In October, VMware patched a critical remote code execution vulnerability (CVE-2023-34048) in vCenter Server and in the Cloud Foundation enterprise products that are used to manage virtual machines across hybrid clouds. It has now come to light that a Chinese cyberespionage group had been exploiting the vulnerability for about a year and a half before the patch became available.
“These findings stem from Mandiant’s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them,” researchers from security firm Mandiant said in a report late last week. “UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities.”
Suspicious VMware log entries date back to 2021
In June 2023, Mandiant documented how the Chinese group it tracks as UNC3886 exploited a zero-day authentication bypass vulnerability in VMware Tools (CVE-2023-20867) to deploy backdoors inside guest VMs from compromised ESXi hosts. The attack flow Mandiant described started with the attackers first gaining access to vCenter servers and then using known techniques to extract cleartext credentials for the vpxuser account of every ESXi host attached to that server. This allowed them to log in to those hosts and exploit CVE-2023-20867 to deploy malware.
However, the password for vpxuser, an account created automatically on each ESXi host when it is connected to a vCenter server, is stored encrypted by default. On a fully patched vCenter system, decrypting those passwords requires root access on the vCenter appliance. So how did the attackers gain root access to vCenter servers in the first place? By exploiting CVE-2023-34048, the vulnerability that VMware later patched in October 2023.
Mandiant’s forensic analysts found a commonality on compromised vCenter systems: the crash logs located in /var/log/vMonCoredumper.log showed the “vmdird” service (the VMware Directory Service) crashing minutes before the attackers deployed their malware. After sharing this observation with VMware’s product security team, along with memory core dumps of the crashed vmdird process, the two teams concluded that the crashes closely align with the behavior observed during CVE-2023-34048 exploitation. A vmdird crash on its own is therefore a strong hunting lead, but its absence is not proof that a system was never exploited, since a reliable exploit need not crash the process.
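The detection pattern described above, written out as an added hunting script that is not part of Mandiant’s report or VMware’s tooling: it parses crash records, keeps only those for vmdird, and correlates each one with files created on the appliance within a short window afterwards. The line layouts of the crash log and of the file-creation timeline are assumptions for this example, as are the sample entries, which are constructed rather than taken from a real incident; adapt the two regular expressions to the actual vMonCoredumper.log format and to whatever timeline your forensic tooling exports.

```python
"""Correlate vmdird crashes with subsequent file drops on a vCenter appliance.

Added example (not code from the page, Mandiant or VMware). The log layouts
below are ASSUMED; real /var/log/vMonCoredumper.log lines will differ.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample crash log in the assumed layout:
#   <ISO-8601 timestamp> vMonCoredumper: "<service>" process crashed, ...
SAMPLE_COREDUMPER_LOG = """\
2022-07-30T12:00:00.331Z vMonCoredumper: "vpxd" process crashed, core file written
2022-08-03T01:12:08.004Z vMonCoredumper: "vmdird" process crashed, core file written
"""

# Constructed file-creation timeline (assumed layout: <timestamp> <path>).
SAMPLE_FILE_TIMELINE = """\
2022-08-02T23:00:00Z /tmp/before.txt
2022-08-03T01:14:30Z /tmp/svc_update.tar
2022-08-03T01:15:02Z /usr/lib/libvmw_helper.so
2022-08-03T05:00:00Z /var/log/rotated.1
"""

CRASH_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+.*?'
    r'"(?P<svc>[^"]+)"\s+(?:process\s+)?crashed',
    re.IGNORECASE,
)
FILE_RE = re.compile(r'^(?P<ts>\S+Z)\s+(?P<path>\S+)$')


@dataclass(frozen=True)
class Crash:
    when: datetime
    service: str


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    path: str


def parse_ts(raw: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp, dropping fractional seconds."""
    base = raw.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_crashes(text: str) -> list[Crash]:
    """Extract (time, service) for every crash record in the coredumper log."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            crashes.append(Crash(parse_ts(m["ts"]), m["svc"]))
    return crashes


def parse_file_events(text: str) -> list[FileEvent]:
    """Extract (time, path) from the file-creation timeline."""
    events = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            events.append(FileEvent(parse_ts(m["ts"]), m["path"]))
    return events


def correlate(crashes, files, service="vmdird", window=timedelta(minutes=30)):
    """For each crash of `service`, list files created within `window` after it.

    Every vmdird crash is returned (it is a lead by itself); the attached file
    list is what escalates it from "investigate" to "likely post-exploitation".
    """
    hits = []
    for crash in crashes:
        if crash.service != service:
            continue
        dropped = [f for f in files if crash.when <= f.when <= crash.when + window]
        hits.append((crash, dropped))
    return hits


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_COREDUMPER_LOG)
    files = parse_file_events(SAMPLE_FILE_TIMELINE)
    for crash, dropped in correlate(crashes, files):
        print(f"{crash.when.isoformat()} {crash.service} crashed; "
              f"{len(dropped)} file(s) created within 30 min:")
        for f in dropped:
            print(f"    {f.when.isoformat()}  {f.path}")
```

The window of 30 minutes is a tuning choice: Mandiant describes malware landing minutes after the crash, so a tight window keeps routine file churn (log rotation, patch staging) from drowning the signal, while still catching the case the report describes.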
CVE-2023-34048 is an out-of-bounds write in vCenter Server’s implementation of the DCERPC protocol that leads to a crash and, when exploited successfully, to arbitrary code execution. The flaw can be triggered remotely by anyone with network access to the vCenter Server, with no authentication required, which is why VMware rated it critical (CVSS 9.8).