
Mandiant more confident Chinese hackers were behind VMware hypervisor malware campaign


Researchers at Mandiant are more confident that a hacking campaign targeting VMware ESXi hosts, vCenter servers and Windows virtual machines in late 2022 was conducted by a Chinese cyber espionage group.

The research is a follow-up to a September post in which Mandiant said it had observed an attacker leveraging legitimate VMware tools to send commands to Windows guest machines during an incident response investigation. But that post offered only a heavily qualified attribution, giving a low-confidence assessment that the group had a "nexus" to China.

Mandiant and Google Cloud senior threat researcher Rufus Brown, who is one of the authors of the research, told SC Media that the company has since discovered a number of additional links.

"We have observed significantly more activity since the last blog, including more targeting and overlaps with other Chinese activity,” said Brown.

In a June 13 blog post, four researchers at the company also detailed how the group it tracks as UNC3886 exploited a zero-day vulnerability (CVE-2023-20867) to execute privileged commands on Windows, Linux and PhotonOS (vCenter) guest virtual machines from a compromised ESXi host, without authenticating with guest credentials.

UNC3886 then deployed backdoors on ESXi hosts for lateral movement and continued persistence. 

In a June 13 advisory, VMware described the VMware Tools authentication bypass vulnerability as low severity, with a CVSSv3 base score of 3.9, since an attacker must already have root access on the ESXi host to exploit it. However, bug hunters caution that complex intrusions often chain many exploits together, and a vulnerability's severity score is not always indicative of how useful it can be to an adversary.

Mandiant said it has identified additional attacker scripts since September that have enabled the group to obtain vpxuser credentials, enumerate ESXi hosts and their guest VMs, and manipulate ESXi host firewall rules.

The security firm also confirmed that the espionage group relies on multiple backdoors that use VMCI sockets for lateral movement and continued persistence. At a high level, Mandiant explained that “VMCI sockets are end points that enable low latency and high throughput communication between the ESXi host and its guest VMs over a channel localized on the bare metal machine running the ESXi host.”

The backdoors give the group a new means of persistence for regaining access, and they are attractive to an attacker because, among other benefits, they bypass the network segmentation usually required to reach the ESXi host, circumvent most security reviews of open listening ports and unusual NetFlow behavior, and require nothing more than access to any virtual machine in order to regain access to the ESXi host.

Continued investigation of the espionage group reinforces that UNC3886 has a “deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform,” Mandiant researchers wrote. 

While Mandiant continues to study the group, there are signs that the threat actor may be learning from the researchers as well. In the past, when Mandiant and other security firms have publicly shared atomic indicators of compromise such as file names and hashes, UNC3886 has been observed replacing them within a week of their release. For this reason, the authors said they have focused on providing insights into the "tactics and methodologies" of the group so that defenders can identify patterns of malicious behavior regardless of the specific malware or commands being leveraged.

“UNC3886 continues to present challenges to investigators by disabling and tampering with logging services, selectively removing log events related to their activity,” the researchers continued. “The threat actors’ retroactive cleanup performed within days of past public disclosures on their activity indicates how vigilant they are.”
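The two preceding paragraphs make a practical point for defenders: a hash or file-name indicator stops matching the moment the attacker renames or re-pads a file, while the behaviors Mandiant attributes to the group (guest enumeration, ESXi firewall rule changes, disabling or reconfiguring logging, running scripts from hidden directories) leave the same traces in the ESXi shell log whatever the tooling is called. The following is an added example written for this article, not code from Mandiant or VMware: it contrasts an atomic hash IOC with a small behavior-correlation rule set run over constructed shell-log lines. The log lines, the script bytes and the regexes are all this example's own assumptions; the line format is modelled on ESXi's /var/log/shell.log and the commands are ordinary esxcli and vim-cmd invocations, but nothing here is an indicator from the real incident.

```python
"""Atomic IOC matching versus behavior correlation over ESXi shell activity (added example)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ESXi /var/log/shell.log format.
# These are illustrative only, not log lines from the incident in the article.
SAMPLE_SHELL_LOG = """\
2023-06-13T08:01:12Z shell[2101234]: [root]: esxcli system version get
2023-06-13T08:02:40Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms
2023-06-13T08:03:05Z shell[2101234]: [root]: esxcli network firewall ruleset set --ruleset-id sshServer --enabled true
2023-06-13T08:03:31Z shell[2101234]: [root]: /etc/init.d/vmsyslogd stop
2023-06-13T08:04:02Z shell[2101234]: [root]: esxcli system syslog config set --loghost=
2023-06-13T08:05:17Z shell[2101234]: [root]: sh /tmp/.x/svc.sh
2023-06-13T14:10:00Z shell[2101890]: [root]: esxcli storage filesystem list
2023-06-13T14:11:30Z shell[2101890]: [root]: esxcli network firewall ruleset list
"""

# Constructed stand-in for a dropped script; the hash below is the "atomic IOC".
CONSTRUCTED_BAD_SCRIPT = b"#!/bin/sh\n# hypothetical dropper used only for this example\nexec /tmp/.x/svc\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_SCRIPT).hexdigest()}

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Behavior rules keyed by the tactics the article attributes to the group.
# The regexes are this example's assumptions, not Mandiant's detection logic.
BEHAVIOUR_RULES = {
    "enumeration": re.compile(r"vim-cmd vmsvc/getallvms|esxcli vm process list"),
    "firewall_tamper": re.compile(r"esxcli network firewall (ruleset set|set)\b"),
    "logging_tamper": re.compile(r"vmsyslogd (stop|restart)|esxcli system syslog config set|>\s*/var/log/"),
    "hidden_script_exec": re.compile(r"\b(sh|python)\s+/tmp/\.[^\s]+"),
}


def hash_ioc_hit(content: bytes) -> bool:
    """Atomic IOC check: true only for the exact bytes that were hashed."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256


def parse(log_text: str) -> list:
    """Parse shell.log-style lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "pid": m["pid"], "user": m["user"], "cmd": m["cmd"]})
    return events


def tag_behaviours(events: list) -> list:
    """Attach the set of matching behavior categories to every event."""
    for ev in events:
        ev["tags"] = {name for name, rx in BEHAVIOUR_RULES.items() if rx.search(ev["cmd"])}
    return events


def correlate(events: list, window=timedelta(minutes=15), min_distinct=2) -> list:
    """Alert per shell session (pid) when at least `min_distinct` different
    behavior categories occur within `window`; one noisy rule alone is not enough."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["tags"]:
            by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen |= ev["tags"]
            if len(seen) >= min_distinct:
                alerts.append({"pid": pid, "first": start["ts"], "tactics": sorted(seen)})
                break
    return alerts


def hunt(log_text: str = SAMPLE_SHELL_LOG) -> list:
    return correlate(tag_behaviours(parse(log_text)))


if __name__ == "__main__":
    # The same one-byte change that defeats the hash IOC leaves the behavior alerts intact.
    print("hash IOC, original bytes:", hash_ioc_hit(CONSTRUCTED_BAD_SCRIPT))
    print("hash IOC, re-padded bytes:", hash_ioc_hit(CONSTRUCTED_BAD_SCRIPT + b"\n"))
    for alert in hunt():
        print(f"session {alert['pid']} from {alert['first']:%H:%M:%S}: {', '.join(alert['tactics'])}")
```

The correlation step is the part worth keeping: a single firewall or syslog change is routine administration, but enumeration, firewall manipulation and log tampering from one shell session inside a quarter of an hour is the sequence the article describes, and it is unaffected by whatever the dropped files happen to be named.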

Senior editor and reporter Derek B. Johnson contributed to this story.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
