Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2023-32017 – Microsoft Windows PostScript Printer Driver Vulnerability
June 14, 2023Rewterz Threat Advisory – CVE-2023-33145 – Microsoft Edge (Chromium-based) Vulnerability
June 15, 2023
Severity
High
Analysis Summary
The cybersecurity researcher firm has discovered a cyber espionage group known as UNC3886, which is believed to be sponsored by China, exploiting a zero-day vulnerability in VMware ESXi. The vulnerability, tracked as CVE-2023-20867, allowed the group to backdoor Windows and Linux virtual machines hosted on compromised ESXi hosts. The attackers leveraged a VMware Tools authentication bypass flaw to deploy VirtualPita and VirtualPie backdoors, gaining root privileges on the guest VMs. By using maliciously crafted vSphere Installation Bundles (VIBs), the group installed the backdoor malware on the ESXi hosts.
“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine,” according to VM security advisory.
During investigation, they also identified another malware strain called VirtualGate, which acted as a memory-only dropper on the hijacked VMs. This allowed the group to deobfuscate second-stage DLL payloads. Researchers noted that the communication channel between the guest and host machines provided a means of persistence for the attackers. It also highlighted the deep technical knowledge and understanding of ESXi, vCenter, and VMware’s virtualization platform demonstrated by UNC3886.
”The report reinforces UNC3886’s deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform. UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms”
In a previous campaign in mid-2022, UNC3886 targeted FortiGate firewall devices using a zero-day vulnerability (CVE-2022-41328) and deployed Castletap and Thincrust backdoors. With access to the compromised Fortinet devices, the group gained persistence on FortiManager and FortiAnalyzer devices and later moved laterally through the victims’ network. The backdoored ESXi and vCenter machines were used to ensure stealthy operations.
UNC3886 primarily targets organizations in the defense, government, telecom, and technology sectors in the U.S. and APJ regions. Their choice of targets focuses on zero-day vulnerabilities in firewall and virtualization platforms lacking Endpoint Detection and Response (EDR) capabilities. The report highlighted the group’s advanced capabilities, custom implants, and extensive research capabilities, allowing them to understand and exploit complex technologies used by targeted appliances.
The attacks attributed to UNC3886 are highly targeted and suggest a focus on governmental or government-related entities. The group’s activities reflect an ongoing pattern of Chinese espionage, demonstrating sophisticated tradecraft that is challenging to detect. It is likely that there are additional victims who are unaware of the compromise. UNC3886 has successfully breached organizations with mature security programs in place, indicating the need for heightened vigilance and advanced security measures to counter their activities.
Impact
- Security Bypass
- Credentials Harvesting
Remediation
- Ensure that all VMware ESXi hosts are updated to the latest available patches and firmware versions. VMware has released a security advisory addressing the zero-day vulnerability, so promptly apply the provided patches.
- Implement a robust vulnerability management program to regularly scan and identify any potential vulnerabilities in your virtualization environment. Prioritize patching and remediation based on criticality and impact.
- Implement network segmentation to isolate critical systems, such as ESXi hosts, from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
- Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access to ESXi hosts. Regularly review and revoke unnecessary privileges to minimize the attack surface.
- Deploy robust security monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. Implement real-time log analysis and alerting mechanisms to identify potential unauthorized access attempts.
- Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by APT groups. Encourage a culture of security awareness and promote safe computing practices.
- Conduct periodic security audits and assessments of your virtualization infrastructure to identify any misconfigurations or vulnerabilities. Engage third-party security experts if necessary to perform thorough assessments.
- Continuously monitor the security posture of your virtualization environment, including ESXi hosts and virtual machines. Implement hardening measures recommended by VMware and security best practices to minimize the attack surface and strengthen defenses.