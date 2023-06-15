The Chinese hacker group known as UNC3886 was found to be exploiting a zero-day vulnerability in VMware ESXi hosts to insert backdoors into Windows and Linux systems.

It should be noted immediately that Windows now ships the Windows Subsystem for Linux, so the two systems are intrinsically linked to each other.

How was this VMware vulnerability exploited?

The vulnerability, a VMware Tools authentication bypass tracked as CVE-2023-20867 (CVSS score: 3.9), “allowed the execution of privileged commands across Windows, Linux and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and without default logging on the guest VMs,” Mandiant said.

UNC3886 was first documented by the Google-owned threat intelligence company in September 2022 as a cyber-espionage actor infecting VMware ESXi and vCenter servers with backdoors called VIRTUALPITA and VIRTUALPIE.

In early March, the group was linked to the exploitation of a now-patched, medium-severity security flaw in Fortinet's FortiOS operating system to deploy implants on network devices and interact with the aforementioned malware.

The perpetrators of this attack have been described as a “highly skilled” collective targeting defense, technology and telecommunications organizations in the United States, Japan and the Asia-Pacific region.

“The group has access to extensive research and support for understanding the underlying technology of the targeted devices,” Mandiant researchers said, highlighting its pattern of exploiting vulnerabilities in firewall and virtualization software that do not support EDR solutions.

As part of its efforts to exploit ESXi systems, the hacker group has been observed, among other things, harvesting credentials from vCenter servers and abusing CVE-2023-20867 to execute commands and transfer files to and from VM guests from a compromised ESXi host.

A notable aspect of UNC3886’s operational strategy is the use of the Virtual Machine Communication Interface (VMCI) for lateral movement and continued persistence, allowing a covert channel to be established between the ESXi host and its VM guests.

“This open communication channel between guest and host, where both roles can act as client or server, has enabled a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor has been deployed and the attacker gains initial access to any guest machine,” the company said.

The development comes as Summoning Team researcher Sina Kheirkhah disclosed three different vulnerabilities in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888 and CVE-2023-20889) that could lead to remote code execution.

“UNC3886 continues to present challenges to investigators by disabling and manipulating logging services, selectively removing logging events related to their activity,” Mandiant added. “The threat actor's retroactive cleanup, performed in the days following public disclosures about their activities, indicates how vigilant they are.”
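The quote above describes an actor that selectively deletes log events on the host it controls. The defensive answer is to forward ESXi logs to a remote syslog collector the host cannot edit, so that local deletions become visible as a difference between the two copies. The Python below is an added example, not code from the article or from Mandiant: it diffs a constructed local copy of a host log against the constructed copy a remote collector received, lists the entries that vanished locally, and flags unusually long silences. The host name, VM identifier, IP address, timestamps and message text are all constructed placeholders, not real ESXi log output.

```python
"""Detect local log tampering by diffing a host's own log copy against the
remote syslog copy, and flag unusually long silences.

Example code, not from the article or from Mandiant; every log line below is a
constructed placeholder rather than real ESXi output."""
from datetime import datetime, timedelta

# Constructed sample: what the remote syslog collector received from the host.
REMOTE_LOG = """\
2023-06-01T10:00:01Z esxi-example hostd: [constructed] session opened for user root from 10.0.0.5
2023-06-01T10:00:07Z esxi-example hostd: [constructed] guest operation requested for vm-101
2023-06-01T10:00:09Z esxi-example vmkernel: [constructed] vmci: channel opened for vm-101
2023-06-01T10:00:20Z esxi-example hostd: [constructed] file transfer to vm-101 completed
2023-06-01T10:05:00Z esxi-example hostd: [constructed] scheduled task completed
"""

# Constructed sample: the same log as it now exists on the host, after the
# three vm-101 entries were selectively removed.
LOCAL_LOG = """\
2023-06-01T10:00:01Z esxi-example hostd: [constructed] session opened for user root from 10.0.0.5
2023-06-01T10:05:00Z esxi-example hostd: [constructed] scheduled task completed
"""


def parse_log(text):
    """Parse '<ISO-8601 timestamp> <host> <process>: <message>' lines into (datetime, raw line)."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts_str, _, _ = raw.partition(" ")
        entries.append((datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), raw))
    return entries


def missing_locally(remote_text, local_text):
    """Entries the collector received that no longer exist in the host's own copy.

    Output follows the remote stream's order, so it reads as a timeline of
    what was removed."""
    local_lines = {raw for _, raw in parse_log(local_text)}
    return [raw for _, raw in parse_log(remote_text) if raw not in local_lines]


def silent_gaps(local_text, max_gap=timedelta(minutes=2)):
    """Pairs of consecutive local entries separated by more than max_gap.

    A gap by itself is a weak signal (a quiet host is normal); it matters when
    it coincides with entries that are missing locally."""
    entries = parse_log(local_text)
    return [(t0, t1) for (t0, _), (t1, _) in zip(entries, entries[1:]) if t1 - t0 > max_gap]


def tamper_report(remote_text, local_text, max_gap=timedelta(minutes=2)):
    """Combine both checks into one verdict for the host."""
    removed = missing_locally(remote_text, local_text)
    gaps = silent_gaps(local_text, max_gap)
    return {"removed": removed, "gaps": gaps, "tampered": bool(removed)}


if __name__ == "__main__":
    report = tamper_report(REMOTE_LOG, LOCAL_LOG)
    print(f"tampered: {report['tampered']}")
    for line in report["removed"]:
        print("  removed locally:", line)
    for t0, t1 in report["gaps"]:
        print(f"  silence {t0:%H:%M:%S} -> {t1:%H:%M:%S}")
```

Run on the samples, the report marks the host as tampered, names the three vm-101 entries that exist only on the collector, and shows one silence between 10:00:01 and 10:05:00. In a real deployment the remote copy comes from the collector that ESXi forwards to (the host's syslog forwarding target is set with the advanced setting Syslog.global.logHost), and the comparison only has value if the collector is not reachable with the same credentials as the host.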

