Prolonged exploitation of VMware zero-day conducted by Chinese hackers

Attacks exploiting a critical out-of-bounds write zero-day vulnerability in VMware Center Server, tracked as CVE-2023-34048, have been deployed by Chinese cyberespionage operation UNC3886 since 2021, two years before the flaw was identified and addressed, reports The Hacker News. UNC3886 leveraged the flaw to obtain vCenter system privileges and facilitate ESXi host and virtual machine enumeration to inject the VIRTUALPIE and VIRTUALPITA malware, a report from Mandiant revealed. Another VMware vulnerability, tracked as CVE-2023-20867, was also used as part of the attack chain to allow arbitrary command execution and file transfers from compromised ESXi hosts to guest VMs "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," said Mandiant. Such exploitation comes after the cyberespionage group was reported to have used a Fortinet FortiOS path traversal flaw, tracked as CVE-2022-41328, to distribute CASTLETAP and THINCRUST malware.