The Chinese state-sponsored group known as UNC3886 has been found to exploit zero-day flaws in VMware ESXi hosts to backdoor Windows and Linux systems.
The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), “enabled privileged command execution in Windows, Linux, and PhotonOS (vCenter) guest VMs with no authentication of guest credentials from compromised ESXi hosts and no default logs on guest VMs,” Mandiant said.
UNC3886 was first documented by Google’s threat intelligence firm in September 2022 as a cyber espionage actor that infected VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.
In March, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on network equipment and interact with the aforementioned malware.
The threat actor has been described as a “highly adept” collective of adversaries targeting defense, technology and telecommunications organizations in the U.S., Japan and the Asia-Pacific region.
“The group has access to extensive research and support to understand the underlying technologies of the targeted equipment,” Mandiant said, citing the group's pattern of weaponizing weaknesses in firewall and virtualization software that do not support EDR solutions.
As part of its efforts to exploit ESXi systems, the threat actor has also been observed harvesting credentials from vCenter servers as well as abusing CVE-2023-20867 to execute commands and transfer files to and from guest VMs on compromised ESXi hosts.
A notable aspect of UNC3886’s tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, allowing it to establish a covert channel between the ESXi host and its guest VMs.
“This open channel of communication between the guest and the host, where either role can act as client or server, has enabled a new way to regain access on an ESXi backdoor host as long as the backdoor is deployed and the attacker gains initial access to any guest machine,” the company said.
The development comes as Summoning Team researcher Sina Kheirkhah disclosed three distinct flaws in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889) that could result in remote code execution.
“UNC3886 continues to present a challenge to investigators by disabling and crashing logging services, selectively deleting log events related to their activity,” Mandiant further noted. “Retroactive purges of threat actors carried out within days of their previous public disclosure of their activities show how vigilant they are.”