Chinese Hackers Exploit VMware Zero-Day

Chinese state-sponsored hackers are exploiting a zero-day vulnerability in VMware ESXi hosts to backdoor Windows and Linux systems. The group, known as UNC3886, has been linked to a number of other high-profile attacks, including the targeting of defense, technology, and telecommunications organizations in the U.S., Japan, and the Asia-Pacific region. Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

The vulnerability, tracked as CVE-2023-20867, allows UNC3886 to execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.

In addition to exploiting the VMware ESXi zero-day, UNC3886 has also been observed using other techniques to gain access to victim networks, including:

• Exploiting vulnerabilities in firewall and virtualization software
• Harvesting credentials from vCenter servers
• Abusing VMCI sockets for lateral movement and continued persistence
• Disabling and tampering with logging services

LockBit, a ransomware-as-a-service (RaaS) operation, has extorted $91 million from U.S. companies since 2020.

UNC3886 is a highly sophisticated threat actor that is constantly evolving its tactics and techniques. Organizations that use VMware ESXi hosts should take steps to mitigate the risk of attack, including:

• Applying the latest security patches
• Using strong passwords and multi-factor authentication
• Segmenting networks to limit the spread of malware
• Backing up data regularly and keeping backups offline
• Having a plan to restore operations in the event of an attack

If you believe that your organization has been targeted by UNC3886, you should immediately contact law enforcement and a cybersecurity incident response firm. Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems