Rewterz Threat Update –China-Linked UNC3886 Stealthily Weaponized Highly-Severe VMware Zero-Day Vulnerability for 2 Years

Severity

High

Analysis Summary

UNC3886, a sophisticated Chinese cyber espionage group, has been linked to the exploitation of a critical VMware vCenter Server flaw as a zero-day since at least 2021. The group has been previously attributed to the weaponization of zero-day vulnerabilities in VMware and Fortinet products to achieve their goals undetected.

The vulnerability being exploited is CVE-2023-34048 (CVSS score: 9.8), which is an out-of-bounds write that could be leveraged by an attacker with network access to vCenter Server to conduct remote code execution. A patch was released for the flaw on October 24, 2023. However, the company updated its advisory recently to warn about the exploitation of CVE-2023-34048 in the wild.

UNC3886 was first seen in September 2022 when it was discovered to be taking advantage of zero-day vulnerabilities present in VMware to backdoor Linux and Windows systems, ending with the deployment of malware families such as VIRTUALPIE and VIRTUALPITA.

The findings of the security researchers show that the zero-day used by the threat group targeting VMware was CVE-2023-34048 which allowed it to get privileged access to the vCenter system and enumerate all ESXi hosts as well as their respective guest virtual machines that are attached to the system. In the next phase, the threat actors try to retrieve cleartext “vpxuser” credentials for the host machines and develop a connection to them for installing VIRTUALPITA and VIRTUALPIE malware, hence enabling the attackers to connect to the hosts directly. In the end, another VMware vulnerability tracked as CVE-2023-20867 is exploited to execute arbitrary commands and transfer files between guest VMs from a compromised ESXi host.

UNC3886 has also leveraged CVE-2022-41328, which is a path traversal vulnerability in Fortinet FortiOS software, to deliver THINCRUST and CASTLETAP malware implants that allow the execution of arbitrary commands retrieved from an actor-controlled remote server and exfiltrate sensation information.

It shows that attackers are specifically singling out firewall and virtualization technologies lately since they don’t support endpoint detection and response (EDR) products which allows the malicious actors to persist in the victim environments for a long time. VMware and vCenter Server users are urged to update to the latest version immediately to mitigate potential threats.

Impact

• Cyber Espionage
• Credential Theft
• Code Execution

Affected Vendor

• VMware

Affected Product

• VMware vCenter Server 7.0
• VMware vCenter Server 8.0
• VMware Cloud Foundation (vCenter Server) 4.0
• VMware Cloud Foundation (vCenter Server) 5.0

Remediation

• Refer to VMware Security Advisory for patch, upgrade, or suggested workaround information.
• Implement a robust vulnerability management program to regularly scan and identify any potential vulnerabilities in your virtualization environment. Prioritize patching and remediation based on criticality and impact.
• Implement network segmentation to isolate critical systems, such as ESXi hosts, from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
• Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access to ESXi hosts. Regularly review and revoke unnecessary privileges to minimize the attack surface.
• Deploy robust security monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. Implement real-time log analysis and alerting mechanisms to identify potential unauthorized access attempts.
• Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by APT groups. Encourage a culture of security awareness and promote safe computing practices.
• Conduct periodic security audits and assessments of your virtualization infrastructure to identify any misconfigurations or vulnerabilities. Engage third-party security experts if necessary to perform thorough assessments.
• Continuously monitor the security posture of your virtualization environment, including ESXi hosts and virtual machines. Implement hardening measures recommended by VMware and security best practices to minimize the attack surface and strengthen defenses.