
Chinese cyberspies exploited critical VMware vCenter flaw undetected for 1.5 years

In October, VMware fixed a critical remote code execution vulnerability in its vCenter Server (CVE-2023-34048) and Cloud Foundation enterprise products, which are used to manage virtual machines across hybrid clouds. It has now come to light that a Chinese cyberespionage group had been exploiting the vulnerability for 1.5 years before the patch became available.

“These findings stem from Mandiant’s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them,” researchers from security firm Mandiant said in a report late last week. “UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities.”

Suspicious VMware log entries date back to 2021

In June 2023, Mandiant documented how the Chinese group it tracks as UNC3886 exploited a zero-day authentication bypass vulnerability in VMware Tools (CVE-2023-20867) to deploy backdoors inside guest VMs from compromised ESXi hosts. The attack flow described by Mandiant started with the hackers first gaining access to vCenter servers and then using known techniques to extract cleartext credentials for the vpxuser account for all ESXi hosts connected to the server. This allowed them to access those hosts and exploit CVE-2023-20867 to deploy malware.


However, the password for vpxuser — an account created automatically on ESXi hosts when they are connected to a vCenter server — is encrypted by default. On a fully patched vCenter system, cracking the passwords requires root access. So, how did the attackers gain root access to vCenter servers in the first place? By exploiting the CVE-2023-34048 vulnerability that was later patched in October 2023.

Mandiant’s forensic analysts found a commonality on compromised vCenter systems: the crash logs located in /var/log/vMonCoredumper.log showed the “vmdird” service crashing minutes before the attackers deployed their malware. After sharing this observation with VMware’s product security team, together with memory core dumps of the crashed vmdird process, the conclusion was reached that the crashes are closely aligned with the behavior observed during CVE-2023-34048 exploitation.
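The triage pattern described above, vmdird core dumps followed minutes later by new files on the appliance, can be turned into a simple correlation check. This is an added example, not code from Mandiant or VMware; the vMonCoredumper.log line format, the file-timeline entries and the 15-minute window are all constructed assumptions, since the page does not show the real log syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. The real vMonCoredumper.log format is not shown on the
# page, so this line layout is an assumption used only for the demonstration.
SAMPLE_COREDUMPER_LOG = """\
2022-03-14T09:12:01Z vMonCoredumper: service 'vmafdd' core dump requested
2022-03-14T09:15:42Z vMonCoredumper: service 'vmdird' core dump requested
2022-03-14T09:15:43Z vMonCoredumper: core file written for 'vmdird'
2022-06-02T22:40:10Z vMonCoredumper: service 'vmdird' core dump requested
"""

# Constructed (timestamp, path) pairs for files created on the same appliance,
# as a file-system timeline built during triage would provide them.
SAMPLE_NEW_FILES = [
    ("2022-03-14T09:21:05Z", "/tmp/.x/launcher"),
    ("2022-04-01T12:00:00Z", "/var/log/vmware/rotated.log.1"),
    ("2022-06-02T22:43:50Z", "/usr/lib/vmware/.cache/vmtd"),
]

# Matches only the "core dump requested" lines and captures timestamp and service.
LINE_RE = re.compile(r"^(\S+Z) vMonCoredumper: service '([^']+)' core dump requested")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def vmdird_crashes(log_text):
    """Return the timestamps of vmdird core dumps found in the log text."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "vmdird":
            crashes.append(parse_ts(m.group(1)))
    return crashes


def correlate(crashes, new_files, window_minutes=15):
    """Pair each vmdird crash with files that appeared within the window after it."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for crash in crashes:
        for ts, path in new_files:
            created = parse_ts(ts)
            if crash <= created <= crash + window:
                hits.append((crash.isoformat(), path))
    return hits


if __name__ == "__main__":
    for crash, path in correlate(vmdird_crashes(SAMPLE_COREDUMPER_LOG), SAMPLE_NEW_FILES):
        print(f"vmdird crashed at {crash}; new file {path} shortly after -> investigate")
```

A crash of vmdird on its own is not proof of exploitation, so the pairing is a lead for the analyst rather than a verdict.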

The CVE-2023-34048 flaw is an out-of-bounds write in the implementation of the DCERPC protocol that leads to a crash and arbitrary code execution. The flaw can be exploited remotely over the network.
