Chinese Hackers Employ VMware Zero-Day Without Detection

UNC3886, a sophisticated cyber espionage group with alleged ties to China, has been identified as exploiting a critical zero-day vulnerability in VMware vCenter Server since late 2021. The group, known for its advanced tactics and techniques, has a history of leveraging zero-day vulnerabilities to carry out its operations discreetly. The specific vulnerability in question is CVE-2023-34048, which scored 9.8 on the CVSS scale and allowed for an out-of-bounds write, potentially leading to remote code execution. VMware addressed this vulnerability with a patch released on October 24, 2023.

Mandiant, a cybersecurity company owned by Google, highlighted UNC3886’s utilization of zero-days in a recent report, stating that the group has demonstrated a consistent ability to operate undetected while exploiting undisclosed vulnerabilities. The exploitation of CVE-2023-34048, which Mandiant attributes to UNC3886, showcases the group’s proficiency in offensive cyber capabilities.

The cyber threat landscape has witnessed UNC3886’s activities before, notably in September 2022, when the group exploited previously unknown security flaws in VMware to compromise Windows and Linux systems. During these operations, UNC3886 deployed malware families such as VIRTUALPITA and VIRTUALPIE, showcasing its capabilities in orchestrating sophisticated cyber campaigns.

The latest findings from Mandiant reveal that the zero-day exploited by UNC3886 to target VMware was CVE-2023-34048. This vulnerability provided the group with the means to gain privileged access to vCenter systems, enabling them to enumerate all ESXi hosts and associated guest virtual machines. The subsequent phases of the attack involved retrieving credentials, connecting to hosts, and installing malware, further establishing UNC3886’s presence within the compromised environment.

The use of zero-days is a notable characteristic of UNC3886’s operations, emphasizing the challenges posed by advanced threat actors and their ability to exploit undisclosed vulnerabilities. Mandiant’s report underscores the importance of prompt updates and patches to mitigate the risks associated with such vulnerabilities. VMware vCenter Server users are strongly advised to update to the latest version to safeguard against potential threats linked to UNC3886’s cyber activities.

This incident adds to the growing concerns surrounding nation-state-sponsored cyber threats and highlights the continuous efforts required to defend against advanced and persistent adversaries in the ever-evolving cybersecurity landscape.