Headline
Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs
Mandiant’s ongoing investigation of UNC3886 has uncovered new details of threat actors’ TTPs.
A Chinese cyber-espionage group that researchers previously have spotted targeting VMware ESXi hosts has quietly been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs).
Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been following for some time and whom they reported on last year. They disclosed the vulnerability to VMware, which released a patch addressing the flaw on Tuesday.
Authentication Bypass Zero-Day
The zero-day vulnerability (CVE-2023-208670) is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.
The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity happening. VMware assessed the flaw as being of medium severity because to exploit it an attacker already needs to have root access over an ESXi host.
Mandiant found UNC3886 using CVE-2023-208670 as part of a larger and sophisticated attack chain that its researchers have been unraveling over the past several months.
In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors — collectively dubbed VirtualPITA and VirtualPIE — on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and for transferring files between the hypervisor and guest machines. The malware bundle also allowed UNC3886 actor to tamper with the hypervisor’s logging service and to execute arbitrary commend between guest VMs on the same hypervisor.
Mandiant’s analysis at the time showed the threat actor required admin-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors leveraging any zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.
New Details on Threat Actor’s Tactics and Methods
The security vendor’s continuing investigation of UNC3886’s campaign — summarized in a technical report this week — uncovered new details on the threat actor’s tactics and methods. They found, for instance, the threat actor harvesting credentials for connected ESXi service accounts from vCenter Server appliance and exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines. Mandiant’s research also showed UNC3886 actors deploying backdoors — including VirtualPITA and another called VirtualGATE — using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. “This … enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place,” Mandiant said.
Mandiant’s report this week goes into the technical details on the entire attack chain beginning with the threat actor gaining privileged access to an organization’s vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs and then exploiting CVE-2023-208670 to execute commands for transferring files to and from guess VMs.
The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.
“To enable connections to many ESXi hosts at once, UNC3886 targeted vCenter servers, each [of which] administrate multiple ESXi hosts,” says Alex Marvi, a consultant at Google Cloud’s Mandiant. “Each ESXi host creates a service account called the ‘vpxuser’ when it is initially connected to a vCenter server. UNC3886 was seen harvesting this vpxuser account on vCenter servers so they could connect with administrative rights to all connected ESXi hosts.” Once connected to the ESXi hosts, the threat actor leveraged CVE-2023-20867 to run commands and transfer files on running guest machines without the need for the guest’s credentials, he says.
Previously Unseen Techniques
The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two new techniques that Mandiant has not seen utilized by other attackers in the past, Marvi says. “This should help organizations detect and respond to this attack path, regardless of the exact malware being deployed or commands being used.”
Mandiant has assessed UNC3886 as a threat actor that is particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. Its primary targets have been in the US and on organizations in the Asia-Pacific region and Japan. According to Marvi, UNC3886 has demonstrated the ability to switch up attacker paths and tactics when needed. He points to a novel set of malware tools the threat actor deployed on Fortinet devices as evidence of its abilities and access to resources needed to carry out highly sophisticated attacks.
“UNC3886 has shown itself to be a flexible, yet highly capable threat actor, which will modify open source projects to complete their mission,” he says. “I would argue that this group’s TTPs are more dynamic than unique, built around the exact needs to either regain access or persist in an environment with whatever they are given access to.”
Related news
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further
IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138
Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information.
Debian Linux Security Advisory 5943-1 - Two security issues have been discovered in the Open VMware Tools, which may result in a man-in-the-middle attack or authentication bypass.
Ubuntu Security Notice 6257-1 - It was discovered that Open VM Tools incorrectly handled certain authentication requests. A fully compromised ESXi host can force Open VM Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
Red Hat Security Advisory 2023-3947-01 - The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-3950-01 - The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-3948-01 - The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-3946-01 - The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Issues addressed include a bypass vulnerability.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This ma...
An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20867: A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to comprom...
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.