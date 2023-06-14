A Chinese cyber-espionage group that researchers previously spotted targeting VMware ESXi hosts has quietly exploited a zero-day authentication bypass flaw in virtualization technology to execute privileged commands on guest virtual machines (VMs).

Mandiant researchers discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have tracked for some time and reported on last year. They disclosed the vulnerability to VMware, which released a patch on Tuesday fixing the flaw.

Zero-Day Authentication Bypass

The zero-day vulnerability (CVE-2023-20867) is present in VMware Tools, a set of services and modules for better management of guest operating systems.

The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest VMs without requiring guest credentials and without any default logging of the file transfer activity. VMware rated the flaw as medium severity because, to exploit it, an attacker must already have root access on an ESXi host.

Mandiant found UNC3886 using CVE-2023-20867 as part of a larger and more sophisticated attack chain that its researchers have unraveled over the past few months.

In September 2022, Mandiant reported discovering UNC3886 using poisoned vSphere installation bundles, or VIBs, to install several backdoors collectively known as VirtualPITA and VirtualPIE on ESXi hypervisors. The backdoors allowed attackers to maintain persistent administrative access to the hypervisor, route commands through the hypervisor for execution on guest virtual machines, and transfer files between the hypervisor and guest machines. The malware set also allowed the UNC3886 actor to tamper with the hypervisor’s logging service and run arbitrary commands between guest VMs on the same hypervisor.

According to Mandiant’s analysis at the time, the threat actor needed administrator-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors exploiting a zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.

New Details on Threat Actor Tactics and Methods

The security vendor’s continuing investigation of the UNC3886 campaign, summarized in a technical report this week, uncovered new details about the threat actor’s tactics and methods. Its researchers discovered, for example, that the threat actor was harvesting credentials of connected ESXi service accounts from the vCenter Server appliance and exploiting CVE-2023-20867 to run privileged commands on guest virtual machines. Mandiant’s research has also shown UNC3886 actors deploying backdoors, including VirtualPITA and another called VirtualGATE, that use the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. “This enabled direct reconnection from any guest VM to the backdoor on compromised ESXi hosts, regardless of network segmentation or firewall rules in place,” Mandiant said.

Mandiant’s report this week goes into the technical details of the entire attack chain, starting with the threat actor gaining privileged access to an organization’s vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs, and then exploit CVE-2023-20867 to run privileged commands and transfer files to and from guest virtual machines.

The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.

“To enable connections to multiple ESXi hosts at once, UNC3886 targeted vCenter servers, each [of which] manages multiple ESXi hosts,” says Alex Marvi, a Mandiant consultant at Google Cloud. “Each ESXi host creates a service account called ‘vpxuser’ when initially connected to a vCenter Server. UNC3886 has been seen harvesting this vpxuser account from vCenter servers so that they can connect with administrative rights to all connected ESXi hosts.” Once connected to ESXi hosts, the threat actor exploited CVE-2023-20867 to run commands and transfer files to running guest machines without requiring guest credentials, he says.

New techniques

Harvesting ESXi service account credentials from vCenter servers and the VMCI socket backdoor capability are two new techniques that Mandiant has not seen used by other attackers in the past, says Marvi. “This should help organizations detect and respond to this attack path, regardless of the malware deployed or the commands used.”
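The vpxuser account described above exists so that a vCenter Server can manage its ESXi hosts; a vpxuser login to an ESXi host that originates from anywhere other than the host’s own vCenter Server is therefore a useful detection signal for the credential-harvesting step Marvi describes. The following is an added example (not code from Mandiant, VMware, or the article) that parses constructed hostd-style login event lines and flags vpxuser logins from unexpected sources. The log line format is an approximation of ESXi hostd login events, the addresses are invented, and the assumption that legitimate vpxuser sessions only come from a known vCenter address (and present a vCenter-style client agent) is stated in the comments.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample lines approximating ESXi hostd "logged in" events.
# These are NOT real logs; the addresses and timestamps are invented.
SAMPLE_HOSTD_LINES = [
    "2023-06-01T10:00:01Z hostd: Event 12 : User vpxuser@10.0.0.5 logged in as VMware vim-java 1.0",
    "2023-06-01T10:05:44Z hostd: Event 13 : User root@10.0.0.9 logged in as pyvmomi Python/3.9",
    "2023-06-01T11:17:03Z hostd: Event 14 : User vpxuser@10.0.0.77 logged in as pyvmomi Python/3.9",
    "2023-06-01T11:17:09Z hostd: Event 15 : User vpxuser@10.0.0.5 logged in as VMware vim-java 1.0",
    "2023-06-01T11:20:30Z hostd: Event 16 : User vpxuser@10.0.0.5 logged in as pyvmomi Python/3.9",
]

# Assumption: the only vCenter Server that legitimately manages this host.
KNOWN_VCENTER_IPS: Set[str] = {"10.0.0.5"}

# Assumption: vCenter's own API client identifies itself with this agent prefix;
# a vpxuser session from a different client is a weaker, secondary signal.
VCENTER_AGENT_PREFIX = "VMware vim-java"

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+hostd:.*?User (?P<user>[^@\s]+)@(?P<ip>[\d.]+) logged in as (?P<agent>.+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    ip: str
    agent: str


@dataclass(frozen=True)
class Finding:
    event: LoginEvent
    reason: str


def parse_logins(lines: Iterable[str]) -> List[LoginEvent]:
    """Extract login events from hostd-style lines; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["user"], m["ip"], m["agent"].strip()))
    return events


def flag_vpxuser_logins(lines: Iterable[str], known_vcenter_ips: Set[str]) -> List[Finding]:
    """Return vpxuser logins that do not look like the managing vCenter Server.

    Primary signal: source address is not a known vCenter address.
    Secondary signal: source address is known, but the client agent is not
    vCenter's usual agent string (assumption; see VCENTER_AGENT_PREFIX).
    """
    findings = []
    for ev in parse_logins(lines):
        if ev.user != "vpxuser":
            continue
        if ev.ip not in known_vcenter_ips:
            findings.append(Finding(ev, "vpxuser login from non-vCenter address"))
        elif not ev.agent.startswith(VCENTER_AGENT_PREFIX):
            findings.append(Finding(ev, "vpxuser login from vCenter address with unexpected client agent"))
    return findings


if __name__ == "__main__":
    for f in flag_vpxuser_logins(SAMPLE_HOSTD_LINES, KNOWN_VCENTER_IPS):
        print(f"{f.event.ts} {f.event.user}@{f.event.ip} ({f.event.agent}): {f.reason}")
```

On the constructed sample, the login from 10.0.0.77 is flagged on the address check and the pyvmomi session from 10.0.0.5 on the agent check, while the two vim-java sessions from the known vCenter address pass. In a real deployment the known-vCenter set should be populated from inventory rather than hard-coded, and the agent heuristic should be validated against a baseline of the environment’s own hostd logs before it is used for alerting.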

Mandiant has rated UNC3886 as a threat actor particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response tools. Its main targets have been organizations in the United States, the Asia-Pacific region, and Japan. According to Marvi, UNC3886 has demonstrated the ability to adapt its attack paths and tactics when needed. He points to a new set of malicious tools that the threat actor has deployed on Fortinet devices as proof of its capabilities and of its access to the resources needed to carry out highly sophisticated attacks.

“UNC3886 has proven to be a flexible, yet highly capable threat actor that will modify open source projects to achieve their mission,” he said. “I would say that the TTPs in this group are more dynamic than unique, built around the exact needs of regaining access or persisting in an environment with whatever they have access to.”