Exploitation of VMware Zero-Day by Chinese Hackers Enables Backdoor into Windows and Linux Systems

UNC3886, a Chinese state-sponsored group, has been found exploiting a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems.

Mandiant highlighted the criticality of this authentication bypass vulnerability in VMware Tools, tracked as CVE-2023-20867 (CVSS score: 3.9): from a compromised ESXi host, it allows privileged commands to be executed on Windows, Linux, and PhotonOS (vCenter) guest VMs without the guest credentials that would normally be required. It also generates no default logging on guest VMs.

Google’s threat intelligence firm initially identified UNC3886 in September 2022, documenting it as a cyber espionage entity capable of infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.

During the previous March, the group was linked to the exploitation of a medium-severity security flaw in the Fortinet FortiOS operating system, which has since been patched. Exploiting that flaw facilitated the deployment of implants on the network appliances and interaction with the previously mentioned malware.

UNC3886 has been characterized as an extraordinarily skilled adversarial collective that mainly targets defense, technology, and telecommunication organizations in the U.S., Japan, and the Asia-Pacific region.

Mandiant researchers noted that the group has access to extensive research and technical support, which enables it to understand the nuances of the targeted appliances. They also emphasized the group's tendency to weaponize flaws in firewall and virtualization software that lacks EDR solutions.

The group's exploitation of ESXi systems includes harvesting credentials from vCenter servers and abusing CVE-2023-20867 to execute commands and transfer files between guest VMs and a compromised ESXi host.

UNC3886's modus operandi is characterized by the use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and sustained persistence. This allows the group to create a covert channel between the ESXi host and its guest VMs.

The company pointed out that this communication channel, in which either the guest or the host can take on the role of client or server, offers a new means of persistence: an attacker can regain access to a backdoored ESXi host, provided a backdoor is in place and the attacker has initial access to any guest machine.
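Because this channel never touches the guest's network stack, a defender has to look for it at the socket level. The following is an added example, not code from Mandiant or from this article: a Linux guest audit that flags vsock listeners outside an allow-list. It assumes the guest exposes VMCI sockets through the AF_VSOCK family as listed by `ss --vsock -lnp`; the process names, ports and allow-list are hypothetical, and the sample output is constructed.

```python
import re
import shutil
import subprocess

# Hypothetical allow-list: (process name, port) pairs this guest is expected to expose.
ALLOWED = {("approved-agent", 976)}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample in the layout of `ss --vsock -lnp`; not captured from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
v_str LISTEN 0      0                  *:976               *:*    users:(("approved-agent",pid=812,fd=9))
v_str LISTEN 0      0                  *:55555             *:*    users:(("updaterd",pid=4321,fd=3))
v_str LISTEN 0      0                  3:7000              *:*
"""

def parse_vsock_listeners(text):
    """Return one dict per vsock socket line found in ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("v_str", "v_dgr"):
            continue  # header, blank line or another socket family
        cid, _, port = fields[4].rpartition(":")
        m = PROC_RE.search(line)
        listeners.append({
            "type": fields[0],
            "cid": cid,
            "port": int(port) if port.isdigit() else None,
            "process": m.group(1) if m else None,  # None: owner not visible to ss
            "pid": int(m.group(2)) if m else None,
        })
    return listeners

def unexpected(listeners, allowed=ALLOWED):
    """Listeners whose (process, port) pair is not allow-listed."""
    return [l for l in listeners if (l["process"], l["port"]) not in allowed]

def collect():
    """Run ss on this machine; fall back to the sample when ss is unavailable."""
    if shutil.which("ss"):
        r = subprocess.run(["ss", "--vsock", "-lnp"], capture_output=True, text=True)
        if r.returncode == 0:
            return r.stdout
    return SAMPLE

if __name__ == "__main__":
    for l in unexpected(parse_vsock_listeners(collect())):
        print("unexpected vsock listener:", l)
```

A listener with no visible owning process is reported as well, since an ownerless socket is itself worth investigating.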

Simultaneously, Sina Kheirkhah, a researcher from the Summoning Team, has disclosed three different flaws in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889), which could allow remote code execution.

Investigators face difficulties with UNC3886 because the group hampers and tampers with logging services, selectively deleting log events related to its activity. The group's swift cleanup actions following public disclosures of its activity underscore its vigilance.