Researchers have spotted an espionage campaign by the Chinese threat actor UNC3886 targeting VMware ESXi hosts. The group has quietly been exploiting a zero-day authentication bypass flaw in the virtualization stack to execute privileged commands on guest virtual machines.
The zero-day vulnerability, tracked as CVE-2023-20867, is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.
The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without guest credentials, and without any default logging of the activity. VMware assessed the flaw as low severity (CVSSv3 base score 3.9) because an attacker must already hold root access on the ESXi host to exploit it; the practical impact is that root on one host now extends, silently, to every guest that host runs.
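Because exploitation leaves no default log trail, the actionable check on the guest side is patch status: every guest running a VMware Tools or open-vm-tools build older than the fixed release should be treated as exposed if its host is compromised. The following is an added example, not code from the article or from Mandiant or VMware, that parses `vmtoolsd -v` style banners collected from a fleet and lists the guests still needing an update. It assumes 12.2.5 is the fixed version published in VMSA-2023-0013 (verify against the advisory before relying on it), and the inventory, hostnames and build numbers are constructed sample data.

```python
import re

# Assumption for this example: VMSA-2023-0013 lists 12.2.5 as the fixed
# VMware Tools / open-vm-tools release for CVE-2023-20867. Verify before use.
FIXED_VERSION = (12, 2, 5)

# Matches "12.1.5.20735119" or "12.2.5" in either vendor banner format.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_tools_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a VMware Tools or open-vm-tools banner.

    Accepts output such as
      'VMware Tools daemon, version 12.1.5.20735119 (build-20735119)'
      'open-vm-tools 12.2.5.40976 (build-21855600)'
    The trailing build component is ignored for the comparison.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no version string found in banner: {banner!r}")
    return tuple(int(part) for part in match.groups()[:3])


def is_vulnerable(banner: str) -> bool:
    """True when the guest's Tools build predates the fixed release."""
    return parse_tools_version(banner) < FIXED_VERSION


def triage(inventory: dict) -> list:
    """Given {guest_name: banner}, return the sorted names still unpatched."""
    return sorted(name for name, banner in inventory.items() if is_vulnerable(banner))


# Constructed sample inventory: fictitious guests and build numbers, used only
# to exercise the check offline.
SAMPLE_INVENTORY = {
    "win-fileserver-01": "VMware Tools daemon, version 12.1.5.20735119 (build-20735119)",
    "lnx-build-07": "open-vm-tools 12.2.5.40976 (build-21855600)",
    "win-dc-02": "VMware Tools daemon, version 11.3.5.18557794 (build-18557794)",
    "lnx-app-03": "VMware Tools daemon, version 12.3.0.22234872 (build-22234872)",
}


if __name__ == "__main__":
    for guest in triage(SAMPLE_INVENTORY):
        print(f"{guest}: {SAMPLE_INVENTORY[guest]} -> update VMware Tools")
```

A version check only tells you which guests are exposed; it says nothing about whether the ESXi host has already been compromised, which is the precondition for this bug. Pair it with host-side review of the ESXi and vCenter service accounts described below, since a patched guest is still reachable by an attacker who holds root on the host through other means.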
The investigation uncovered new details on the threat actor's tactics and methods. Researchers found, for instance, the actor harvesting credentials for connected ESXi service accounts from the vCenter Server appliance and then exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines.
Researchers also found the threat actors deploying backdoors, including VirtualPITA and another called VirtualGATE, that use the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence.
The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two techniques not previously seen used by other attackers.
The threat actor targeted ESXi hosts belonging to defense, technology, and telecommunications companies.
This research was documented by researchers from Mandiant.
Indicators of Compromise