Security News > 2023 > June > Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems
2023-06-14 16:46

The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems.

The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867, "Enabled the execution of privileged commands across Windows, Linux, and PhotonOS guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said.

UNC3886 was initially documented by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE. Earlier this March, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances and interact with the aforementioned malware.

As part of its efforts to exploit ESXi systems, the threat actor has also been observed harvesting credentials from vCenter servers as well as abusing CVE-2023-20867 to execute commands and transfer files to and from guest VMs from a compromised ESXi host.

A notable aspect of UNC3886's tradecraft is its use of Virtual Machine Communication Interface sockets for lateral movement and continued persistence, thereby allowing it to establish a covert channel between the ESXi host and its guest VMs. UPCOMING WEBINAR. Mastering API Security: Understanding Your True Attack Surface.

"This open communication channel between guest and host, where either role can act as client or server, has enabled a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor is deployed and the attacker gains initial access to any guest machine," the company said.


News URL

https://thehackernews.com/2023/06/chinese-hackers-exploit-vmware-zero-day.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-06-13 CVE-2023-20867 Improper Authentication vulnerability in multiple products
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
local
high complexity
vmware debian fedoraproject CWE-287
3.9

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232
Vmware 146 11 222 256 102 591