SecurityWeek

Nation-State

Chinese Spies Exploited VMware vCenter Server Vulnerability Since 2021

CVE-2023-34048, a vCenter Server vulnerability patched in October 2023, had been exploited as zero-day for a year and a half.


Evidence suggests that a Chinese cyberespionage group had been exploiting a recent VMware vCenter Server vulnerability as a zero-day since 2021, Mandiant reports.

The flaw, tracked as CVE-2023-34048 (CVSS score of 9.8), is an out-of-bounds write bug in VMware’s implementation of the DCERPC protocol. An unauthenticated attacker with network access to vCenter Server could exploit it to execute arbitrary code remotely.

VMware released patches for the vulnerability in October 2023, noting that, because of the severity of the bug and the lack of workarounds, it had decided to make the fix available for product versions that had already reached end-of-life (EoL) status as well.

Last week, the virtualization technology company updated its advisory to warn that it was aware of in-the-wild exploitation of CVE-2023-34048, without providing specific information on the observed attacks.

On Friday, cybersecurity firm Mandiant, which is part of Google Cloud, revealed that the exploitation of CVE-2023-34048 likely started a year and a half ago, and that a sophisticated China-linked espionage group tracked as UNC3886 is responsible for it.

“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” the cybersecurity firm said.


Mandiant’s analysis of the attack path involving CVE-2023-20867, a separate VMware Tools vulnerability the same group had exploited, revealed specific entries in the VMware service crash logs showing that the ‘vmdird’ service (the vCenter directory service) would crash shortly before the attacker’s backdoors were deployed.

“Analysis of the core dump of vmdird by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048,” Mandiant noted.

The same crashes, Mandiant pointed out, were observed across multiple UNC3886 intrusions starting late 2021, “leaving a window of roughly a year and a half that this attacker had access to this vulnerability”.

The cybersecurity firm also observed that the attackers removed the ‘vmdird’ core dumps from the compromised environments to cover their tracks, although the log entries recording the crashes were preserved. That combination, a logged crash of vmdird whose core dump is no longer on disk, is therefore the artifact defenders can look for retroactively.
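The following is an added detection example, not code from Mandiant or VMware. It scans a service log for non-zero exits of the vmdird service and flags any crash whose recorded core dump is no longer present on disk, which is the pattern the article describes (crash logged, dump deleted). The log line format, the `vmon:` prefix, the core dump paths and the list of files present are all constructed for the example; on a real vCenter Server Appliance the regular expressions must be adapted to the actual log format, and the set of present dumps should be built from the file system.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample log (NOT real vCenter output). Two vmdird crashes are
# recorded; a third exit belongs to a different service and must be ignored.
SAMPLE_LOG = """\
2021-11-03T02:14:07Z vcsa vmon: <vmdird> Service exited. Exit code: 139
2021-11-03T02:14:08Z vcsa vmon: <vmdird> Core dump written to /var/core/core.vmdird.1234
2021-11-03T02:14:09Z vcsa vmon: <vmdird> Service started
2022-04-19T22:41:55Z vcsa vmon: <vmdird> Service exited. Exit code: 139
2022-04-19T22:41:56Z vcsa vmon: <vmdird> Core dump written to /var/core/core.vmdird.5678
2022-04-19T22:41:58Z vcsa vmon: <vmdird> Service started
2022-06-01T10:00:00Z vcsa vmon: <vsphere-ui> Service exited. Exit code: 0
"""

# Constructed: core dump files that still exist on disk. The second dump
# referenced in the log has been deleted, as the attackers did in the
# intrusions Mandiant describes.
PRESENT_CORE_DUMPS: FrozenSet[str] = frozenset({"/var/core/core.vmdird.1234"})

# Assumed line formats for the constructed log; adjust to the real log.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vmon: <(?P<svc>[^>]+)> Service exited\. Exit code: (?P<code>\d+)$"
)
DUMP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vmon: <(?P<svc>[^>]+)> Core dump written to (?P<path>\S+)$"
)


@dataclass
class CrashEvent:
    timestamp: str
    service: str
    exit_code: int
    core_dump: Optional[str] = None   # path the log says was written
    dump_missing: bool = False        # True if that path is not on disk


def find_crashes(log_text: str, present_dumps: FrozenSet[str],
                 service: str = "vmdird") -> List[CrashEvent]:
    """Return every abnormal exit of `service`, annotated with whether the
    core dump the log mentions still exists in `present_dumps`."""
    events: List[CrashEvent] = []
    pending: Optional[CrashEvent] = None  # crash awaiting its dump line
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            if m["svc"] == service and int(m["code"]) != 0:
                pending = CrashEvent(m["ts"], m["svc"], int(m["code"]))
                events.append(pending)
            continue
        m = DUMP_RE.match(line)
        if m and m["svc"] == service and pending is not None:
            pending.core_dump = m["path"]
            pending.dump_missing = m["path"] not in present_dumps
            pending = None
    return events


def suspicious_events(log_text: str, present_dumps: FrozenSet[str]) -> List[CrashEvent]:
    """Crashes whose core dump was logged but is no longer on disk."""
    return [e for e in find_crashes(log_text, present_dumps) if e.dump_missing]


if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_LOG, PRESENT_CORE_DUMPS):
        print(f"{ev.timestamp} {ev.service} exit {ev.exit_code}: "
              f"core dump {ev.core_dump} referenced in log but missing on disk")
```

On an appliance, `present_dumps` would be built from the core directory (for example `frozenset(glob.glob("/var/core/*"))`, the path being an assumption) and `log_text` read from the collected service log. A crash with a missing dump is a lead, not proof: dumps are also rotated or cleaned up legitimately, so correlate the crash timestamps with backdoor file creation times and with the vmdird exit codes before drawing conclusions.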

VMware fixed the vulnerability in vCenter Server 8.0U2 and backported the fix to vCenter Server 8.0U1, 7.0U3, 6.7U3 and 6.5U3, to VCF 3.x, and to async vCenter Server patches for VCF 5.x and 4.x deployments.

VMware customers are advised to apply the available patches as soon as possible. Since no workaround exists, network access to vCenter Server should be restricted to management hosts until the patch is applied. Because exploitation predates the patch by roughly a year and a half, patching alone does not rule out an earlier compromise: organizations running exposed vCenter instances since 2021 should also review their vmdird crash logs for the pattern Mandiant describes.

Related: VMware Urges Customers to Patch Critical Aria Automation Vulnerability

Related: Critical Authentication Bypass Flaw in VMware Cloud Director Appliance

Related: Exploit Code Published for Critical-Severity VMware Security Defect

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
