Chinese Cyber Espionage Titans Strike Again: Inside UNC3886’s Secret Exploits!

Using a VMware vulnerability, a Chinese cyber espionage group conducts a prolonged campaign.
In a worrying development, it has been determined that UNC3886, a highly skilled cyber espionage group with ties to China and a track record of exploiting security flaws, was responsible for abusing a critical vulnerability in VMware vCenter Server. The vulnerability, tracked as CVE-2023-34048, has been exploited as a zero-day since late 2021, raising concerns about the group’s capacity for persistent operations.

Google subsidiary Mandiant highlighted UNC3886’s skill in quietly weaponizing zero-day vulnerabilities. Following the group’s exploitation of the high-severity out-of-bounds write vulnerability CVE-2023-34048, VMware released a patch on October 24, 2023. The virtualization vendor acknowledged that in-the-wild exploitation had occurred despite the patch and advised customers to upgrade to the most recent version.

Targeted Approach and Complex Exploitation Techniques

UNC3886, first identified in September 2022, came to light for its ability to compromise Windows and Linux systems by taking advantage of unpatched VMware vulnerabilities. The latest information from Mandiant reveals the zero-day weaponization of CVE-2023-34048, which gave the cyber espionage outfit privileged access to vCenter systems. The attackers then turned their attention to ESXi hosts and deployed malware such as VIRTUALPITA and VIRTUALPIE.

Obtaining “vpxuser” credentials, connecting to the hosts, and installing malware are all steps in the attack chain, which ultimately gives the attackers a direct connection to the compromised hosts. As Mandiant disclosed in June 2023, UNC3886 then exploits a second VMware vulnerability (CVE-2023-20867) to execute arbitrary commands and transfer files within the compromised ESXi host.

Long History of Exploitation

According to Mandiant’s findings, UNC3886 had access to CVE-2023-34048 for a considerable amount of time, as evidenced by crashes observed as early as late 2021. The attackers deliberately removed the resulting core dumps to cover their tracks, highlighting the group’s careful preparation and evasion tradecraft. Exploiting flaws in virtualization and firewall products is consistent with UNC3886’s focus on the defense, government, telecommunications, and technology sectors in the Asia-Pacific and Japan (APJ) region and the United States.
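The “crash without a core dump” pattern described above is something a defender can hunt for directly. The following added example (not from the article or from Mandiant) correlates crash records in a log with the core files still present on disk; the log layout, the service name and the core-file naming are constructed assumptions for the demonstration, not the real vCenter formats.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a simplified systemd/syslog style.
# The service name and line format are assumptions, not taken from the article.
SAMPLE_LOG = """\
2021-11-18T03:12:45Z vcsa systemd[1]: vmdird.service: Main process exited, code=dumped, status=11/SEGV
2021-11-18T03:12:47Z vcsa systemd[1]: vmdird.service: Scheduled restart job, restart counter is at 1.
2022-02-03T22:05:10Z vcsa systemd[1]: vmdird.service: Main process exited, code=dumped, status=11/SEGV
2022-02-03T22:05:12Z vcsa systemd[1]: vmdird.service: Scheduled restart job, restart counter is at 2.
"""

# Constructed inventory of core files found in the core directory: (file name, mtime).
# Only the first crash still has its core file; the second crash left none behind.
SAMPLE_CORES = [
    ("core.vmdird.1102.1637205167", datetime(2021, 11, 18, 3, 12, 47, tzinfo=timezone.utc)),
]

CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: (?P<unit>\S+)\.service: Main process exited, code=dumped"
)


def parse_crashes(log_text):
    """Return (timestamp, unit) for every core-dumping process exit in the log."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            crashes.append((ts, m.group("unit")))
    return crashes


def crashes_without_core(log_text, core_files, window=timedelta(minutes=10)):
    """Flag crashes for which no core file of the same service appeared within `window`.
    A crash that should have written a core but left none is the pattern the article
    attributes to UNC3886 and deserves an analyst's attention."""
    missing = []
    for ts, unit in parse_crashes(log_text):
        has_core = any(
            name.startswith(f"core.{unit}.") and ts <= mtime <= ts + window
            for name, mtime in core_files
        )
        if not has_core:
            missing.append((ts.isoformat(), unit))
    return missing


if __name__ == "__main__":
    for ts, unit in crashes_without_core(SAMPLE_LOG, SAMPLE_CORES):
        print(f"{ts}: {unit} crashed with a core dump expected but none was found")
```

On a real appliance, feed it the exported journal or service log together with a listing of the core directory, and treat every flagged crash as a lead to correlate with the vCenter version in use at that time.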

Multiple Use of the Fortinet Vulnerability

Mandiant also disclosed that the group used a Fortinet zero-day (CVE-2022-41328) in parallel with the VMware campaign, highlighting UNC3886’s diverse playbook. As part of this two-pronged attack, the Castletap and Thincrust backdoors were installed on FortiGate firewall devices. The precision of the attacks points to a thorough knowledge of the underlying hardware and FortiOS, underscoring the sophistication of the Chinese cyber espionage operation.

As cybersecurity threats continue to grow, organizations running VMware vCenter Server are strongly encouraged to update to the most recent version as soon as possible. The ongoing exploitation by the UNC3886 group highlights the importance of proactive security measures in protecting critical infrastructure.
