VMware today patched a VMware ESXi zero-day vulnerability exploited by a Chinese-sponsored hacking group to hijack Windows and Linux virtual machines and steal data.

The cyber espionage group, tracked under the number UNC3886 by the cybersecurity firm Mandiant which uncovered the attacks, abused the CVE-2023-20867 VMware Tools Authentication Bypass Flaw for deploy VirtualPita and VirtualPie backdoors on guest VMs from compromised ESXi hosts where they escalated privileges to root.

“A fully compromised ESXi host can force VMware Tools to not authenticate host-guest operations, impacting the privacy and integrity of the guest virtual machine,” VMware said in the security advisory. Today.

The attackers installed the backdoor malware using maliciously crafted vSphere Installation Bundles (VIBs), packages designed to help administrators create and manage ESXi images.

A third malware strain (VirtualGate) that Mandiant spotted during the investigation acted as a memory-only dropper that de-obfuscated second-stage DLL payloads on hacked virtual machines.

“This open communication channel between guest and host, where either role can act as client or server, has enabled a new way of persistence to regain access on a host ESXi with a backdoor as long as a backdoor is deployed and the attacker gains initial access to any guest computer,” Mandiant said.

“This [..] further builds in-depth understanding and technical knowledge of UNC3886, ESXi, vCenter, and VMware’s virtualization platform. UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and use zero-day exploits on these platforms. »

​In March, Mandiant also revealed that Chinese UNC3886 hackers abused a zero-day vulnerability (CVE-2022-41328) in the same mid-2022 campaign to compromise FortiGate firewall devices and deploy previously unknown Castletap and Thincrust backdoors.

They used the access gained after hacking Fortinet devices and gaining persistence on FortiManager and FortiAnalyzer devices to move laterally through the victims’ network.

In the next step, they hijacked ESXi and vCenter machines using VirtualPita and VirtualPie malware to ensure that their malicious activities go undetected.

“The attack is highly targeted, with some hints of preferred government or government-related targets,” Fortinet said.

“The exploit requires a deep understanding of FortiOS and the underlying hardware. The custom implants show the actor has advanced capabilities, including reverse engineering various parts of FortiOS.”

This cyber espionage group is known to focus its attacks on organizations in the defense, government, telecommunications and technology sectors in the United States and PAJ regions.

Their favorite targets are zero-day vulnerabilities in firewall and virtualization platforms that lack endpoint detection and response (EDR) capabilities.

According to Mandiant, UNC3886’s use of a wide range of new malware families and malicious tools specifically tailored to the platforms they target suggests substantial research capabilities and an uncommon ability to understand the complex technology used by the targeted devices.

“It is a continuation of Chinese espionage that has been going on for years. This craft is very clever and difficult to detect. says BleepingComputer.

“They have successfully compromised defense, technology and telecommunications organizations with mature security programs in place.”