Mandiant’s ongoing investigation into UNC3886, a Chinese cyber-espionage group, has revealed that the threat actors have been exploiting a zero-day authentication bypass flaw in VMware ESXi (ESXi Zero-Day).
This flaw allowed them to execute privileged commands on guest virtual machines (VMs) without the need for guest credentials.
Key Takeaways:
- A Chinese threat actor, UNC3886, exploited a zero-day authentication bypass flaw in VMware ESXi to execute privileged commands on guest VMs.
- The attack chain involved the deployment of backdoors, command routing, and file transfers, providing persistent access to ESXi hypervisors.
- UNC3886 utilized previously unseen techniques such as harvesting credentials and leveraging the VMCI socket for lateral movement and persistence.
Vulnerability Details and Severity Assessment of the ESXi Zero-Day
The zero-day vulnerability (CVE-2023-20867) resides in VMware Tools, a set of services and modules for enhanced management of guest operating systems.
Exploiting this flaw enabled the attackers to transfer files to and from Windows, Linux, and vCenter guest VMs using a compromised ESXi host.
VMware categorized the vulnerability as having medium severity, as the attacker must already possess root access over an ESXi host to exploit it.
UNC3886’s Sophisticated Attack Chain
Mandiant’s researchers discovered UNC3886’s usage of CVE-2023-20867 as part of a larger and more sophisticated attack chain.
In a previous report, UNC3886 was found to deploy backdoors called VirtualPITA and VirtualPIE on ESXi hypervisors using poisoned vSphere Installation Bundles (VIBs). These backdoors granted persistent administrative access to the hypervisor, enabling command routing between the hypervisor and guest VMs, as well as file transfers.
The actors also tampered with the hypervisor’s logging service and executed arbitrary commands among guest VMs.
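As an added detection example (not code from Mandiant or from this article), the following Python parses the table printed by `esxcli software vib list` and flags installed VIBs whose acceptance level is weaker than PartnerSupported or whose vendor is not on an operator-maintained allow list, the kind of inventory review that surfaces a poisoned VIB like those used to plant VirtualPITA and VirtualPIE. The sample table is constructed, and the column layout, threshold and vendor allow list are assumptions to be tailored per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `esxcli software vib list`
# (Name, Version, Vendor, Acceptance Level, Install Date); widths assumed.
SAMPLE_VIB_LIST = """\
Name            Version                Vendor  Acceptance Level    Install Date
--------------  ---------------------  ------  ------------------  ------------
esx-base        7.0.3-0.35.19193900    VMware  VMwareCertified     2022-05-01
net-ixgbe       1.7.1.16-1vmw.703.0.0  VMware  VMwareCertified     2022-05-01
lsu-hp-hpsa     2.0.0-1OEM.700.1.0     HPE     PartnerSupported    2022-05-01
vmtools-helper  1.0.0-1                VMware  CommunitySupported  2023-03-14
vmsyslog-patch  1.2-3                  Acme    CommunitySupported  2023-03-14
"""

# ESXi acceptance levels ranked strongest to weakest. Anything below
# MIN_ACCEPTABLE is reported, even when the vendor column claims "VMware".
ACCEPTANCE_RANK = {"VMwareCertified": 3, "VMwareAccepted": 2,
                   "PartnerSupported": 1, "CommunitySupported": 0}
MIN_ACCEPTABLE = "PartnerSupported"
# Assumed allow list: an operator fills this from their hardware/software inventory.
EXPECTED_VENDORS = {"VMware", "HPE"}


@dataclass
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the table, skipping the header and separator rows; columns split on 2+ spaces."""
    vibs = []
    for line in text.splitlines()[2:]:
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 5:
            vibs.append(Vib(*cols))
    return vibs


def find_suspicious(vibs: list[Vib]) -> list[tuple[str, str]]:
    """Return (VIB name, reason) for every VIB that fails a check."""
    findings = []
    for v in vibs:
        if ACCEPTANCE_RANK.get(v.acceptance, -1) < ACCEPTANCE_RANK[MIN_ACCEPTABLE]:
            findings.append((v.name, f"acceptance level {v.acceptance}"))
        if v.vendor not in EXPECTED_VENDORS:
            findings.append((v.name, f"unexpected vendor {v.vendor}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"REVIEW {name}: {reason}")
```

A clean host normally shows only VMwareCertified, VMwareAccepted and PartnerSupported entries, so any hit here warrants comparing the VIB against the vendor's published package before trusting the hypervisor.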
Previously Unseen Techniques Uncovered
Mandiant’s ongoing investigation uncovered new techniques employed by UNC3886.
The threat actor harvested credentials for connected ESXi service accounts from vCenter Server appliances and leveraged CVE-2023-20867 to execute privileged commands across guest VMs.
Additionally, they used backdoors, including VirtualPITA and VirtualGATE, through the Virtual Machine Communication Interface (VMCI) socket for lateral movement and persistence.
This approach allowed direct reconnection to the compromised ESXi host’s backdoor, irrespective of network segmentation or firewall rules.
Assessment of UNC3886’s Capabilities and Targets
Mandiant has assessed UNC3886 as a highly capable threat actor specializing in exploiting zero-day vulnerabilities in firewall and virtualization technologies that lack endpoint detection and response capabilities.
The primary targets of UNC3886 have been organizations in the US, Asia-Pacific region, and Japan. The group demonstrates adaptability and resourcefulness, as seen in the deployment of custom malware tools on Fortinet devices.
Their tactics, techniques, and procedures (TTPs) are dynamic and tailored to the specific needs of each attack, showcasing their determination and sophistication.
Conclusion to ESXi Zero-Day Threat
UNC3886’s exploitation of the ESXi zero-day vulnerability highlights the importance of promptly addressing security vulnerabilities and implementing robust endpoint detection and response mechanisms.
The group’s sophisticated attack chain and ability to adapt their TTPs demonstrate the need for organizations to remain vigilant and continuously enhance their cybersecurity defenses. Collaboration between security researchers, vendors, and organizations is crucial to mitigate