A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the Google-owned cybersecurity company.
VMware patched the bug, tracked as CVE-2023-34048, in October 2023, but Mandiant researchers Alexander Marvi, Shawn Chew, and Punsaen Boonyakarn wrote in a recent blog post that research into how backdoors were being deployed to vCenter systems revealed that the threat group, UNC3886, had been exploiting the vulnerability.
It's the latest illustration of the ability of UNC3886 - which is known for targeting zero-days in firewall and virtualization technologies - to run attacks while evading detection by cybersecurity tools.
A bad actor with access to vCenter Server can trigger an out-of-bounds write that could lead to remote code execution.
vCenter is a key part of VMware's larger cloud data center environments, operating as a centralized management tool for virtual machines, ESXi hosts and other components.
In July 2023, Mandiant wrote about its investigation into another zero-day flaw, CVE-2023-20867, that was being exploited by UNC3886 and allowed attackers to execute privileged commands across Windows, Linux, and vCenter guest VMs from a compromised ESXi host, without needing to authenticate with guest credentials and without being recorded by default logging on the guest VMs. Marvi, Chew, and Boonyakarn wrote this month that they continued investigating the attack path used against vCenter, ESXi hypervisors, and guest VMs and found a similarity among the impacted vCenter systems that shows how the attackers were getting initial access to them.
The Mandiant researchers said an analysis by both them and VMware found that the process crashes observed on the impacted systems aligned with the exploitation of CVE-2023-34048.
By default, VMware's configuration keeps core dumps on the system indefinitely, so their absence indicates that the attackers purposely removed them to cover their tracks.
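As an added example (not part of the article, nor Mandiant's or VMware's own tooling), a small check that implements the reasoning above: parse crash events from a log and flag any that have no matching core dump on disk. The log format, the process name and the core file naming scheme are constructed for illustration and are not vCenter's real layout.

```python
# Added example (not from the article or from Mandiant/VMware): flag process
# crashes that left no core dump behind. Log format, process name and core
# file naming below are constructed for illustration, not vCenter's layout.
import re
from datetime import datetime

# Constructed sample log: two crash records plus an unrelated restart line.
CRASH_LOG = """\
2023-10-03T02:14:07Z vmware-svc[1482]: process crashed with signal 11, core dumped
2023-10-03T02:14:09Z vmware-svc[1482]: restarting service
2023-11-12T18:40:21Z vmware-svc[2077]: process crashed with signal 6, core dumped
"""
# Constructed sample of core files present on disk; the name is assumed to
# carry the process name and pid, so only the first crash has a dump left.
CORE_FILES = ["core.vmware-svc.1482.1696299247"]

CRASH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: process crashed")


def parse_crashes(log_text):
    """Return (timestamp, process, pid) for each crash line in the log."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            crashes.append((ts, m["proc"], int(m["pid"])))
    return crashes


def core_exists(proc, pid, core_files):
    """Assumed naming: core.<process>.<pid>.<epoch>; check for a matching file."""
    prefix = f"core.{proc}.{pid}."
    return any(name.startswith(prefix) for name in core_files)


def crashes_without_core(log_text, core_files):
    """Crashes whose core dump is missing. With dumps retained indefinitely by
    default, a recorded crash with no dump on disk is worth investigating."""
    return [(ts, proc, pid) for ts, proc, pid in parse_crashes(log_text)
            if not core_exists(proc, pid, core_files)]


if __name__ == "__main__":
    for ts, proc, pid in crashes_without_core(CRASH_LOG, CORE_FILES):
        print(f"{ts.isoformat()} {proc}[{pid}]: crash logged but core dump missing")
```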
When announcing the patches for the CVE-2023-34048 flaw in October, VMware said the vulnerability was so concerning that it also released patches for versions of vCenter Server that had reached end-of-life.
The virtualization giant also noted there were no workarounds for the flaw.
In an update this month to the patching notice, VMware noted that as of January 18, there were reports of the bug being exploited in the wild.
This Cyber News was published on securityboulevard.com. Publication date: Mon, 22 Jan 2024 17:13:04 +0000