Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
An advanced cyber espionage group with ties to China, tracked as UNC3886, has been exploiting a critical zero-day vulnerability in VMware vCenter Server, CVE-2023-34048. The flaw is an out-of-bounds write with a CVSS severity score of 9.8; VMware patched it on October 24, 2023, but it had been actively exploited since late 2021. Mandiant’s investigation found that UNC3886 used the vulnerability to gain privileged access, deploy malware such as VIRTUALPITA and VIRTUALPIE, and execute arbitrary commands on affected systems.

The group’s tactics include harvesting credentials and installing malware to maintain access to and control over virtualized environments. A second VMware flaw, CVE-2023-20867, was also exploited to manipulate guest VMs from compromised hosts. UNC3886 has a history of targeting security appliances, having previously exploited a Fortinet FortiOS vulnerability, because such technologies typically lack endpoint detection and response (EDR) coverage. VMware has urged users to update to the latest version to protect against these threats.
Read more at The Hacker News…