Mandiant detected Chinese cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability impacting VMware ESXi hosts, vCenter servers, and Windows virtual machines (VMs). Since September 2022, UNC3886 has used malicious vSphere Installation Bundles (VIBs) to install backdoors on ESXi hypervisors. The group recently harvested information from vCenter Server about connected ESXi hosts, deployed additional backdoors, and tampered with logging on compromised systems.
The Chinese group used a new vulnerability (CVE-2023-20867) in VMware Tools to access and execute commands in Windows, Linux, and PhotonOS guest VMs. Mandiant observed UNC3886 deploying malicious VIBs to targets and then using CVE-2023-20867 to execute code and transfer information from ESXi targets to guest virtual machines. The exploitation bypassed authentication checks and left no trace, because the vulnerability does not create an authentication log entry. UNC3886 also harvested credentials from vCenter servers through the vPostgreSQL database. CVE-2023-20867 is rated "low severity" because exploitation requires root access to the ESXi host.
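Because the persistence described above rests on VIBs installed on the hypervisor, the first check a defender wants is whether each host's VIB inventory still matches an approved baseline. The script below is an added example written for this page, not Mandiant's or VMware's code. It parses text in the format of `esxcli software vib list` (the sample rows, the "ExampleCo" vendor, the version strings and the baseline are all constructed) and flags bundles that are absent from the baseline, differ from it in version or vendor, or sit below the acceptance level the administrator expects; the minimum-level policy is an assumption, not something the page states.

```python
"""Audit an ESXi VIB inventory against an approved baseline.

Added example for this page (not Mandiant's or VMware's tooling). The input
format mirrors `esxcli software vib list`; all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# VMware's four VIB acceptance levels, ranked from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}

# Constructed sample output. Fields are separated by two or more spaces, as
# esxcli prints them; the versions, ExampleCo and its VIBs are invented.
SAMPLE_VIB_LIST = """\
Name          Version               Vendor     Acceptance Level    Install Date
------------  --------------------  ---------  ------------------  ------------
esx-base      7.0.3-0.1.11111111    VMware     VMwareCertified     2023-01-10
esx-ui        1.43.0-11111111       VMware     VMwareCertified     2023-01-10
tools-light   12.0.5-1              VMware     VMwareCertified     2023-01-10
example-vib   1.0-1                 ExampleCo  PartnerSupported    2023-03-02
example-mgmt  1.0.0-3               ExampleCo  CommunitySupported  2023-03-02
"""

# Constructed approved baseline: name -> (expected version, expected vendor).
# tools-light is deliberately pinned to an older version to show drift detection.
BASELINE: Dict[str, Tuple[str, str]] = {
    "esx-base": ("7.0.3-0.1.11111111", "VMware"),
    "esx-ui": ("1.43.0-11111111", "VMware"),
    "tools-light": ("12.0.0-1", "VMware"),
    "example-vib": ("1.0-1", "ExampleCo"),
}


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    installed: str


def parse_vib_list(text: str) -> List[Vib]:
    """Turn `esxcli software vib list` output into Vib records."""
    vibs: List[Vib] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the column header and the dashed separator.
        if not line or line.startswith("Name") or line.startswith("-"):
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 5:
            raise ValueError(f"unexpected row: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def audit_vibs(vibs: List[Vib], baseline: Dict[str, Tuple[str, str]],
               min_level: str = "PartnerSupported") -> List[Tuple[str, str]]:
    """Return (vib name, reason) findings for every deviation from policy."""
    findings: List[Tuple[str, str]] = []
    min_rank = ACCEPTANCE_RANK[min_level]
    for v in vibs:
        if v.name not in baseline:
            findings.append((v.name, "not in approved baseline"))
        else:
            exp_version, exp_vendor = baseline[v.name]
            if v.vendor != exp_vendor:
                findings.append((v.name, f"vendor {v.vendor} != baseline {exp_vendor}"))
            if v.version != exp_version:
                findings.append((v.name, f"version {v.version} != baseline {exp_version}"))
        # Unknown acceptance strings rank as -1 and are flagged too.
        if ACCEPTANCE_RANK.get(v.acceptance, -1) < min_rank:
            findings.append((v.name, f"acceptance level {v.acceptance} below {min_level}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_vibs(parse_vib_list(SAMPLE_VIB_LIST), BASELINE):
        print(f"{name}: {reason}")
```

Run it against inventory collected from each host and feed the findings into triage rather than treating them as proof of compromise: a legitimately installed partner VIB will also show up until it is added to the baseline, and a backdoor that reuses an approved name and version would only be caught by comparing the VIB payload itself, which this check does not do.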