Chinese hackers quietly exploited a VMware zero-day for two years


Chinese state-sponsored hackers known as UNC3886 have been abusing a zero-day vulnerability in VMware and Fortinet devices for years, experts have revealed.

A report from Mandiant claims the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data.

The flaw in question is tracked as CVE-2023-34048. It carries a severity score of 9.8/10 (critical) and is described as an out-of-bounds write that allows an attacker with access to vCenter Server to execute code remotely. The patch was released in late October 2023.

Regular VMware customers

"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Mandiant explained in the report. Exploiting CVE-2023-34048 let UNC3886 enumerate every ESXi host and guest virtual machine managed by a vulnerable vCenter Server, and then pull the cleartext “vpxuser” credentials for those hosts. The next step was to install the VIRTUALPITA and VIRTUALPIE malware, which gave the group direct access to the compromised endpoints.

From there, the attackers abused a separate flaw, CVE-2023-20867 (severity score 3.9), to run arbitrary commands on the devices and pull sensitive information from them.
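The credential step described above gives defenders something concrete to look for: the “vpxuser” account is the service account vCenter Server uses to manage each ESXi host, so a vpxuser login that does not originate from the vCenter address is worth investigating. The script below is an added example, not code from Mandiant or VMware; it assumes the `User <name>@<ip> logged in` wording of ESXi hostd login events, and the log lines it scans are constructed for the example.

```python
"""Flag vpxuser logins on an ESXi host that did not come from the known
vCenter Server address(es).

Added example; not from the article, Mandiant or VMware. Assumes hostd login
events contain the text "User <name>@<ip> logged in". Sample log lines are
constructed for this example.
"""
import re
from typing import Dict, List, Set

# Assumed shape of the hostd login event; captures the account and source IP.
LOGIN_RE = re.compile(r"User (?P<user>[\w\-.]+)@(?P<src>[\d.]+) logged in")

# Constructed sample: 10.10.1.5 is the legitimate vCenter, 10.10.9.14 is not.
SAMPLE_HOSTD_LOG = """\
2023-10-20T10:00:01.000Z info hostd[2098763] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 401 : User vpxuser@10.10.1.5 logged in as VMware-client/7.0.3
2023-10-20T10:05:13.000Z info hostd[2098763] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 402 : User root@10.10.9.14 logged in as VMware-client/7.0.3
2023-10-20T10:07:48.000Z info hostd[2098763] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 403 : User vpxuser@10.10.9.14 logged in as VMware-client/7.0.3
2023-10-20T10:09:02.000Z info hostd[2098763] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 404 : User vpxuser@10.10.1.5 logged in as VMware-client/7.0.3
"""


def find_unexpected_vpxuser_logins(log_text: str, vcenter_addrs: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per vpxuser login whose source IP is not a known vCenter address."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match or match.group("user") != "vpxuser":
            continue  # not a login event, or a human/service account we are not auditing here
        src = match.group("src")
        if src not in vcenter_addrs:
            findings.append({
                "timestamp": line.split(" ", 1)[0],
                "src": src,
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_vpxuser_logins(SAMPLE_HOSTD_LOG, {"10.10.1.5"}):
        print(f"{hit['timestamp']} vpxuser login from unexpected source {hit['src']}")
```

Feed the function the host's hostd log (pulled from each ESXi host or from a syslog collector) and the set of vCenter Server IP addresses that are allowed to manage it; any hit is a starting point for triage, not proof of compromise on its own, since a misconfigured secondary vCenter or a migration would also show up.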

VMware urges vCenter Server users to apply the latest patch immediately.

The last time we heard of UNC3886 was in September 2022, when researchers spotted the group compromising VMware’s ESXi hypervisors to gain access to virtual machines and spy on businesses in the West. Back then, the group was observed installing two malicious programs, the same ones used in this attack, on bare-metal hypervisors by way of vSphere Installation Bundles (VIBs). Researchers also discovered a unique malware dropper dubbed VirtualGate.

Unlike this attack, which relied on a zero-day, the earlier incident saw the group simply use admin-level access to the ESXi hypervisors to install its tools.
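Because both incidents delivered the tooling as vSphere Installation Bundles, an inventory of the VIBs on each host is a natural check. The script below is an added example, not from the article or VMware: it parses the table that `esxcli software vib list` prints (Name, Version, Vendor, Acceptance Level, Install Date; the sample output here is constructed) and flags any VIB whose acceptance level is below the host's configured minimum or whose vendor is not on a trusted list. A VIB sitting below the host's acceptance level is notable precisely because it should not have installed without that check being overridden.

```python
"""Audit the VIB inventory of an ESXi host for bundles that fall below the
host's acceptance level or come from an untrusted vendor.

Added example; not from the article or VMware. Assumes the column layout of
`esxcli software vib list` (fields separated by two or more spaces; newer
releases may append a Platforms column). Sample output is constructed.
"""
import re
from typing import Dict, List, Sequence

# ESXi acceptance levels from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}

# Constructed sample output; versions and the "net-helper" bundle are made up.
SAMPLE_VIB_LIST = """\
Name                Version                          Vendor    Acceptance Level    Install Date
------------------  -------------------------------  --------  ------------------  ------------
esx-base            7.0.3-0.65.20842708              VMW       VMwareCertified     2023-01-12
nvme-pcie           1.2.3.16-1vmw.703.0.65.20842708  VMW       VMwareCertified     2023-01-12
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.20.19193900    VMware    VMwareCertified     2023-01-12
net-helper          1.0-1                            unknown   CommunitySupported  2023-09-30
"""


def parse_vib_list(text: str) -> List[Dict[str, str]]:
    """Turn the esxcli table into a list of dicts, skipping header and rule lines."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name") or line.startswith("---"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 5:
            raise ValueError(f"unexpected esxcli row: {line!r}")
        name, version, vendor, acceptance, installed = fields[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "acceptance": acceptance, "installed": installed})
    return rows


def audit_vibs(rows: Sequence[Dict[str, str]],
               host_acceptance: str = "PartnerSupported",
               trusted_vendors: Sequence[str] = ("VMW", "VMware")) -> List[Dict[str, object]]:
    """Return findings for VIBs below the host acceptance level or from untrusted vendors."""
    host_rank = ACCEPTANCE_RANK[host_acceptance]
    findings: List[Dict[str, object]] = []
    for row in rows:
        reasons: List[str] = []
        rank = ACCEPTANCE_RANK.get(row["acceptance"])
        if rank is None:
            reasons.append(f"unknown acceptance level {row['acceptance']!r}")
        elif rank < host_rank:
            reasons.append(f"{row['acceptance']} is below host level {host_acceptance}")
        if row["vendor"] not in trusted_vendors:
            reasons.append(f"vendor {row['vendor']!r} is not in the trusted list")
        if reasons:
            findings.append({"name": row["name"], "version": row["version"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"{finding['name']} {finding['version']}: " + "; ".join(finding["reasons"]))
```

Run it against the real `esxcli software vib list` output of each host and pass the host's own acceptance level (from `esxcli software acceptance get`) so the comparison reflects that host's policy; the trusted-vendor list will need the names of any legitimate third-party driver vendors in your environment.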

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
