CVE-2023-34048: Inside the Zero-Day Vulnerability Exploited by UNC3886

A cybercriminal group linked to China, known as UNC3886, has clandestinely exploited a critical zero-day vulnerability in the VMware vCenter Server management system since late 2021. This revelation was disclosed in a recent report by Mandiant.

The vulnerability, designated CVE-2023-34048 and rated 9.8 on the CVSS scale, involves an out-of-bounds write error that allows an attacker with network access to the vCenter Server to remotely execute code. On October 24, 2023, shortly after the vulnerability was identified, it was rectified by Broadcom.

At the beginning of the week, VMware updated its remediation guidance for this vulnerability, confirming that CVE-2023-34048 had been exploited in real-world conditions.

UNC3886 first garnered attention in September 2022, when it was discovered that the group was leveraging previously unknown vulnerabilities in VMware to implant backdoors in Windows and Linux systems. The malware disseminated included, among others, the VirtualPita and VirtualPie programs.

Recent information from Mandiant indicates that the zero-day vulnerability exploited by the Chinese hackers UNC3886 in their attacks on VMware was indeed CVE-2023-34048. The exploitation allowed the perpetrators to gain privileged access to the vCenter system, and enumerate all ESXi hosts and connected virtual machines.

Subsequently, the attackers accessed the “vpxuser” account credentials in plaintext and used them to install malicious software, enabling direct connections to the hosts.

This sequence of actions, in turn, paved the way for the exploitation of another VMware vulnerability, CVE-2023-20867 (CVSS score: 3.9), allowing the execution of arbitrary commands and the transfer of files between virtual machines and the compromised ESXi host, as reported by Mandiant in June 2023.

VMware vCenter Server users are strongly advised to update to the latest software version as soon as possible to mitigate any potential threats.

In recent years, UNC3886 has also frequently exploited the vulnerability CVE-2022-41328 (CVSS score: 6.5) in Fortinet FortiOS software to deploy the THINCRUST and CASTLETAP tools, enabling the execution of arbitrary commands from a remote server and the exfiltration of confidential data.

These attacks are particularly perilous for firewall and virtualization technologies, as they often lack EDR solutions, allowing attackers to remain within target environments for extended periods.