A Chinese hacking group has been exploiting a zero-day in vCenter Server since at least late 2021. Through the vulnerability, the hackers deployed backdoors on ESXi hosts and exfiltrated data from organisations in critical sectors.
Mandiant attributes the campaign to UNC3886, a Chinese espionage group. Mandiant first identified the attackers in June 2023, but its researchers have now reconstructed the group's activity back to late 2021.
Blind spot for EDR
UNC3886, according to Mandiant, mainly targets technologies that EDR tools do not cover. Hypervisor security is more complex than endpoint protection. According to VMware, antivirus software is unnecessary for its ESXi hypervisor infrastructure. Normally, a firewall is expected to keep malicious parties from getting in through ESXi. However, CrowdStrike noted in May 2023 that the hypervisor is “highly attractive” to cybercriminals. Poor security hygiene leaves legacy instances and unpatched products at numerous organisations, allowing actors such as UNC3886 to exploit long-standing vulnerabilities.
Together, vCenter Server and ESXi make up vSphere. Vulnerabilities in both components contributed to the Chinese hackers’ infiltration method. Previously, Mandiant did not know that the attackers had gained privileged access to vCenter servers.
Method of attack
The hackers first exploited CVE-2023-34048, a flaw in vCenter Server that allows a malicious party with network access to trigger an out-of-bounds write, resulting in remote code execution.
Using CVE-2023-34048, the attackers planted a backdoor on the vCenter system. They did so with manipulated vSphere Installation Bundles (VIBs), the package format intended for building custom ESXi images. They then stole credentials, enumerated all ESXi hosts and connected to the compromised ones.
Backdoors named “VirtualPita” and “VirtualPie” provided persistent access. The direct connection that followed put the hackers in a position to exploit CVE-2023-20867. Although that vulnerability has a relatively mild CVSS score (3.9), it is significantly dangerous in this context: unauthenticated command execution and file transfers enabled the data breaches.
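As an added defensive illustration (not code from the article, Mandiant or VMware): because the backdoors above were delivered as crafted VIBs, a host-side inventory check can flag installed VIBs whose acceptance level or vendor does not fit a VMware-supplied package. The esxcli table below is a constructed sample; the package names, versions, dates and the flagging heuristic are assumptions.

```python
import re

# Constructed sample in the layout of `esxcli software vib list`; every
# package name, version and date here is made up for the illustration.
SAMPLE_VIB_LIST = """\
Name                 Version                      Vendor  Acceptance Level    Install Date
-------------------  ---------------------------  ------  ------------------  ------------
esx-base             7.0.3-0.65.21424296          VMW     VMwareCertified     2023-06-01
vmware-esx-esxcli    7.0.3-0.65.21424296          VMW     VMwareCertified     2023-06-01
net-example-driver   1.0.0-1OEM.703.0.0.21424296  ACME    PartnerSupported    2023-06-01
example-suspect-vib  1.0-1                        VMW     CommunitySupported  2021-11-14
example-fake-vmw     2.0-3                        VMW     PartnerSupported    2022-03-02
"""

# Acceptance levels a package from VMware itself (vendor "VMW") is expected to carry.
VMWARE_LEVELS = {"VMwareCertified", "VMwareAccepted"}


def parse_vib_list(text: str) -> list[dict[str, str]]:
    """Turn the human-readable esxcli table into one dict per VIB.

    esxcli pads columns with at least two spaces and no field contains a
    double space, so splitting on runs of 2+ spaces recovers the columns.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0])
    rows = []
    for ln in lines[1:]:
        if set(ln) <= {"-", " "}:
            continue  # dashed underline row
        rows.append(dict(zip(header, re.split(r"\s{2,}", ln))))
    return rows


def flag_suspicious(vibs: list[dict[str, str]]) -> list[dict[str, str]]:
    """Heuristic (an assumption, not an official VMware rule): report VIBs that
    are CommunitySupported, or that claim vendor VMW without a VMware-signed
    acceptance level. Flagged packages deserve a closer look on the host,
    for instance with `esxcli software vib signature verify`."""
    flagged = []
    for v in vibs:
        level, vendor = v["Acceptance Level"], v["Vendor"]
        if level == "CommunitySupported" or (vendor == "VMW" and level not in VMWARE_LEVELS):
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    for v in flag_suspicious(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"SUSPICIOUS: {v['Name']} {v['Version']} ({v['Vendor']}, {v['Acceptance Level']})")
```

On a real host the input would come from `esxcli software vib list` itself; the heuristic flags two of the five constructed entries.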
Critical targets
UNC3886’s targets are typically U.S. and East Asian companies in the technology, telecom and defense sectors, in addition to government agencies. On several occasions, the Chinese hackers managed to erase evidence of their intrusion from logs, making it enormously difficult to confirm compromises. It is also not known what data the group has captured in recent years.
The relevant vulnerabilities have since been patched (as of vCenter 8.0U2). Mandiant recommends that organisations update to the latest version to avoid exploitation.