Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

Chinese state-sponsored hackers are exploiting a zero-day vulnerability in VMware ESXi hosts to backdoor Windows and Linux systems. The group, known as UNC3886, has been linked to a number of other high-profile attacks, including the targeting of defense, technology, and telecommunications organizations in the U.S., Japan, and the Asia-Pacific region.
The vulnerability, tracked as CVE-2023-20867, lets UNC3886 execute privileged commands on Windows, Linux, and PhotonOS (vCenter) guest VMs from a compromised ESXi host without authenticating with guest credentials, and with no default logging on the guest VMs to record the activity.
In addition to exploiting the VMware ESXi zero-day, UNC3886 has also been observed using other techniques to gain access to victim networks, including:
- Exploiting vulnerabilities in firewall and virtualization software
- Harvesting credentials from vCenter servers
- Abusing VMCI sockets for lateral movement and continued persistence
- Disabling and tampering with logging services
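The last two techniques leave traces on the hypervisor itself: stopping or reconfiguring the ESXi syslog daemon and deleting log files are shell actions that, when ESXi shell auditing is still active, appear in the host's shell log. The script below is an added detection example, not code from the original article or from any vendor; it assumes a constructed shell.log-style line format (timestamp, process, user, command) and scans for commands that stop, redirect, or purge host logging. Line format and the sample entries are constructed for illustration and should be adjusted to the real log layout in your environment.

```python
import re
from dataclasses import dataclass

# Constructed sample log in an assumed ESXi shell.log-style format:
# "<timestamp> shell[<pid>]: [<user>]: <command>"
SAMPLE_LOG = """\
2023-06-13T09:58:01Z shell[2001]: [root]: esxcli system version get
2023-06-13T09:58:40Z shell[2001]: [root]: /etc/init.d/vmsyslogd stop
2023-06-13T09:59:02Z shell[2001]: [root]: esxcli system syslog config set --loghost=
2023-06-13T09:59:30Z shell[2001]: [root]: rm -f /var/log/hostd.log /var/log/vmkernel.log
2023-06-13T10:00:10Z shell[2001]: [root]: esxcli system syslog reload
2023-06-13T10:01:00Z shell[2001]: [root]: ls /vmfs/volumes
"""

# Assumed line layout; adjust if your shell.log differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Command patterns that indicate host logging being disabled, redirected, or wiped.
TAMPER_PATTERNS = [
    ("syslog_daemon_stop", re.compile(r"/etc/init\.d/vmsyslogd\s+stop|\bkill\b.*vmsyslogd")),
    ("syslog_config_change", re.compile(r"esxcli\s+system\s+syslog\s+config\s+set")),
    ("log_file_deletion", re.compile(r"\brm\b.*(/var/log/|/scratch/log/)")),
]


@dataclass
class Alert:
    timestamp: str
    user: str
    category: str
    command: str


def parse_line(line):
    """Return the parsed fields of one shell.log-style line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_log_tampering(log_text):
    """Scan log text and return one Alert per command that matches a tampering pattern."""
    alerts = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        for category, pattern in TAMPER_PATTERNS:
            if pattern.search(entry["cmd"]):
                alerts.append(Alert(entry["ts"], entry["user"], category, entry["cmd"]))
                break  # one alert per command line is enough
    return alerts


if __name__ == "__main__":
    for a in find_log_tampering(SAMPLE_LOG):
        print(f"{a.timestamp} [{a.user}] {a.category}: {a.command}")
```

Forwarding shell.log and the other host logs to a remote syslog collector before any incident matters here: once vmsyslogd is stopped or its loghost cleared, nothing later is written locally, so the copy that already left the host is the one this kind of check should run against.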
UNC3886 is a highly sophisticated threat actor that is constantly evolving its tactics and techniques. Organizations that use VMware ESXi hosts should take steps to mitigate the risk of attack, including:
- Applying the latest security patches
- Using strong passwords and multi-factor authentication
- Segmenting networks to limit the spread of malware
- Backing up data regularly and keeping backups offline
- Having a plan to restore operations in the event of an attack
If you believe that your organization has been targeted by UNC3886, you should immediately contact law enforcement and a cybersecurity incident response firm.