Rewterz Threat Alert – A China-linked APT Group Exploiting A Zero-Day Vulnerability In VMware ESXi

Severity

High

Analysis Summary

The cybersecurity researcher firm has discovered a cyber espionage group known as UNC3886, which is believed to be sponsored by China, exploiting a zero-day vulnerability in VMware ESXi. The vulnerability, tracked as CVE-2023-20867, allowed the group to backdoor Windows and Linux virtual machines hosted on compromised ESXi hosts. The attackers leveraged a VMware Tools authentication bypass flaw to deploy VirtualPita and VirtualPie backdoors, gaining root privileges on the guest VMs. By using maliciously crafted vSphere Installation Bundles (VIBs), the group installed the backdoor malware on the ESXi hosts.

“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine,” according to VM security advisory.

During investigation, they also identified another malware strain called VirtualGate, which acted as a memory-only dropper on the hijacked VMs. This allowed the group to deobfuscate second-stage DLL payloads. Researchers noted that the communication channel between the guest and host machines provided a means of persistence for the attackers. It also highlighted the deep technical knowledge and understanding of ESXi, vCenter, and VMware’s virtualization platform demonstrated by UNC3886.

”The report reinforces UNC3886’s deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform. UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms”

In a previous campaign in mid-2022, UNC3886 targeted FortiGate firewall devices using a zero-day vulnerability (CVE-2022-41328) and deployed Castletap and Thincrust backdoors. With access to the compromised Fortinet devices, the group gained persistence on FortiManager and FortiAnalyzer devices and later moved laterally through the victims’ network. The backdoored ESXi and vCenter machines were used to ensure stealthy operations.

UNC3886 primarily targets organizations in the defense, government, telecom, and technology sectors in the U.S. and APJ regions. Their choice of targets focuses on zero-day vulnerabilities in firewall and virtualization platforms lacking Endpoint Detection and Response (EDR) capabilities. The report highlighted the group’s advanced capabilities, custom implants, and extensive research capabilities, allowing them to understand and exploit complex technologies used by targeted appliances.



The attacks attributed to UNC3886 are highly targeted and suggest a focus on governmental or government-related entities. The group’s activities reflect an ongoing pattern of Chinese espionage, demonstrating sophisticated tradecraft that is challenging to detect. It is likely that there are additional victims who are unaware of the compromise. UNC3886 has successfully breached organizations with mature security programs in place, indicating the need for heightened vigilance and advanced security measures to counter their activities.

Impact

• Security Bypass
• Credentials Harvesting

Remediation

• Ensure that all VMware ESXi hosts are updated to the latest available patches and firmware versions. VMware has released a security advisory addressing the zero-day vulnerability, so promptly apply the provided patches.
• Implement a robust vulnerability management program to regularly scan and identify any potential vulnerabilities in your virtualization environment. Prioritize patching and remediation based on criticality and impact.
• Implement network segmentation to isolate critical systems, such as ESXi hosts, from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
• Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access to ESXi hosts. Regularly review and revoke unnecessary privileges to minimize the attack surface.
• Deploy robust security monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. Implement real-time log analysis and alerting mechanisms to identify potential unauthorized access attempts.
• Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by APT groups. Encourage a culture of security awareness and promote safe computing practices.
• Conduct periodic security audits and assessments of your virtualization infrastructure to identify any misconfigurations or vulnerabilities. Engage third-party security experts if necessary to perform thorough assessments.
• Continuously monitor the security posture of your virtualization environment, including ESXi hosts and virtual machines. Implement hardening measures recommended by VMware and security best practices to minimize the attack surface and strengthen defenses.