A Chinese cyber espionage group has been found exploiting a VMware ESXi zero-day vulnerability to backdoor guest virtual machines, a new report from cybersecurity firm Mandiant reveals.
Tracked by Mandiant as UNC3886, the threat actor exploited the CVE-2023-20867 VMware Tools authentication bypass bug to deploy VirtualPita and VirtualPie backdoors on guest virtual machines from compromised ESXi hosts where they escalated privileges to root.
The attackers used scripts to obtain vpxuser credentials, enumerate ESXi hosts and their guest VMs, manipulate connected ESXi host firewall rules, and add or delete from the list of allowed IPs for a specified service (Default sshServer) across all connected ESXi hosts.
The vpxuser account is a privileged service account created automatically on an ESXi host when it is first connected to a vCenter server. UNC3886 used this account to deploy malicious vSphere Installation Bundles (VIBs), communicating over VMCI sockets, that contained either the VirtualPita or VirtualPie backdoor for lateral movement and continued persistence.
The threat actor used CVE-2023-20867 to execute commands and transfer files to and from guest VMs from a compromised ESXi host without the need for guest credentials.
“Additionally, the use of CVE-2023-20867 does not generate an authentication log event on the guest VM when commands are executed from the ESXi host,” Mandiant noted.
The CVE-2023-20867 flaw was addressed with the release of VMware Tools version 12.2.5.
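Two defender-side checks that follow from the report, as an added example that is not Mandiant's or VMware's code: one parses the table that `esxcli software vib list` prints (the sample below is constructed in that shape) and flags VIBs outside a local vendor allowlist or at the CommunitySupported acceptance level, the other flags guests whose VMware Tools version predates the 12.2.5 fix for CVE-2023-20867. The vendor allowlist and the guest inventory are assumptions for this example.

```python
"""Defender checks inspired by the UNC3886 / CVE-2023-20867 report.

Added example, not vendor code. Flags (1) installed VIBs that are not from
an allowlisted vendor or that sit at the CommunitySupported acceptance
level, and (2) guest VMs whose VMware Tools version is older than 12.2.5.
"""
import re

FIXED_TOOLS_VERSION = (12, 2, 5)      # VMware Tools release that fixed CVE-2023-20867
TRUSTED_VENDORS = {"VMware", "VMW"}   # assumption: site-specific allowlist

# Constructed sample laid out like `esxcli software vib list` output
# (columns separated by two or more spaces).
SAMPLE_VIB_LIST = """\
Name         Version                        Vendor  Acceptance Level  Install Date
-----------  -----------------------------  ------  ----------------  ------------
esx-base     7.0.3-0.65.20328353            VMware  VMwareCertified   2023-03-01
esx-esxcli   7.0.3-0.65.20328353            VMware  VMwareCertified   2023-03-01
lsuv2-lsiv2  1.0.0-1vmw.703.0.20.19193900   VMW     VMwareCertified   2023-03-01
svc-helper   1.0-1                          Acme    PartnerSupported  2023-05-14
"""

# Constructed guest inventory: VM name -> reported VMware Tools version.
SAMPLE_INVENTORY = {"web-01": "12.1.5", "db-01": "12.2.5.41888", "jump-01": "11.3.0"}


def parse_vib_list(text: str) -> list[dict]:
    """Return one dict per VIB row, skipping the header and separator lines."""
    rows = []
    for line in text.splitlines()[2:]:
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 5:
            continue  # blank or malformed line
        name, version, vendor, acceptance, installed = parts[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "acceptance": acceptance, "installed": installed})
    return rows


def suspicious_vibs(rows: list[dict]) -> list[str]:
    """Names of VIBs from non-allowlisted vendors or at CommunitySupported level."""
    return [r["name"] for r in rows
            if r["vendor"] not in TRUSTED_VENDORS
            or r["acceptance"] == "CommunitySupported"]


def parse_tools_version(version: str) -> tuple:
    """Normalise '12.2.5.41888' or '12.1.5' to a comparable (major, minor, patch)."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def outdated_tools(inventory: dict) -> list[str]:
    """VMs whose VMware Tools version is older than the fixed release."""
    return sorted(vm for vm, ver in inventory.items()
                  if parse_tools_version(ver) < FIXED_TOOLS_VERSION)
```

On a live host, feed the real `esxcli software vib list` output into `parse_vib_list` and the Tools versions reported by vCenter into `outdated_tools`; a hit is a review item, not proof of compromise.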
“UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms. UNC3886 continues to present challenges to investigators by disabling and tampering with logging services, selectively removing log events related to their activity. The threat actors’ retroactive cleanup performed within days of past public disclosures on their activity indicates how vigilant they are,” Mandiant concluded.