
Rampant Cyber Espionage: Chinese Hackers Target Guest VMs through ESXi Zero-Day Exploit


Chinese Hackers Exploit Zero-Day Flaw in VMware ESXi Technology

A Chinese cyber-espionage group tracked as UNC3886, which had previously been observed targeting VMware ESXi hosts, has been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs). The vulnerability was discovered by researchers from Mandiant while they were investigating UNC3886, a Chinese threat actor they have been following. In September 2022, Mandiant reported finding UNC3886 using poisoned vSphere Installation Bundles (VIBs) to install backdoors on ESXi hypervisors. The backdoors enabled the attackers to transfer files and access guest VMs. UNC3886 was using the zero-day vulnerability (CVE-2023-208670) as part of a sophisticated attack chain.

The Zero-Day Vulnerability in VMware Tools

The zero-day vulnerability exists in VMware Tools, a set of services and modules used for enhanced management of guest operating systems. The flaw allows attackers to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest VMs without needing guest credentials. Exploitation of the bug generates no logging by default, so the activity leaves no record in the guest unless additional logging has been configured.

VMware assessed the flaw as medium severity because, to exploit it, attackers would already need root access on an ESXi host. Mandiant discovered UNC3886 using the zero-day vulnerability to execute privileged commands across guest VMs. According to Mandiant, UNC3886 deployed backdoors, including VirtualPITA and VirtualGATE, using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. UNC3886 targeted ESXi hosts belonging to defense, technology, and telecommunications companies in the US, Japan, and the wider Asia-Pacific region.

UNC3886’s Attack Methodology

UNC3886 was targeting vCenter servers, which administer multiple ESXi hosts; each ESXi host creates a service account called “vpxuser” when it is first connected to a vCenter server. UNC3886 harvested these accounts on vCenter servers to connect with administrative rights to all connected ESXi hosts. After obtaining privileged access to the organization’s vCenter server and retrieving the service account credentials, UNC3886 connected to the ESXi hosts, deployed backdoors using VIBs, and exploited the zero-day vulnerability to execute commands that transferred files to and from guest VMs without requiring the guests’ credentials.

Finding a New Threat Actor Technique

Mandiant found new UNC3886 techniques, such as harvesting the credentials of connected ESXi service accounts on vCenter servers, that have not been seen with other attackers. It also discovered that the VMCI socket backdoor was used to enable direct reconnection from any guest VM to the compromised ESXi host’s backdoor, regardless of the network segmentation or firewall rules in place. Mandiant advises organizations to focus on detecting and responding to this attack path, regardless of the exact malware deployed or commands used.

Expert Opinion

Mandiant has assessed UNC3886 as a particularly adept threat actor that exploits zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. UNC3886 has shown itself to be a flexible, yet sophisticated, threat actor, which modifies open-source projects to complete its mission.

Conclusion

As the frequency and sophistication of cyberattacks continue to increase, it is essential to keep software updated with the latest patches, protect systems with endpoint detection and response technologies, and train personnel to recognize the signs of phishing and social engineering. Cybersecurity has become a top priority for everyone, and it is up to individuals and organizations to stay vigilant and keep cybersecurity standards high.
