A known Chinese cyberespionage group that has shown an ability to exploit zero-days in a variety of technologies, and that is known for targeting defense and telecom companies, has recently been observed exploiting a new zero-day on VMware ESXi hosts to gain unauthenticated remote code execution.
The group is known as UNC3886 and Mandiant researchers have been tracking its activities for several months, including exposing the group’s usage of a custom malware framework to target VMware products. In recent operations, Mandiant observed the group using a complex attack chain against VMware products on Windows and Linux that includes exploitation of a new bug in VMware Tools (CVE-2023-20867) that VMware patched today.
“As investigations into UNC3886 activity continued in 2023, Mandiant discovered that the attacker utilized a zero-day vulnerability, CVE-2023-20867, to execute commands and transfer files to and from guest VMs from a compromised ESXi host without the need for guest credentials. Additionally, the use of CVE-2023-20867 does not generate an authentication log event on the guest VM when commands are executed from the ESXi host,” Mandiant said in a post detailing the attacks.
The operations that UNC3886 is running against its targets involve a number of discrete tactics and techniques, and the attackers are exploiting CVE-2023-20867 to execute guest operations on guest VMs from a compromised ESXi host. The group also is deploying custom backdoors on compromised targets.
“CVE-2023-20867 allowed the attacker to execute privileged Guest Operations on guest VMs from a compromised ESXi host without the need to authenticate with the guest VM by targeting the authentication check mechanism. Additionally, the exploit bypasses traditional logging actions performed on either the ESXi host or the guest VM,” Mandiant said.
“This exploit was able to perform successful unauthenticated Guest Operations on Windows, Linux, and PhotonOS (vCenter) guests. The attacker accomplished the exploit by running a Python script, which injects into the running /bin/vmx process, specifically targeting the userCredentialType that performs the authentication checks before executing a guest operation.”
There are some mitigating factors, though: most notably, the attacker must already have privileged access to the ESXi host for this exploit to work.
“Mandiant continues to observe UNC3886 leverage novel malware families and utilities that indicate the group has access to extensive research and support for understanding the underlying technology of appliances being targeted,” the researchers said.
“UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms. UNC3886 continues to present challenges to investigators by disabling and tampering with logging services, selectively removing log events related to their activity. The threat actors’ retroactive cleanup performed within days of past public disclosures on their activity indicates how vigilant they are,” Mandiant said.
The vulnerability that Mandiant discovered affects versions 12.x.x, 11.x.x, and 10.3.x of VMware Tools.