Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years

Published: 23/11/2024   Category: security




Even the most careful VMware customers may need to go back and double check that they weren't compromised by a zero-day exploit for CVE-2023-34048.



One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat (APT) for years before a patch became available.
It was all-hands-on-deck in October when news first broke of CVE-2023-34048, a 9.8 out of 10 critical CVSS-rated out-of-bounds write vulnerability affecting vCenter Server, VMware's centralized platform for managing virtual environments. In a sign of just how severe this particular issue was, VMware went so far as to extend patches to end-of-life versions of the product as well.
In at least some cases, though, all that effort might have been too little, too late. In a Jan. 19 blog post, Mandiant revealed that a Chinese threat actor it tracks as UNC3886 had been covertly exploiting CVE-2023-34048 as a zero-day since at least late 2021.
"The exploitation of CVE-2023-34048 reflects a deep technical acumen, indicating a high level of proficiency in identifying and leveraging complex vulnerabilities within widely used software like VMware," says Callie Guenther, senior manager of cyber threat research at Critical Start.
UNC3886, which Mandiant describes as a China-nexus espionage group, is exactly the threat actor to pull off this kind of trick. Though relatively little is known of it, it has been outed for targeting VMware environments before.
Last year, for example, Mandiant pieced together that the actor had been exploiting a different VMware zero-day: CVE-2023-20867. This was a less serious (CVSS 3.9 out of 10, low severity) authentication issue in VMware Tools, a set of tools for enhancing performance in guest virtual machines (VMs).
A crucial missing piece at the time was how UNC3886 was obtaining full compromise over ESXi hosts — a necessary prerequisite for taking advantage of this flaw.
That answer lay in the VMware services crash logs. There, analysts discovered that the VMware Directory Service (VMDIRD) reliably crashed just minutes before the group deployed its backdoors, VirtualPita and VirtualPie. These crashes were associated with the exploitation of CVE-2023-34048.
It appears that this first stage of the exploit chain is what afforded the attackers remote code-execution (RCE) capabilities in its targets' environments, whereupon they'd steal credentials and use them to compromise ESXi hosts connected to the compromised vCenter server. Then came the backdoors, then the CVE-2023-20867 exploit.
The canary crashes were observed across multiple UNC3886 attacks between late 2021 and early 2022.
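The detection idea in the passage above, a VMDIRD crash serving as a canary for a later backdoor deployment, can be turned into a simple time-window correlation. The following is an added example written for this article; it is not Mandiant's tooling and not code from the original post. The event records, the `vmdird_crash` and `unexpected_binary_written` event names, and the one-line `timestamp host event` layout are all constructed assumptions for the walkthrough, not the real format of VMware's vmdird or ESXi logs, so a practitioner would swap in their own parser for the actual crash and file-integrity telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example. The event names and the
# "timestamp host event" layout are assumptions made here; they are NOT the
# format of VMware's own vmdird or ESXi logs.
SAMPLE_EVENTS = """\
2021-12-01T03:14:02Z vcenter01 vmdird_crash
2021-12-01T03:21:47Z esxi-host-07 unexpected_binary_written
2021-12-03T11:05:00Z vcenter01 vmdird_crash
2021-12-05T08:00:00Z esxi-host-02 unexpected_binary_written
2022-01-15T22:40:10Z vcenter02 vmdird_crash
2022-01-15T22:44:30Z esxi-host-11 unexpected_binary_written
2022-02-02T09:00:00Z esxi-host-03 unexpected_binary_written
"""

CANARY_EVENT = "vmdird_crash"                 # hypothetical event name
FOLLOWUP_EVENT = "unexpected_binary_written"  # hypothetical event name


def parse_events(text):
    """Parse the constructed 'timestamp host event' lines into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({"when": when, "host": host, "event": event})
    return sorted(events, key=lambda e: e["when"])


def find_canary_chains(events, window_minutes=15):
    """Pair each vmdird crash with follow-up events inside the time window.

    A crash followed within minutes by an unexpected binary landing on an
    ESXi host is the pattern the article describes. Crashes with no follow-up
    are returned separately rather than dropped: a gap in your own telemetry
    does not prove the exploit attempt failed.
    """
    window = timedelta(minutes=window_minutes)
    chains, lonely_crashes = [], []
    for i, ev in enumerate(events):
        if ev["event"] != CANARY_EVENT:
            continue
        followups = [
            later for later in events[i + 1:]
            if later["event"] == FOLLOWUP_EVENT
            and later["when"] - ev["when"] <= window
        ]
        if followups:
            chains.append({"crash": ev, "followups": followups})
        else:
            lonely_crashes.append(ev)
    return chains, lonely_crashes


def summarize(chains, lonely_crashes):
    """Produce one triage line per finding for an analyst to review."""
    lines = []
    for c in chains:
        hosts = ", ".join(f["host"] for f in c["followups"])
        lines.append(
            f"HIGH   {c['crash']['when']:%Y-%m-%d %H:%M}Z vmdird crash on "
            f"{c['crash']['host']} followed by binary writes on {hosts}"
        )
    for ev in lonely_crashes:
        lines.append(
            f"REVIEW {ev['when']:%Y-%m-%d %H:%M}Z vmdird crash on {ev['host']}, "
            "no follow-up in window: check core dumps and vCenter patch level"
        )
    return lines


if __name__ == "__main__":
    chains, lonely = find_canary_chains(parse_events(SAMPLE_EVENTS))
    print("\n".join(summarize(chains, lonely)))
```

On the constructed input this flags the two crash-then-write pairs that sit minutes apart and lists the lone December 3 crash for manual review; the February binary write with no preceding crash is deliberately not surfaced by this rule, since it is a separate detection problem. The window is a tunable: the article says "minutes", and tightening it to five minutes drops the first pair, which shows why an analyst should sweep a range of windows rather than trust a single threshold.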
"The long-term strategy employed by UNC3886 in exploiting vulnerabilities aligns with the broader modus operandi of Chinese state-sponsored cyber activities," Guenther notes. "China's cyber espionage efforts are often characterized by strategic patience, persistence, and a focus on long-term intelligence gathering. This approach is indicative of their wider geopolitical and economic objectives, where sustained cyber operations support broader state goals. In this context, UNC3886's activities fit neatly into the larger narrative of China's systematic and methodical approach to cyber espionage and intelligence."
Organizations that patched back in October may now need to double check their work to make sure they weren't compromised during the zero-day period.
And despite the hubbub made over CVE-2023-34048, and VMware's efforts to patch as many devices as possible, it's plausible that numerous organizations may still be running unpatched or outdated versions, Guenther thinks.
"This could be due to a range of factors including lack of resources, complexities in the IT infrastructure, compatibility issues, or simply oversight in patch management processes," she says, adding that organizations often face challenges in rapidly deploying patches, especially in large or complex environments, leading to windows of vulnerability that threat actors like UNC3886 can exploit.
Those still at risk can find remediation information in VMware's original security advisory from October.
