Earlier this week, VMware updated its recommendations for addressing the consequences of this vulnerability, where it confirmed that CVE-2023-34048 was exploited in real-world conditions.
UNC3886 first drew attention to its actions in September 2022, when it was discovered that the group was exploiting previously unknown vulnerabilities in VMware to introduce backdoors into Windows and Linux systems. Among the malicious software distributed were VirtualPita and VirtualPie programs.
The latest data from Mandiant shows that the zero-day vulnerability used by the Chinese hackers UNC3886 to attack VMware was CVE-2023-34048. Exploitation allowed the attackers to gain privileged access to the vCenter system and to list all ESXi hosts and the VMs connected to them.
The attackers then obtained the "vpxuser" credentials of the hosts in clear text and used them to connect to the hosts and install malware, which gave them direct access to the hosts.
This sequence of actions, in turn, opens the way for exploiting another VMware vulnerability, CVE-2023-20867 (CVSS score: 3.9), which allows executing arbitrary commands and transferring files between VMs and a compromised ESXi host. Mandiant reported this in June 2023.
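One defender-side check that follows from the chain just described: vpxuser is the account vCenter itself uses to manage each ESXi host, so a vpxuser login to a host that does not come from the vCenter appliance is exactly the credential abuse Mandiant describes. The Python below is an added example, not code from the original post or from Mandiant's report. The log line format, the host names, the addresses and the vCenter IP are all constructed assumptions; the wording in a real ESXi hostd.log varies by build, so the regular expression has to be adapted to your own logs.

```python
import re
from collections import Counter

# Constructed sample log lines (assumption: a simplified hostd-style login
# record; the wording in a real ESXi hostd.log varies by build, so adjust
# LOGIN_RE to match your own logs). The last three records model the
# scenario in the article: vpxuser arriving from a non-vCenter source.
SAMPLE_LOG = """\
2023-10-20T08:00:01Z esxi01 hostd: User vpxuser@10.10.0.5 logged in as VMware-client/8.0.0
2023-10-20T08:05:12Z esxi01 hostd: User vpxuser@10.10.0.5 logged in as VMware-client/8.0.0
2023-10-20T23:41:07Z esxi01 hostd: User vpxuser@192.168.77.23 logged in as pyvmomi
2023-10-21T02:13:44Z esxi02 hostd: User root@10.10.0.9 logged in as VMware-client/8.0.0
2023-10-21T02:14:10Z esxi02 hostd: User vpxuser@192.168.77.23 logged in as pyvmomi
"""

# Assumed address of the vCenter appliance that legitimately owns vpxuser.
VCENTER_IPS = {"10.10.0.5"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) hostd: User (?P<user>[^@\s]+)@(?P<src>[\d.]+) "
    r"logged in as (?P<client>.+)$"
)


def parse_logins(text):
    """Return one dict per login record; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_rogue_vpxuser_logins(events, vcenter_ips=VCENTER_IPS):
    """vpxuser should only ever arrive from vCenter; anything else is a finding."""
    return [e for e in events if e["user"] == "vpxuser" and e["src"] not in vcenter_ips]


def summarize_sources(events):
    """Count logins per (user, source) pair so unfamiliar sources stand out."""
    return Counter((e["user"], e["src"]) for e in events)


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOG)
    for e in find_rogue_vpxuser_logins(evs):
        print(f"ALERT {e['ts']} {e['host']}: vpxuser login from {e['src']} via {e['client']}")
    for (user, src), n in summarize_sources(evs).items():
        print(f"{user}@{src}: {n} login(s)")
```

Run against the constructed sample, the script raises two alerts, both for the same non-vCenter source hitting two different hosts; in practice the allowlist should hold every vCenter address that manages the host, and the summary counter is a quick way to confirm what "normal" looks like before alerting on deviations.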
Users of VMware vCenter Server are advised to update to the latest software version as soon as possible to minimize any potential threats.
In recent years, UNC3886 has also frequently exploited the CVE-2022-41328 vulnerability (CVSS score: 6.5) in Fortinet's FortiOS software to deploy the THINCRUST and CASTLETAP tools, which allow the attackers to execute arbitrary commands from a remote server and exfiltrate sensitive data.
These attacks are particularly dangerous for firewall and virtualization technologies, as they often do not support EDR solutions, which allows attackers to stay in target environments for a long time.