Chinese attackers exploiting unpatched VMware ESXi instances

Mandiant spots zero-day attacks.

By Richard Chirgwin on Jun 14, 2023 11:52AM

Security researchers from Mandiant have identified a Chinese APT group exploiting a VMware ESXi zero-day vulnerability as part of a campaign tracked since September 2022.

The attacks, by a group Mandiant tagged as UNC3886, were first observed last year, with the company accusing UNC3886 of credential harvesting and backdoor deployment.

The attackers also try to block investigations by disabling logging on compromised systems.

Exploitation of the zero-day, CVE-2023-20867, was new, Mandiant said.

VMware’s advisory for the CVE rated it only as a low risk, because it can only be exploited by an attacker with a “fully compromised ESXi host” – that is, someone with root access to the server.

“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine,” VMware said, issuing VMware Tools 12.2.5 to fix the issue.

Describing UNC3886’s activity, Mandiant wrote that “the attacker utilised a zero-day vulnerability, CVE-2023-20867, to execute commands and transfer files to and from guest VMs from a compromised ESXi host without the need for guest credentials."

“Additionally, the use of CVE-2023-20867 does not generate an authentication log event on the guest VM when commands are executed from the ESXi host," it wrote.

UNC3886’s long campaign of credential harvesting rested on a 2022 vulnerability, CVE-2022-22948.

Discovered by Pentera researcher Yuval Lazar, CVE-2022-22948 was a privilege escalation bug that let attackers harvest vpxuser credentials stored on a vCenter server.

With those credentials in hand, the attackers performed host and guest machine enumeration, and were able to manipulate the vCenter to ESXi firewall and install malicious software.

CVE-2023-20867 depended only on two conditions for exploitation: an attacker with privileged access to the ESXi host (credentials the attackers had obtained in their earlier campaign); and the target machine having VMware Tools installed.

Companies affected should look for the VirtualPita and VirtualGate backdoors, which UNC3886 installed on compromised systems to give them lateral movement and persistence.
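As an added illustration of the two preconditions above (this is example code written for this page, not Mandiant's or VMware's), the following triage helper takes a flattened vCenter inventory export and lists the guests that still meet the guest-side condition: VMware Tools installed and older than the 12.2.5 release that fixes CVE-2023-20867. The inventory records are constructed sample data; the field names mirror the vSphere API's toolsStatus values and a dotted Tools version string, and the real export format is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample inventory (not real data): one record per VM, flattened from
# vCenter, with the ESXi host it runs on and its VMware Tools status and version.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"vm": "web-01",   "host": "esx-a", "tools_status": "toolsOk",           "tools_version": "12.1.5"},
    {"vm": "db-01",    "host": "esx-a", "tools_status": "toolsOk",           "tools_version": "12.2.5"},
    {"vm": "build-01", "host": "esx-b", "tools_status": "toolsNotInstalled", "tools_version": ""},
    {"vm": "app-02",   "host": "esx-b", "tools_status": "toolsOld",          "tools_version": "11.3.0"},
    {"vm": "jump-01",  "host": "esx-c", "tools_status": "toolsOk",           "tools_version": "12.3.0"},
]

# VMware Tools release named in the article as the fix for CVE-2023-20867.
FIXED_VERSION: Tuple[int, int, int] = (12, 2, 5)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '12.2.5' into (12, 2, 5); missing trailing components count as zero."""
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def exposed_vms(inventory: List[Dict[str, str]], fixed=FIXED_VERSION) -> List[str]:
    """Guests meeting the guest-side precondition: Tools installed and below the fixed release.

    A guest without VMware Tools does not meet that precondition, so it is skipped here;
    it still deserves its own review, just not for this bug.
    """
    return [
        r["vm"]
        for r in inventory
        if r["tools_status"] != "toolsNotInstalled"
        and r["tools_version"]
        and parse_version(r["tools_version"]) < fixed
    ]


def hosts_to_review(inventory: List[Dict[str, str]], fixed=FIXED_VERSION) -> Dict[str, List[str]]:
    """Group exposed guests by ESXi host.

    The host-side precondition is root on the ESXi host, so the host carrying exposed
    guests is the unit to triage: check its patch level, its logging state, and look
    for the backdoors the article names.
    """
    by_host: Dict[str, List[str]] = {}
    names = set(exposed_vms(inventory, fixed))
    for r in inventory:
        if r["vm"] in names:
            by_host.setdefault(r["host"], []).append(r["vm"])
    return by_host
```

Run against a real export only after confirming how your tooling reports the Tools version; some exports give the internal numeric code rather than the dotted string assumed here.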

Copyright © iTnews.com.au . All rights reserved.