
Chinese Hackers Quietly Exploited VMware Zero-Day Flaw for Two Years



A China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been found to have quietly weaponized a zero-day vulnerability in VMware vCenter Server since late 2021, according to a report from Mandiant, the Google-owned cybersecurity firm. The group, tracked as UNC3886, has a history of using zero-day vulnerabilities to avoid detection, which points to a well-resourced and technically capable actor.


The vulnerability in question is CVE-2023-34048, an out-of-bounds write in vCenter Server's implementation of the DCERPC protocol, rated CVSS 9.8. A malicious actor with network access to vCenter Server can trigger it to achieve remote code execution. VMware fixed the flaw on October 24, 2023 (VMSA-2023-0023) and later updated the advisory to confirm that it had been exploited in the wild; what makes the finding notable is that the exploitation began roughly two years before the fix shipped.


UNC3886 first came to light in September 2022, when Mandiant found it exploiting previously unknown security flaws in VMware to deploy the VIRTUALPITA and VIRTUALPIE malware families, backdooring ESXi hypervisors and the Windows and Linux systems behind them.


Mandiant's latest findings show that UNC3886 used the CVE-2023-34048 zero-day to gain privileged access to the vCenter system, enumerate the ESXi hosts it managed, and install malware. The attackers then retrieved the "vpxuser" credentials for those hosts (vpxuser is the service account that vCenter creates on every ESXi host it manages, and whose credentials vCenter itself stores so that it can administer the host), connected directly to the hosts with them, and installed malware to obtain direct, persistent access to the hypervisors.
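The chain above turns on one reusable observation: vCenter is the only thing that should ever authenticate to an ESXi host as vpxuser, and it does so over the host's management API from its own address, never over SSH. The detector below, an added example that is not part of the article or of Mandiant's report, applies that rule to ESXi log lines. The two line shapes it parses approximate a hostd.log "logged in" event and the OpenSSH "Accepted" message from /var/log/auth.log; the sample lines, addresses, client strings and the vCenter allowlist are constructed for this example and would need to be replaced with your own.

```python
"""Flag ESXi logins as the vCenter service account "vpxuser" that vCenter
would not have made.

Two rules are applied:
  1. a vpxuser login via the management API (hostd) from an address that is
     not a known vCenter is suspicious;
  2. any vpxuser SSH login at all is suspicious, because vCenter does not
     drive this account over SSH.

Log formats are approximations of ESXi's hostd.log and auth.log; the sample
below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass

# Constructed sample log (assumed format, not a real capture).
SAMPLE_LOG = """\
2023-11-02T08:15:09.101Z info hostd[2099500] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 812 : User vpxuser@10.10.5.250 logged in as VMware vpxd
2023-11-02T08:16:44.220Z info hostd[2099500] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 813 : User vpxuser@10.10.9.77 logged in as pyvmomi Python/3.8.10
2023-11-02T08:20:13Z sshd[2050100]: Accepted keyboard-interactive/pam for vpxuser from 10.10.9.77 port 55700 ssh2
2023-11-02T08:21:00Z sshd[2050120]: Accepted keyboard-interactive/pam for root from 10.10.5.21 port 50122 ssh2
2023-11-02T08:21:30Z sshd[2050130]: Failed keyboard-interactive/pam for vpxuser from 10.10.9.77 port 55701 ssh2
"""

# Management addresses of the vCenter Server(s) that own these hosts (assumed).
VCENTER_ADDRESSES = {"10.10.5.250"}

SERVICE_ACCOUNT = "vpxuser"

# hostd session event: "... User <user>@<source> logged in as <client string>"
HOSTD_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+).*?\bUser (?P<user>[^@\s]+)@(?P<src>\S+) logged in as (?P<client>.+?)\s*$"
)
# OpenSSH success line; "Failed ..." lines deliberately do not match.
SSH_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str
    channel: str   # "hostd" (management API) or "ssh"
    reason: str


def find_suspicious_vpxuser_logins(log_text, vcenter_addresses=frozenset(VCENTER_ADDRESSES)):
    """Return one Alert per vpxuser login that does not look like vCenter's own use."""
    alerts = []
    for line in log_text.splitlines():
        m = HOSTD_LOGIN_RE.match(line)
        if m:
            if m["user"] != SERVICE_ACCOUNT or m["src"] in vcenter_addresses:
                continue  # other accounts, or vCenter using its own service account
            alerts.append(Alert(m["ts"], m["src"], "hostd",
                                f"vpxuser API login from non-vCenter address (client: {m['client']})"))
            continue
        m = SSH_LOGIN_RE.match(line)
        if m and m["user"] == SERVICE_ACCOUNT:
            # Successful SSH login as the service account: always worth a look,
            # whatever the source address.
            alerts.append(Alert(m["ts"], m["src"], "ssh", "vpxuser interactive SSH login"))
    return alerts


def sources_by_alert_count(alerts):
    """Summarise alerts per source address, most active first."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_suspicious_vpxuser_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.channel:5} {a.source:15} {a.reason}")
    print(sources_by_alert_count(found))
```

On the constructed sample this reports two events, both from 10.10.9.77: an API login as vpxuser from an address that is not the vCenter, and an SSH login as vpxuser. Failed attempts and logins by other accounts are ignored; if you want to catch password guessing against vpxuser as well, extend the SSH rule to the "Failed" lines. The allowlist is the part that must be accurate in practice: every vCenter (and any approved automation that legitimately reuses vpxuser) has to be in it, or the detector will page on normal operation.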


This fits a pattern in which UNC3886 chains vulnerabilities to move from the hypervisor into the workloads on it: CVE-2023-20867, disclosed in June 2023, is a VMware Tools authentication bypass that let the group execute arbitrary commands on guest VMs and transfer files to and from them once it had compromised the underlying ESXi host, without needing guest credentials. VMware vCenter Server users are advised to update to a fixed version; because CVE-2023-34048 is reachable by anyone with network access to vCenter, access to the vSphere management interfaces should also be tightly restricted rather than relied upon as an afterthought.


UNC3886 has also targeted Fortinet appliances running FortiOS, exploiting CVE-2022-41328 to deploy the THINCRUST and CASTLETAP implants for executing arbitrary commands and exfiltrating sensitive data. The group concentrates on firewall and virtualization appliances because they do not support endpoint detection and response (EDR) agents, which lets it persist in target environments for extended periods with little chance of being noticed.

