Chinese Espionage Group Has Exploited VMware Flaw Since 2021 – Source: securityboulevard.com

A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware’s vCenter Server since at least late 2021, according to the Google-owned cybersecurity company.

VMware patched the bug, tracked as CVE-2023-34048, in October 2023, but Mandiant researchers Alexander Marvi, Shawn Chew, and Punsaen Boonyakarn wrote in a recent blog post that research into how backdoors were being deployed to vCenter systems revealed the use by the threat group, UNC3886, of vulnerability.

It’s the latest illustration of the ability of UNC3886 – which is known for targeting zero-days in firewall and virtualization technologies – to run attacks while evading detection by cybersecurity tools.

“These findings stem from Mandiant’s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR [endpoint detection and response] deployed to them,” the researchers wrote. “UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example demonstrates their capabilities.”

The CVE-2023-34048 flaw – which has a critical severity rating of 9.8 out of 10 – is described as an “out-of-bounds write vulnerability” in VMware’s implementation of the DCE/RPC protocol, which allows developers to write distributed software as if all of it was working on the same computer without having to bother with the underlying network code.

In the wrong hands, a bad actor with access to vCenter Server can launch an out-of-bounds write that could lead to remote code execution (RCE).

vCenter is a key part of VMware’s larger cloud data center environments, operating as a centralized management tool for virtual machines and ESXi hosts and other components.

Continuing the Investigation

In July 2023, Mandiant wrote about its investigation into another zero-day flaw, CVE-2023-20867, that was being exploited by UNC3886 and allowed for hackers to execute privileged commands across Windows, Linux, and vCenter guest VMs without the need to authenticate guest credentials from a compromised ESXi host or default logging on guest VMs.

Marvi, Chew, and Boonyakarn this month wrote that they continued investigating the attack path used against vCenter, ESXi hypervisors, and guest VMs and found a similarity in impacted vCenter systems that show how the attackers were getting initial access into the vCenter systems.

They found entries in VMware server crash logs that showed the “vmdird” service crashing minutes before the attackers deployed the backdoors. The Mandiant researchers said an analysis by both them and VMware fond that the process crashing aligned with the exploitation of CVE-2023-34048.

“While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability,” they wrote. “Most environments where these crashes were observed had log entries preserved, but the ‘vmdird’ core dumps themselves were removed.”

By default, VMware’s configurations keep core dumps indefinitely on the system, which means that the attackers purposely removed the core dumps to cover their tracks.

When announcing the patches for the CVE-2023-34048 flaw in October, VMware said the vulnerability was so concerning that it also released patches for versions of vCenter Server that had reached end-of-life. The virtualization giant also noted there were no workarounds for the flaw.

In an update this month to the patching notice, VMware noted that as of January 18, there were reports of the bug being exploited in the wild.