Chinese Hackers Exploit VMware Zero-Day

Chinese state-sponsored hackers are exploiting a zero-day vulnerability in VMware ESXi hosts to backdoor Windows and Linux systems. The group, known as UNC3886, has been linked to a number of other high-profile attacks, including the targeting of defense, technology, and telecommunications organizations in the U.S., Japan, and the Asia-Pacific region.

The vulnerability, tracked as CVE-2023-20867, lets UNC3886 execute privileged commands on Windows, Linux, and PhotonOS (vCenter) guest VMs from a compromised ESXi host without authenticating with guest credentials, and the activity generates no logging on the guest VMs by default.

In addition to exploiting the VMware ESXi zero-day, UNC3886 has also been observed using other techniques to gain access to victim networks, including:

  • Exploiting vulnerabilities in firewall and virtualization software
  • Harvesting credentials from vCenter servers
  • Abusing VMCI sockets for lateral movement and continued persistence
  • Disabling and tampering with logging services


UNC3886 is a highly sophisticated threat actor that is constantly evolving its tactics and techniques. Organizations that use VMware ESXi hosts should take steps to mitigate the risk of attack, including:

  • Applying the latest security patches
  • Using strong passwords and multi-factor authentication
  • Segmenting networks to limit the spread of malware
  • Backing up data regularly and keeping backups offline
  • Having a plan to restore operations in the event of an attack
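Because CVE-2023-20867 leaves no default trace on the guest, the practical control is knowing which guests still run a VMware Tools build older than the fixed release and patching them. The script below is an added example, not code from the article or from VMware: it parses version strings in the format printed by `vmware-toolbox-cmd -v` (the inventory here is constructed sample data) and lists guests below a minimum version. `MIN_PATCHED_VERSION` is a placeholder that must be replaced with the fixed version stated in the vendor advisory.

```python
"""Audit VMware Tools versions reported by guest VMs against a minimum
patched build. Added example, not from the article; the minimum version
is a placeholder and the inventory is constructed sample data."""
import re
from typing import Dict, List, Tuple

# Placeholder (assumption): replace with the first VMware Tools release
# that the vendor advisory for CVE-2023-20867 lists as fixed.
MIN_PATCHED_VERSION = "12.2.5"

# Constructed sample: one entry per guest, as an inventory job might
# collect by running `vmware-toolbox-cmd -v` inside each guest.
SAMPLE_INVENTORY = {
    "fileserver01": "12.1.5.20735119 (build-20735119)",
    "web02": "12.2.5.21855600 (build-21855600)",
    "db03": "11.3.0.18090558 (build-18090558)",
    "legacy-app": "unknown",   # tools not installed or command failed
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(raw: str) -> Tuple[int, ...]:
    """Return the leading dotted numeric part of a Tools version string
    as a tuple of ints, or an empty tuple if it cannot be parsed."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return ()
    return tuple(int(p) for p in m.group(1).split("."))


def is_at_least(raw: str, minimum: str) -> bool:
    """True when raw parses and is >= minimum. Shorter tuples are padded
    with zeros so that "12.2.5" compares equal to "12.2.5.0"."""
    v, m = parse_version(raw), parse_version(minimum)
    if not v or not m:
        return False
    n = max(len(v), len(m))
    v += (0,) * (n - len(v))
    m += (0,) * (n - len(m))
    return v >= m


def find_unpatched(inventory: Dict[str, str],
                   minimum: str = MIN_PATCHED_VERSION) -> List[str]:
    """Names of guests whose reported Tools version is below minimum or
    unparseable; an unknown version is reported rather than skipped,
    since a guest without a readable Tools version cannot be assumed safe."""
    return sorted(name for name, raw in inventory.items()
                  if not is_at_least(raw, minimum))


if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_INVENTORY):
        print(f"{name}: VMware Tools {SAMPLE_INVENTORY[name]} "
              f"is below {MIN_PATCHED_VERSION}")
```

Feed it real output by collecting `vmware-toolbox-cmd -v` per guest into the dictionary; guests that report nothing are deliberately listed as unpatched so they are followed up rather than silently dropped.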

If you believe that your organization has been targeted by UNC3886, you should immediately contact law enforcement and a cybersecurity incident response firm.
