A Chinese hacking group, UNC3886, has been actively exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021, according to security firm Mandiant. Although the flaw was patched in October, Mandiant reveals that UNC3886 utilized it in a cyber espionage campaign exposed in June 2023. The hackers breached targets’ vCenter servers, deployed backdoors, and exploited another VMware flaw (CVE-2023-20867) to escalate privileges and exfiltrate files from guest VMs.
While VMware confirmed awareness of the CVE-2023-34048 in-the-wild exploitation, it did not provide additional details on the attacks. However, Mandiant disclosed that UNC3886 used the vulnerability as part of a previously reported campaign, targeting organizations in the defense, government, telecom, and technology sectors in the United States and the APJ region. The Chinese cyber espionage group favors zero-day security flaws in firewall and virtualization platforms lacking Endpoint Detection and Response (EDR) capabilities.
Mandiant noted that despite being publicly reported and patched in October 2023, UNC3886 had access to the CVE-2023-34048 vulnerability for roughly a year and a half, exploiting it across multiple cases between late 2021 and early 2022. The attackers strategically removed core dumps of the ‘vmdird’ service crash in an attempt to cover their tracks. UNC3886’s sophisticated tactics involve exploiting not only VMware vulnerabilities but also abusing a Fortinet zero-day (CVE-2022-41328) in the same campaign to compromise FortiGate firewall devices, showcasing their advanced capabilities and deep understanding of targeted systems.