UNC3886, a Chinese state-sponsored hacking group, is exploiting a zero-day vulnerability (CVE-2023-20867) in VMware Tools to backdoor Windows and Linux guest systems from compromised VMware ESXi hosts. The flaw lets an attacker who already controls an ESXi host run privileged commands inside its guest virtual machines (VMs) without authenticating with guest credentials, and the guest keeps no default log of it, according to cybersecurity firm Mandiant. The group pairs this with its VIRTUALPITA and VIRTUALPIE backdoors, which it deploys on ESXi and vCenter servers. UNC3886 has previously exploited a security flaw in Fortinet's FortiOS operating system.
The group targets organizations in the defense, technology, and telecommunication sectors, particularly in the U.S., Japan, and the Asia-Pacific region. UNC3886's capabilities include finding and weaponizing flaws in firewall and virtualization software, harvesting credentials from vCenter servers, and transferring files to and from guest VMs through compromised ESXi hosts.
A notable feature of UNC3886's tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and persistence: the backdoors set up a covert channel between the ESXi host and its guest VMs. Because VMCI traffic never enters the network stack, network firewalls and intrusion detection systems do not see it. This gives the attacker a novel form of persistence on a backdoored host, since regaining access to the host only requires a foothold on any guest VM it runs. UNC3886 also covers its tracks by tampering with and disabling logging services and selectively removing the log events related to its activity.
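The log-tampering point above is where a remote syslog collector earns its keep: a copy the intruder cannot reach lets you diff what the host still shows against what was actually logged. The following is an added example for this page, not code from the article or from Mandiant; the log lines are constructed in the style of ESXi `/var/log/shell.log`, and the collector, paths and commands in them are assumptions.

```python
"""Compare a locally stored ESXi log against the copy a remote syslog
collector received, and flag events that were removed from the local file.

Added example for this page, not code from the original article or from
Mandiant.  The log lines are constructed in the style of ESXi
/var/log/shell.log; the collector and the file contents are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# "<ISO-8601 UTC> <source>[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<src>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Constructed: what the syslog collector received before any tampering.
REMOTE_LOG = [
    "2023-06-13T10:20:41Z shell[2101234]: [root]: ls /vmfs/volumes/datastore1",
    "2023-06-13T10:21:15Z shell[2101234]: [root]: chmod +x /vmfs/volumes/datastore1/tmp/update",
    "2023-06-13T10:21:20Z shell[2101234]: [root]: /vmfs/volumes/datastore1/tmp/update",
    "2023-06-13T10:21:58Z shell[2101234]: [root]: rm /vmfs/volumes/datastore1/tmp/update",
    "2023-06-13T10:25:30Z shell[2101234]: [root]: esxcli vm process list",
]

# Constructed: the local file after the intruder removed the three lines
# that reference the dropped binary.
LOCAL_LOG = [REMOTE_LOG[0], REMOTE_LOG[4]]

# Constructed: a local file that was edited by hand and lost its ordering.
EDITED_LOG = [REMOTE_LOG[0], REMOTE_LOG[4], REMOTE_LOG[3]]


def parse(line):
    """Split one log line into fields; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def missing_locally(local, remote):
    """Events the collector holds that the local file no longer does.

    A multiset difference, so a repeated command is only flagged when it
    was repeated at the collector too; the remote order is preserved.
    """
    have = Counter(local)
    gone = []
    for line in remote:
        if have[line] > 0:
            have[line] -= 1
        else:
            gone.append(line)
    return gone


def timestamp_regressions(lines):
    """Indices at which a timestamp is earlier than the one before it.

    A daemon writes its log in order; a backwards jump is evidence the
    file was edited, even when no remote copy exists to diff against.
    """
    previous = None
    bad = []
    for index, line in enumerate(lines):
        ts = parse(line)["ts"]
        if previous is not None and ts < previous:
            bad.append(index)
        previous = ts
    return bad


def report(local, remote):
    """Human-readable summary for an analyst."""
    gone = missing_locally(local, remote)
    regressions = timestamp_regressions(local)
    out = ["%d event(s) present at collector but absent locally" % len(gone)]
    for line in gone:
        f = parse(line)
        out.append("  %s %s: %s" % (f["ts"].isoformat(), f["user"], f["cmd"]))
    if regressions:
        out.append("timestamp goes backwards at local line(s): %s" % regressions)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(LOCAL_LOG, REMOTE_LOG))
    print(report(EDITED_LOG, REMOTE_LOG))
```

The diff only works if forwarding was in place before the intrusion and the collector is not reachable from the compromised host; the timestamp check is the fallback for hosts that never forwarded.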
Source: The Hacker News
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.