A highly advanced China-nexus espionage group has been exploiting a critical VMware vCenter Server flaw as a zero-day since 2021, new findings from Google-owned cybersecurity firm Mandiant show.
The vulnerability in question is CVE-2023-34048, an out-of-bounds write issue within the DCERPC protocol implementation that could allow a remote attacker to execute arbitrary code via a specially crafted RPC request to the vCenter Server. The vulnerability was publicly disclosed and fixed in October 2023. Last week, VMware confirmed that CVE-2023-34048 was under active exploitation.
Mandiant has attributed the observed campaign to UNC3886, a threat actor known for its previous attacks against security flaws in VMware and Fortinet appliances.
“In late 2023, a similarity was observed across impacted vCenter systems that explained how the attacker was gaining initial access to the vCenter systems. Located in the VMware service crash logs, /var/log/vMonCoredumper.log, the following entries show the "vmdird" service crashing minutes prior to attacker backdoors being deployed,” the company said in a report.
While examining the core dump of “vmdird”, the researchers noted that the crash closely aligned with exploitation of CVE-2023-34048. Mandiant said it saw these crashes across multiple UNC3886 cases between late 2021 and early 2022, indicating that the threat actor had access to the vulnerability for nearly a year and a half before it was disclosed.
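As an added illustration (not code from Mandiant's report or this article), the following Python hunt parses vMonCoredumper.log-style entries for vmdird crashes and pairs them with later suspicious file drops on the same host, the "crash minutes before backdoor" pattern described above. The log line layout and all timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/vMonCoredumper.log lines. The layout
# (ISO-8601 timestamp, level, host, "Dumping core for <service>: id=<pid>")
# is an ASSUMED format for illustration, not a verbatim vCenter log format.
SAMPLE_LOG = """\
2021-11-12T09:14:03.120Z In(05) host-1 Dumping core for vsphere-ui: id=4123
2021-11-12T09:31:44.871Z In(05) host-1 Dumping core for vmdird: id=4188
2021-11-12T09:33:10.004Z In(05) host-1 Dumping core for vmdird: id=4190
2022-01-08T22:05:57.330Z In(05) host-1 Dumping core for vmdird: id=9021
"""

# Constructed timestamps of suspicious file drops on the same host (e.g. from
# a file-system timeline); the first follows vmdird crashes by minutes, the
# second has no preceding crash and should not be flagged.
SUSPICIOUS_DROPS = [
    datetime(2021, 11, 12, 9, 40, 12),
    datetime(2022, 3, 2, 4, 0, 0),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\S+\s+(?P<host>\S+)"
    r"\s+Dumping core for (?P<svc>[\w-]+)"
)

def parse_coredump_log(text):
    """Return (timestamp, host, service) for every core-dump line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m["host"], m["svc"]))
    return events

def vmdird_crashes(text):
    """Only vmdird crashes: the signal Mandiant tied to CVE-2023-34048 exploitation."""
    return [e for e in parse_coredump_log(text) if e[2] == "vmdird"]

def correlate(crashes, drops, window=timedelta(minutes=30)):
    """Pair each suspicious drop with vmdird crashes in the preceding window."""
    hits = []
    for drop in drops:
        preceding = [c for c in crashes if timedelta(0) <= drop - c[0] <= window]
        if preceding:
            hits.append((drop, preceding))
    return hits

if __name__ == "__main__":
    for drop, pre in correlate(vmdird_crashes(SAMPLE_LOG), SUSPICIOUS_DROPS):
        print(f"drop at {drop}: {len(pre)} vmdird crash(es) within 30 min before")
```

Service crashes alone are noisy; the value is in the correlation with a subsequent artefact on the same host, which is why the window is kept short.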
In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering Federal Civilian Executive Branch (FCEB) agencies to immediately patch two Ivanti Connect Secure and Ivanti Policy Secure zero-day flaws, an authentication bypass (CVE-2023-46805) and an OS command injection bug (CVE-2024-21887), that have been actively exploited by multiple malicious actors.