Chinese hackers exploited a VMware zero-day to backdoor Windows and Linux systems

The Chinese hacking group UNC3886 hacked into Windows and Linux systems

UNC3886, a China-nexus state-backed group, has been found exploiting a zero-day vulnerability from compromised VMware ESXi hosts to backdoor Windows and Linux guest systems. The flaw is a VMware Tools authentication bypass tracked as CVE-2023-20867 (CVSS score: 3.9); the low score reflects its precondition, namely that the attacker must already control the ESXi host. According to Mandiant, the vulnerability “allows privileged commands to be executed on Windows, Linux, and PhotonOS (vCenter) guest VMs without authenticating guest credentials from a compromised ESXi host, and with no default logging on guest VMs.” UNC3886 was first documented in September 2022 by the Google-owned threat intelligence firm as a cyberespionage actor that infected VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.
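The check a defender wants after reading the paragraph above is which guests still run a VMware Tools build older than 12.2.5, the release VMware shipped with the fix for CVE-2023-20867 (VMSA-2023-0013). The script below is an added example written for this page; it is not code from the article, Mandiant or VMware. The inventory it walks is constructed, and the field names (`name`, `tools_version`) are assumptions: in practice the version strings would be pulled from vCenter's guest toolsVersion property or from `vmware-toolbox-cmd -v` inside each guest, both of whose formats the parser accepts.

```python
"""Triage VMware Tools versions reported by guest VMs against the release that
fixed CVE-2023-20867 (VMware Tools 12.2.5, VMSA-2023-0013).

Added example code, not from the article or from Mandiant/VMware. The inventory
below is constructed; real data would come from vCenter (guest toolsVersion) or
from `vmware-toolbox-cmd -v` run inside each guest.
"""
import re

# First VMware Tools release carrying the fix for CVE-2023-20867 (VMSA-2023-0013).
FIXED_TOOLS_VERSION = (12, 2, 5)

# Leading major.minor.patch; trailing build fields and "(build-NNN)" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_tools_version(raw):
    """Return (major, minor, patch) from a Tools version string, or None if unparseable.

    Accepts the dotted form shown in vSphere ("12.2.5") and the longer form printed by
    `vmware-toolbox-cmd -v` ("12.2.5.41126 (build-21855600)").
    """
    if not raw:
        return None
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(raw):
    """True if the guest runs a VMware Tools build older than 12.2.5.

    Missing or unparseable versions return None so callers flag them for manual
    review instead of silently treating them as patched.
    """
    v = parse_tools_version(raw)
    if v is None:
        return None
    return v < FIXED_TOOLS_VERSION


def triage(inventory):
    """Bucket guests into vulnerable / patched / unknown by Tools version.

    `inventory` is a list of dicts with keys "name" and "tools_version" (assumed names).
    Guests without Tools installed are not reachable through the Tools auth bypass,
    but they land in "unknown" because the absence itself should be confirmed.
    """
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for vm in inventory:
        state = is_vulnerable(vm.get("tools_version"))
        if state is None:
            result["unknown"].append(vm["name"])
        elif state:
            result["vulnerable"].append(vm["name"])
        else:
            result["patched"].append(vm["name"])
    return result


# Constructed sample inventory (not real hosts): Windows, Linux and PhotonOS guests,
# with version strings in both formats a practitioner will encounter.
SAMPLE_INVENTORY = [
    {"name": "win-dc-01", "guest_os": "Windows Server 2019",
     "tools_version": "12.1.5.20735119 (build-20735119)"},
    {"name": "web-01", "guest_os": "Ubuntu 22.04", "tools_version": "12.2.5"},
    {"name": "vcsa-01", "guest_os": "VMware Photon OS", "tools_version": "11.3.5"},
    {"name": "db-01", "guest_os": "RHEL 8",
     "tools_version": "12.3.0.44994 (build-22234872)"},
    {"name": "legacy-app", "guest_os": "Windows Server 2012 R2", "tools_version": None},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

Upgrading Tools in every guest closes the authentication bypass, but it does not address the root condition: an attacker who already controls the ESXi host. The Tools inventory is therefore a containment step to run alongside the host-side checks (unexpected VIBs, tampered logging, VMCI listeners) rather than a substitute for them.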

Where and when the group was discovered

Earlier in March, UNC3886 was found to have exploited a now-patched medium-severity vulnerability in Fortinet's FortiOS operating system to deploy implants on network appliances and interact with the aforementioned malware. The threat actor has been described as a “highly skilled” adversary that primarily targets defense, technology, and telecommunications organizations in the United States, Japan, and the Asia-Pacific region.

The group targets firewall and virtualization software that cannot run EDR

Mandiant researchers say the group has extensive research capabilities and support for understanding the underlying technology of the appliances it targets, noting that it exploits vulnerabilities in firewalls and virtualization software that do not support EDR solutions. As part of exploiting ESXi systems, the threat actor has also been observed harvesting credentials from vCenter servers and abusing CVE-2023-20867 to execute commands and transfer files between compromised ESXi hosts and guest VMs.

How UNC3886 moves laterally and persists

A notable feature of UNC3886's tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and persistence, which gives it a covert channel between ESXi hosts and guest VMs. “This open communication channel between the guest VM and the host, where either role can act as client or server, provides a new means of persistence for regaining access to the backdoored ESXi host, as long as the backdoor is deployed and the attacker gains initial access to any guest VM,” the company said.

Separately, Summoning Team researcher Sina Kheirkhah disclosed details of three vulnerabilities in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889), two of which allow remote code execution (RCE) and one of which leaks information. UNC3886 continues to challenge investigators by disabling and tampering with logging services to selectively delete log events related to its activity.

Reference source: The Hacker News