A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news.
On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write flaw in vCenter Server, was under active exploitation.
The bug, which received a 9.8-out-of-10 CVSS severity rating, was disclosed and patched in October.
It can be abused to hijack a vulnerable server, if it can be reached over the internet or a network by miscreants.
VMware did not respond to The Register's inquiries about the scale of the years-long exploitation nor who was behind the attacks.
This same team has targeted VMware products in the past to snoop on targets.
These inboxes included those belonging to the leadership team, cybersecurity and legal employees, and others.
The criminals exfiltrated not only emails but their attached documents, too.
The Russian gang was apparently snooping through email accounts looking for information about themselves, we're told.
We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.
This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.
In June 2023, VMware fixed an authentication bypass vulnerability in VMware Tools that affected ESXi hypervisors - but not before UNC3886 had found and exploited the hole.
This PRC-linked gang also targeted VMware hypervisors to carry out espionage in 2022.
According to Mandiant, UNC3886 last year abused a critical Fortinet bug to deploy custom malware to steal credentials and maintain network access via compromised devices.
Mandiant is attributing intrusions via the vCenter Server hole to Beijing's spies after spotting similarities between those attacks and the ones against VMware Tools in June 2023.
In reviewing VMware crash logs, the network defenders noticed the vmdird service dying shortly before intruders deployed backdoors on a victim's systems.
The code would fail in the same way, whether it was vSphere or VMware Tools being exploited, leading Mandiant to believe it's the same group behind the attacks, based on the modus operandi.
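The detection angle above, an unexpected vmdird crash followed shortly by a new backdoor binary, is the kind of thing a log correlation rule can surface. The following is an added example written for this article, not Mandiant's or VMware's tooling: it parses a constructed, syslog-like sample (the line format, the `vcsa01` host name, the audit source and the `/tmp/.cache/svc_helper` path are all assumptions, not real vCenter output) and flags any execution from a world-writable directory that happens within a window after an abnormal vmdird exit. A clean service stop is deliberately not treated as a crash.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (syslog-like; NOT real vCenter output). The vmdird
# segfault at 10:14 followed by a fresh binary run from /tmp a few minutes
# later is the pattern a defender wants surfaced; the 02:00 clean stop is not.
SAMPLE_LOG = """\
2023-11-02T10:14:03Z vcsa01 systemd[1]: vmdird.service: Main process exited, code=killed, status=11/SEGV
2023-11-02T10:14:04Z vcsa01 systemd[1]: vmdird.service: Failed with result 'signal'.
2023-11-02T10:17:41Z vcsa01 audit[4211]: file_create path=/tmp/.cache/svc_helper uid=0
2023-11-02T10:17:42Z vcsa01 audit[4211]: exec path=/tmp/.cache/svc_helper uid=0
2023-11-02T14:30:00Z vcsa01 audit[5120]: exec path=/usr/bin/python3 uid=1000
2023-11-03T02:00:00Z vcsa01 systemd[1]: vmdird.service: Main process exited, code=exited, status=0/SUCCESS
2023-11-03T02:00:05Z vcsa01 systemd[1]: Stopped vmdird.service.
"""

# "<timestamp> <host> <source>: <message>" -- the assumed line layout.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[^:]+): (?P<msg>.*)$")
# Abnormal termination only: killed by a signal or core-dumped, not a clean exit.
CRASH_RE = re.compile(r"vmdird\.service: Main process exited, code=(killed|dumped)")
EXEC_RE = re.compile(r"\bexec path=(?P<path>\S+)")
# Hypothetical list of directories where a newly executed file is suspicious.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_log(text):
    """Yield (timestamp, host, source, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("host"), m.group("src"), m.group("msg")


def find_vmdird_crashes(events):
    """Return (timestamp, host) for every abnormal vmdird exit."""
    return [(ts, host) for ts, host, _, msg in events if CRASH_RE.search(msg)]


def correlate_crash_with_exec(text, window=timedelta(minutes=30)):
    """Pair each vmdird crash with executions from suspect directories that
    follow it on the same host within `window`. Returns a list of findings."""
    events = list(parse_log(text))
    findings = []
    for crash_ts, crash_host in find_vmdird_crashes(events):
        for ts, host, _, msg in events:
            if host != crash_host or not (crash_ts < ts <= crash_ts + window):
                continue
            m = EXEC_RE.search(msg)
            if m and m.group("path").startswith(SUSPECT_DIRS):
                findings.append({"crash": crash_ts, "exec": ts,
                                 "host": host, "path": m.group("path")})
    return findings


if __name__ == "__main__":
    for f in correlate_crash_with_exec(SAMPLE_LOG):
        print(f"{f['host']}: vmdird crashed {f['crash']}, "
              f"then {f['path']} executed at {f['exec']}")
```

The window and directory list are tuning knobs; in practice the crash signal would come from vCenter's own core-dump or service logs and the execution signal from whatever process auditing is in place, each needing its own parser in place of the constructed format used here.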
The threat hunters said fewer than 10 known organizations were compromised via the vSphere hole, though declined to say which industries the snoops were targeting in these attacks.
Ivanti disclosed, and issued mitigations for, two zero-days on January 10, and since then security researchers have warned that at least 1,700 devices have been compromised via the bugs, likely by Chinese nation-state attackers.
In a call with reporters on Friday, CISA Executive Assistant Director Eric Goldstein said about 15 federal agencies had the flawed Ivanti VPN servers in use, though noted they have already apparently applied the mitigations.
This Cyber News was published on go.theregister.com. Publication date: Sat, 20 Jan 2024 00:43:04 +0000