date 2024-01-23 #Dutch #Channel #Mandiant #VMware #close #zerodaylek #vCenter #Server

Mandiant reports: “Although publicly reported and patched in October 2023, Mandiant and VMware Product Security discovered that UNC3886, a highly sophisticated spy group with a Chinese nexus, was already exploiting CVE-2023-34048 in late 2021.

These findings come from Mandiant’s ongoing research into the new attack paths used by UNC3886, which has historically focused on technologies for which EDR cannot be deployed. UNC3886 has a track record of using zero-day vulnerabilities to complete their mission without being discovered, and this latest example further demonstrates their capabilities.

When addressing the discovery of CVE-2023-20867 in VMware Tools, the attack path was presented in Figure 1, which describes the flow of attacker activity within the VMware ecosystem (i.e. vCenter, ESXi hypervisors, virtualized guest machines). Based on the available evidence at the time, Mandiant continued to investigate how backdoors were deployed on vCenter systems.

In late 2023, a similarity was observed between the affected vCenter systems, which explained how the attacker gained initial access to the vCenter systems. In the crash logs of the VMware service, /var/log/vMonCoredumper.log, the following entries (Figure 2) show that the “vmdird” service crashes minutes before the attacker’s backdoors are deployed.

2022-01-01T01:31:55.361+00:00| | I125: FILE: FileCreateDirectoryEx: Cannot create /tmp. Error = 17
2022-01-01T01:31:55.362+00:00| | I125: FILE: FileCreateDirectoryEx: Cannot create /tmp/vmware-root. Error = 17
2022-01-01T01:31:55.419+00:00| | I125: Notify vMon of vmdird dump core. Pid: 1558
2022-01-01T01:31:55.421+00:00| | I125: VMon successfully reported.
2022-01-01T01:31:55.927+00:00| | I125: Core file generated.

Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process hang is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, allowing unauthenticated execution of remote commands on vulnerable systems.

Although it was publicly reported and patched in October 2023, Mandiant observed these crashes in multiple UNC3886 cases between late 2021 and early 2022, leaving a window of approximately a year and a half during which this attacker had access to this vulnerability. In most environments where these crashes were observed, the log data was retained, but the “vmdird” core dumps themselves were deleted. VMware’s default configurations keep core dumps on the system indefinitely, suggesting that the core dumps were deliberately deleted by the attacker in an attempt to cover their tracks.
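The two indicators described above (a “vmdird” core dump recorded in /var/log/vMonCoredumper.log, and a core file that the log says was generated but that is no longer on disk) can be turned into a simple triage check. The following script is an added example written for this page, not code from Mandiant or VMware: it parses vMonCoredumper.log lines in the format shown in the article, lists every vmdird crash with its timestamp and PID, and flags crashes whose core file is missing. The sample log is constructed from the article’s five lines plus an unrelated vpxd crash added for contrast; the assumption that a core file name contains the crashed process’s PID is mine and should be adjusted to the naming actually observed on the appliance.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample: the vMonCoredumper.log entries quoted in the article,
# followed by an unrelated vpxd crash so the filter has something to ignore.
SAMPLE_LOG = """\
2022-01-01T01:31:55.361+00:00| | I125: FILE: FileCreateDirectoryEx: Cannot create /tmp. Error = 17
2022-01-01T01:31:55.362+00:00| | I125: FILE: FileCreateDirectoryEx: Cannot create /tmp/vmware-root. Error = 17
2022-01-01T01:31:55.419+00:00| | I125: Notify vMon of vmdird dump core. Pid: 1558
2022-01-01T01:31:55.421+00:00| | I125: VMon successfully reported.
2022-01-01T01:31:55.927+00:00| | I125: Core file generated.
2022-03-04T10:00:00.000+00:00| | I125: Notify vMon of vpxd dump core. Pid: 2222
2022-03-04T10:00:00.100+00:00| | I125: VMon successfully reported.
2022-03-04T10:00:00.500+00:00| | I125: Core file generated.
"""

# "<timestamp>| | I125: <message>" as seen in the article's log lines.
LINE_RE = re.compile(r"^(?P<ts>\S+)\|\s*\|\s*I\d+:\s*(?P<msg>.*)$")
DUMP_RE = re.compile(r"Notify vMon of (?P<svc>\S+) dump core\. Pid: (?P<pid>\d+)")


def parse_core_dumps(log_text: str) -> List[Dict]:
    """One record per 'dump core' notification; core_generated becomes True
    when the next 'Core file generated.' line belongs to that crash."""
    events: List[Dict] = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a vMonCoredumper line; skip
        msg = m.group("msg")
        d = DUMP_RE.search(msg)
        if d:
            current = {
                "time": datetime.fromisoformat(m.group("ts")),
                "service": d.group("svc"),
                "pid": int(d.group("pid")),
                "core_generated": False,
            }
            events.append(current)
        elif current is not None and msg.startswith("Core file generated"):
            current["core_generated"] = True
            current = None
    return events


def missing_cores(events: List[Dict], core_files: Set[str]) -> List[Dict]:
    """Crashes whose core the log says was written but no matching file exists.
    Assumption (not from the article): the core file name contains the PID."""
    present = lambda pid: any(str(pid) in name for name in core_files)
    return [e for e in events if e["core_generated"] and not present(e["pid"])]


def triage(log_text: str, core_files: Set[str]) -> Dict[str, List[Dict]]:
    """Summarise vmdird crashes and deleted core files for an analyst."""
    events = parse_core_dumps(log_text)
    return {
        "vmdird_crashes": [e for e in events if e["service"] == "vmdird"],
        "missing_cores": missing_cores(events, core_files),
    }


if __name__ == "__main__":
    # Constructed directory listing: only the vpxd core survived on disk.
    result = triage(SAMPLE_LOG, {"core.vpxd.2222"})
    for e in result["vmdird_crashes"]:
        print(f"vmdird crashed at {e['time'].isoformat()} (pid {e['pid']})")
    for e in result["missing_cores"]:
        print(f"core for {e['service']} pid {e['pid']} was generated but is gone")
```

On a real appliance the `core_files` set would be built from the directory where vCenter writes core dumps, and any vmdird crash with a missing core is a lead to cross-check against the deployment time of files and services on that host.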

As noted in the VMware advisory, this vulnerability has now been patched in vCenter 8.0U2 and Mandiant recommends that VMware users update to the latest version of vCenter to be aware of this vulnerability if they see exploits in the wild.”