A China-nexus espionage group tracked as UNC3886 has been quietly exploiting a critical zero-day vulnerability in VMware vCenter Server since late 2021, according to a recent report by Mandiant.
The vulnerability, tracked as CVE-2023-34048 with a CVSS score of 9.8, is an out-of-bounds write in vCenter Server's implementation of the DCERPC protocol. An attacker with network access to vCenter Server can trigger it to execute code remotely, without authentication. VMware (now part of Broadcom) patched it on October 24, 2023 in advisory VMSA-2023-0023.
This week VMware updated that advisory to confirm that CVE-2023-34048 has been exploited in the wild. Users are advised to follow VMware's update guidance to mitigate the risk.
UNC3886 first made headlines in September 2022, when Mandiant found the group using previously unknown VMware vulnerabilities to plant backdoors on ESXi hypervisors and their Windows and Linux guest virtual machines. The malware deployed by the group included the VirtualPita and VirtualPie backdoors.
According to Mandiant's latest findings, the zero-day UNC3886 used against VMware was CVE-2023-34048. Exploiting it gave the attackers privileged access to the vCenter system, from which they could enumerate all ESXi hosts and the virtual machines attached to them.
The attackers then retrieved the cleartext credentials of the vpxuser account for every ESXi host (vpxuser is the service account vCenter uses to manage ESXi hosts) and used them to connect directly to the hosts and install malware.
The same chain also involved a second vulnerability, CVE-2023-20867 (CVSS 3.9), an authentication bypass in VMware Tools that lets an attacker who already controls an ESXi host execute arbitrary commands on, and transfer files to and from, its guest virtual machines. Mandiant reported that vulnerability in June 2023.
To reduce exposure, vCenter Server users should update to a version that contains the fix for CVE-2023-34048.
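As an added example (not code from the article, Mandiant or VMware), the following Python script classifies vCenter Server builds reported by `vpxd -v` against the fix for CVE-2023-34048. The `vpxd -v` output format, the hostnames in the sample inventory and, above all, the minimum fixed build numbers in `FIXED_BUILDS` are assumptions made for illustration; confirm the build numbers against VMSA-2023-0023 and VMware's vCenter build-number KB before trusting any verdict.

```python
"""Classify vCenter Server builds against the CVE-2023-34048 fix.

Added example; not code from the article, Mandiant or VMware.
"""
import re
from dataclasses import dataclass

# ASSUMED minimum fixed build per vCenter release line. These numbers are
# placeholders for illustration; confirm each against VMSA-2023-0023 and
# VMware's vCenter build-number KB before relying on the verdicts.
FIXED_BUILDS = {
    "8.0": 22368047,  # assumed: vCenter Server 8.0 U1d (8.0 U2 is higher and also fixed)
    "7.0": 22357613,  # assumed: vCenter Server 7.0 U3o
}

# ASSUMED output format of `vpxd -v` on the vCenter appliance, e.g.
# "VMware VirtualCenter 7.0.3 build-22357613".
VPXD_RE = re.compile(r"VMware VirtualCenter (\d+\.\d+)(?:\.\d+)* build-(\d+)")


@dataclass(frozen=True)
class Verdict:
    release_line: str   # e.g. "7.0"
    build: int
    status: str         # "fixed", "vulnerable" or "unknown"
    detail: str


def classify(release_line: str, build: int) -> Verdict:
    """Compare a build number with the minimum fixed build for its release line."""
    minimum = FIXED_BUILDS.get(release_line)
    if minimum is None:
        return Verdict(release_line, build, "unknown",
                       f"no fixed build recorded for the {release_line} line; "
                       "check the advisory (older lines may be out of support)")
    if build >= minimum:
        return Verdict(release_line, build, "fixed",
                       f"build {build} is at or above fixed build {minimum}")
    return Verdict(release_line, build, "vulnerable",
                   f"build {build} predates fixed build {minimum}; update vCenter Server")


def parse_vpxd_version(text: str) -> Verdict:
    """Parse one line of `vpxd -v` output and classify it; raise ValueError if unparseable."""
    match = VPXD_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised vpxd version string: {text!r}")
    return classify(match.group(1), int(match.group(2)))


def check_inventory(outputs):
    """Classify a mapping of hostname -> `vpxd -v` output.

    Entries that cannot be parsed are reported as 'unknown' rather than
    silently skipped, so a broken collector does not look like a clean fleet.
    """
    results = {}
    for host, text in outputs.items():
        try:
            results[host] = parse_vpxd_version(text)
        except ValueError as exc:
            results[host] = Verdict("?", 0, "unknown", str(exc))
    return results


# Constructed sample data for the example; not real hosts or a real inventory.
SAMPLE_OUTPUTS = {
    "vcsa-prod": "VMware VirtualCenter 7.0.3 build-22357613",
    "vcsa-lab": "VMware VirtualCenter 7.0.3 build-21958406",
    "vcsa-legacy": "VMware VirtualCenter 6.7.0 build-19832280",
    "vcsa-broken": "vpxd: command not found",
}

if __name__ == "__main__":
    for host, verdict in check_inventory(SAMPLE_OUTPUTS).items():
        print(f"{host:12} {verdict.status:10} {verdict.detail}")
```

Feed it the collected `vpxd -v` output from each appliance; anything reported as vulnerable or unknown needs attention. A patched build only closes the entry point: any vpxuser credentials an intruder already pulled out of vCenter stay valid until the ESXi hosts' credentials are rotated, so a late patch should be paired with an investigation of the hosts themselves.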
Besides CVE-2023-34048, UNC3886 has repeatedly exploited CVE-2022-41328 (CVSS 6.5), a path-traversal vulnerability in Fortinet FortiOS, to deploy the THINCRUST and CASTLETAP backdoors, which let a remote operator execute arbitrary commands and harvest sensitive data.
These attacks pose a particular threat to firewall and virtualization