A Chinese threat group exploited a critical-severity remote code execution flaw in VMware’s centralized management utility, vCenter Server, for almost two years before patches were released.
VMware released fixes for the flaw (CVE-2023-34048) in October 2023, but at the time the company said it had not seen evidence of exploitation. On Wednesday, VMware updated its security advisory to confirm that exploitation had occurred in the wild, and then on Friday, researchers with Mandiant said that they found evidence of this exploitation activity going as far back as late 2021.
“As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends that VMware users update to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild,” according to Alexander Marvi, Shawn Chew and Punsaen Boonyakarn with Mandiant in a Friday analysis.
While scouring VMware service crash logs in late 2023, researchers observed that the “vmdird” service (the VMware Directory Service, vCenter’s LDAP-based directory component) on impacted vCenter systems was crashing minutes before backdoors were deployed.
“Analysis of the core dump of ‘vmdird’ by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems,” said the Mandiant researchers.
Mandiant researchers tied the attacks to UNC3886, a known, advanced Chinese espionage threat group that has previously exploited flaws in VMware ESXi hosts, vCenter servers and Windows virtual machines. The group is known for a number of tactics for evading detection and bypassing EDR solutions, including the use of zero-day flaws to execute privileged commands, deploying backdoors, harvesting and using credentials for vCenter Server service accounts, and tampering with or disabling logging services on impacted systems.
In some of the incidents associated with exploitation of CVE-2023-34048, the “vmdird” core dumps had been removed, even though the corresponding log entries were preserved and VMware’s default configuration keeps core dumps on the system indefinitely. Threat actors may have deliberately deleted these core dumps as an anti-forensic step to avoid detection, the researchers said.
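The two indicators in the passages above (a vmdird crash followed minutes later by a dropped file, and a crash whose core dump is absent even though the log entry survived) can be triaged mechanically. The script below is an added example, not code from the article or from Mandiant; it operates on a constructed syslog-style line format, a constructed audit record (“file created <path>”), an assumed core file naming scheme (core.vmdird.<pid>) and assumed paths. Real vCenter log and core dump layouts differ and should be checked on the appliance before adapting the regexes.

```python
import re
from datetime import datetime, timedelta

# Assumed syslog-style format (constructed for this example, not real vCenter output):
#   "<ISO8601 ts>Z <host> <program>[<pid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample log: one vmdird crash followed by a new shared object three
# minutes later, then a second crash with no follow-on activity.
SAMPLE_LOG = """\
2023-11-02T03:10:05Z vcsa01 vmdird[4412]: Server started
2023-11-02T03:12:41Z vcsa01 vmdird[4412]: Received signal 11 (SIGSEGV), core dumped
2023-11-02T03:12:43Z vcsa01 vmdird[4471]: Server started
2023-11-02T03:15:09Z vcsa01 auditd[900]: file created /tmp/.vmware/payload.so
2023-11-03T09:00:00Z vcsa01 vmdird[4471]: Received signal 11 (SIGSEGV), core dumped
2023-11-03T09:02:00Z vcsa01 vmdird[5010]: Server started
""".splitlines()

# Constructed listing of the core dump directory (assumed path): the dump for
# pid 4412 is missing even though its crash line is still in the log.
SAMPLE_CORES = ["/var/core/core.vmdird.4471"]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["pid"] = int(rec["pid"])
    return rec


def vmdird_crashes(records):
    """vmdird records whose message indicates a fatal signal (assumed wording)."""
    return [r for r in records
            if r["prog"] == "vmdird" and re.search(r"signal|core dumped", r["msg"], re.I)]


def file_drops(records):
    """(timestamp, path) for constructed 'file created <path>' audit records."""
    drops = []
    for r in records:
        m = re.match(r"file created (?P<path>\S+)", r["msg"])
        if m:
            drops.append((r["ts"], m.group("path")))
    return drops


def triage(lines, core_files, window=timedelta(minutes=10)):
    """Return findings as (kind, crash_timestamp, detail) tuples.

    kind is 'missing_core_dump' when no core file matches the crashed pid, or
    'file_after_crash' when a file was created within `window` after a crash.
    """
    records = [r for r in map(parse_line, lines) if r]
    crashes = vmdird_crashes(records)
    drops = file_drops(records)
    findings = []
    for c in crashes:
        expected = f"core.vmdird.{c['pid']}"  # assumed naming scheme
        if not any(f.endswith(expected) for f in core_files):
            findings.append(("missing_core_dump", c["ts"], expected))
        for ts, path in drops:
            if c["ts"] < ts <= c["ts"] + window:
                findings.append(("file_after_crash", c["ts"], path))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in triage(SAMPLE_LOG, SAMPLE_CORES):
        print(f"{ts.isoformat()}  {kind:18s} {detail}")
```

Run against the constructed data, the first crash produces both findings (its dump is gone and a file landed three minutes later) while the second crash, whose dump is present and which is followed by nothing, produces none. The missing-dump check is the more durable of the two signals: a crash line that outlives its core file contradicts the retain-indefinitely default and is worth explaining even when no dropped file is found.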
The researchers said they had observed the same kind of crashes in other incidents tied to UNC3886 between late 2021 and early 2022, suggesting that the attacker was already exploiting the flaw during that period.
“These findings stem from Mandiant’s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them,” said researchers. “UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities.”