China-linked APT UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021, according to Mandiant researchers.
The company updated its advisory on January 18, 2023, revealing that it is aware of exploitation “in the wild.”
In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.
The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.
Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.
The cyberespionage group was observed harvesting service-account credentials for all connected ESXi hosts from the embedded vPostgreSQL database built into the vCenter Server Appliance.
The CVE-2023-20867 flaw is exclusively exploitable by an attacker with root access to the ESXi server.
The attackers then deployed backdoors on the ESXi hosts, using an alternative socket address family, VMCI, for lateral movement and persistence.
In recent attacks, Chinese hackers were also spotted modifying and disabling logging services on compromised systems.
Mandiant observed that the VMware vmdird service crashed minutes before the backdoors were deployed.
The researchers also noticed that in most environments where these crashes were observed, the log entries were preserved but the vmdird core dumps had been removed.
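A defender can turn the artifact described above (a logged vmdird crash whose core dump is no longer on disk) into a simple hunting check. The following is an added example, not code from Mandiant or VMware; the log line format, the core-file names and the two-minute tolerance are constructed assumptions for illustration.

```python
"""Flag vmdird crashes recorded in the logs that have no matching core dump.

The log format and core-file names below are constructed assumptions,
not VMware's actual formats; adapt the regex and listing to the real appliance.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log (assumed format: ISO timestamp, service name, message).
SAMPLE_LOG = """\
2023-06-05T10:01:12Z vmon: vmdird started
2023-06-05T10:44:30Z vmon: service vmdird exited with signal 11, core dumped
2023-06-05T10:44:31Z vmon: restarting service vmdird
2023-06-05T11:20:05Z vmon: service vmdird exited with signal 11, core dumped
2023-06-05T11:20:06Z vmon: restarting service vmdird
"""

# Constructed core-file listing (name -> mtime). Only the first crash left a dump;
# the second crash's dump is absent, which is the pattern reported above.
SAMPLE_CORES = {
    "core.vmdird.1001": datetime(2023, 6, 5, 10, 44, 30),
}

CRASH_RE = re.compile(
    r"^(?P<ts>\S+) vmon: service vmdird exited with signal (?P<sig>\d+), core dumped$"
)


def parse_crashes(log_text):
    """Return the timestamps of every logged vmdird crash, in log order."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            crashes.append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return crashes


def crashes_missing_core(log_text, cores, tolerance=timedelta(minutes=2)):
    """Return crash timestamps with no core file written within `tolerance`.

    A crash that the log says dumped core, but for which no dump exists,
    is worth investigating as possible log/artifact tampering.
    """
    missing = []
    for ts in parse_crashes(log_text):
        if not any(abs(mtime - ts) <= tolerance for mtime in cores.values()):
            missing.append(ts)
    return missing


if __name__ == "__main__":
    for ts in crashes_missing_core(SAMPLE_LOG, SAMPLE_CORES):
        print(f"vmdird crash at {ts.isoformat()} has no core dump on disk")
```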