Chinese hackers exploit VMware bug as zero-day for two years
A Chinese hacking group has been exploiting a critical vCenter Server vulnerability as a zero-day since at least late 2021.
In the next stage, they exploited the CVE-2023-20867 VMware Tools authentication bypass flaw to escalate privileges, harvest files, and exfiltrate them from guest VMs. Until now, Mandiant did not know how the attackers had gained privileged access to victims' vCenter servers; the link became evident in late 2023, when a VMware vmdird service crash minutes before the backdoors' deployment was found to closely match CVE-2023-34048 exploitation.
The Chinese cyberspies' favorite targets are zero-day security flaws in firewall and virtualization platforms, which lack the Endpoint Detection and Response (EDR) capabilities that would make their attacks easier to detect and block.
"The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."
VMware confirms critical vCenter flaw now exploited in attacks.
Barracuda fixes new ESG zero-day exploited by Chinese hackers.
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2023-10-25 | CVE-2023-34048 | Out-of-bounds write vulnerability in VMware vCenter Server. vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write, potentially leading to remote code execution. | 9.8 |
| 2023-06-13 | CVE-2023-20867 | Improper authentication vulnerability in multiple products. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. | 3.9 |