The cybersecurity researcher firm has discovered a cyber espionage group known as UNC3886, which is believed to be sponsored by China, exploiting a zero-day vulnerability in VMware ESXi. The vulnerability, tracked as CVE-2023-20867, allowed the group to backdoor Windows and Linux virtual machines hosted on compromised ESXi hosts. The attackers leveraged a VMware Tools authentication bypass flaw to deploy VirtualPita and VirtualPie backdoors, gaining root privileges on the guest VMs. By using maliciously crafted vSphere Installation Bundles (VIBs), the group installed the backdoor malware on the ESXi hosts.
“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine,” according to VM security advisory.
During investigation, they also identified another malware strain called VirtualGate, which acted as a memory-only dropper on the hijacked VMs. This allowed the group to deobfuscate second-stage DLL payloads. Researchers noted that the communication channel between the guest and host machines provided a means of persistence for the attackers. It also highlighted the deep technical knowledge and understanding of ESXi, vCenter, and VMware’s virtualization platform demonstrated by UNC3886.
”The report reinforces UNC3886’s deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform. UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms”
In a previous campaign in mid-2022, UNC3886 targeted FortiGate firewall devices using a zero-day vulnerability (CVE-2022-41328) and deployed Castletap and Thincrust backdoors. With access to the compromised Fortinet devices, the group gained persistence on FortiManager and FortiAnalyzer devices and later moved laterally through the victims’ network. The backdoored ESXi and vCenter machines were used to ensure stealthy operations.
UNC3886 primarily targets organizations in the defense, government, telecom, and technology sectors in the U.S. and APJ regions. Their choice of targets focuses on zero-day vulnerabilities in firewall and virtualization platforms lacking Endpoint Detection and Response (EDR) capabilities. The report highlighted the group’s advanced capabilities, custom implants, and extensive research capabilities, allowing them to understand and exploit complex technologies used by targeted appliances.
The attacks attributed to UNC3886 are highly targeted and suggest a focus on governmental or government-related entities. The group’s activities reflect an ongoing pattern of Chinese espionage, demonstrating sophisticated tradecraft that is challenging to detect. It is likely that there are additional victims who are unaware of the compromise. UNC3886 has successfully breached organizations with mature security programs in place, indicating the need for heightened vigilance and advanced security measures to counter their activities.