Russians invade Microsoft exec mail while China jabs at VMware vCenter Server

A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news.

On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write flaw in vCenter Server, was under active exploitation. The bug, which received a 9.8-out-of-10 CVSS severity rating, was disclosed and patched in October. It can be abused to hijack a vulnerable server, if it can be reached over the internet or a network by miscreants.

“A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution,” the virtualization giant noted last year.

VMware did not respond to The Register's inquiries about the scale of the years-long exploitation nor who was behind the attacks. But in a separate report shared later on Friday, Google-owned Mandiant pointed the finger at UNC3886, a crew described as “a highly advanced China-nexus espionage group.”

This same team has targeted VMware products in the past to snoop on targets.

In June 2023, VMware fixed an authentication bypass vulnerability in VMware Tools that affected ESXi hypervisors — but not before UNC3886 had found and exploited the hole.

This PRC-linked gang also targeted VMware hypervisors to carry out espionage in 2022. Additionally, according to Mandiant, UNC3886 last year abused a critical Fortinet bug to deploy custom malware to steal credentials and maintain network access via compromised devices.

Mandiant is attributing intrusions via the vCenter Server hole to Beijing’s spies after spotting similarities between those attacks and the ones against VMware Tools in June 2023. In reviewing VMware crash logs, the network defenders noticed the vmdird service dying shortly before intruders deployed backdoors on a victim’s systems. The code would fail in the same way, whether it was vSphere or VMware Tools being exploited, leading Mandiant to believe it’s the same group behind the attacks, based on the modus operandi.
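One way a defender can turn the crash-then-backdoor pattern described above into a hunt over normalized host logs, as an added example that is not from the article, Mandiant or VMware; the log line format, host names, service names and marker strings are all constructed for illustration, and a real vCenter deployment would need its own parser and tuned markers:

```python
"""Hunt heuristic: a vmdird crash followed shortly by a persistence-like event
on the same host. Constructed example; log format and markers are assumptions."""
from datetime import datetime, timedelta

# Constructed, normalized log format: "<ISO8601Z> <host> <source> <message>"
SAMPLE_LOG = """\
2022-01-14T02:10:05Z vcsa01 vmdird Service started normally
2022-01-14T02:31:40Z vcsa01 kernel vmdird[2231]: segfault at 0 ip 00007f0 error 4
2022-01-14T02:31:41Z vcsa01 vmon Service vmdird exited unexpectedly, core dumped
2022-01-14T02:39:12Z vcsa01 audit New cron entry written: /etc/cron.d/update-check
2022-01-14T02:40:03Z vcsa01 vmon Service vmdird restarted
2022-01-15T11:00:00Z vcsa02 vmon Service vmdird exited unexpectedly, core dumped
2022-01-15T15:30:00Z vcsa02 audit New cron entry written: /etc/cron.d/logrotate-extra
2022-01-16T09:00:00Z vcsa03 audit New cron entry written: /etc/cron.d/backup
"""

# Illustrative marker strings (assumptions, not vendor log formats).
CRASH_MARKERS = ("core dumped", "segfault", "exited unexpectedly")
PERSISTENCE_MARKERS = ("New cron entry written", "New systemd unit written")

def parse(lines):
    """Split each line into (timestamp, host, source, message)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split(" ", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, source, message))
    return events

def find_crash_then_persistence(lines, window_minutes=30):
    """Return one hit per persistence event that follows a vmdird crash on the
    same host within the window; a crash alone or a cron change alone is not a hit."""
    events = parse(lines)
    window = timedelta(minutes=window_minutes)
    crashes = [e for e in events
               if "vmdird" in f"{e[2]} {e[3]}" and any(m in e[3] for m in CRASH_MARKERS)]
    hits, seen = [], set()
    for c_ts, c_host, _, _ in crashes:            # earliest crash claims the follow-up
        for p_ts, p_host, _, p_msg in events:
            key = (p_host, p_ts, p_msg)
            if key in seen or p_host != c_host:
                continue
            if c_ts < p_ts <= c_ts + window and any(m in p_msg for m in PERSISTENCE_MARKERS):
                seen.add(key)
                hits.append({"host": c_host, "crash": c_ts.isoformat(),
                             "followup": p_ts.isoformat(), "detail": p_msg})
    return hits

if __name__ == "__main__":
    for hit in find_crash_then_persistence(SAMPLE_LOG):
        print(hit)
```

With the default 30-minute window only vcsa01 is flagged: vcsa02's cron change comes hours after its crash, and vcsa03 has no crash at all.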

“While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability,” Mandiant noted on Friday.

The threat hunters said fewer than 10 known organizations were compromised via the vSphere hole, though declined to say which industries the snoops were targeting in these attacks.

Speaking of China…

Also on Friday the US government’s CISA issued an emergency directive requiring federal agencies to apply mitigations to Ivanti Connect Secure devices “as soon as possible and no later than 2359 EST on Monday, January 22.”

Ivanti disclosed, and issued mitigations for, two zero-days on January 10, and since then security researchers have warned that at least 1,700 devices have been compromised via the bugs, likely by Chinese nation-state attackers.

In a call with reporters on Friday, CISA Executive Assistant Director Eric Goldstein said about 15 federal agencies had the flawed Ivanti VPN servers in use, though noted they have already apparently applied the mitigations. 

“We are not assessing a significant threat to the federal enterprise, but we know that risk is not zero,” he said. 

While the US government has not attributed the exploits to a PRC-linked crew, Goldstein said the Feds have a “persistent concern” about China-backed criminals targeting government networks and these types of devices.

“At this time, we do not have any evidence to suggest that PRC actors have used these vulnerabilities to exploit federal agencies,” Goldstein said. 

Later, he added: “Exploitation of these products would be consistent with what we have seen from PRC actors like Volt Typhoon in the past.” ®