Mandiant and VMware recently uncovered a sophisticated cyber espionage campaign. The attackers, a Chinese group identified as UNC3886, leveraged a known vulnerability in VMware software (CVE-2023-34048) to maintain access to the targeted systems for over a year.
This case highlights the importance of staying vigilant against persistent and evolving cyber threats.
Mandiant’s investigation revealed that UNC3886 employed advanced techniques to target vulnerable areas of technology that are beyond the reach of antivirus software.
This discovery underscores the need for a multi-layered security approach that goes beyond traditional antivirus measures.
Mandiant persisted with its investigation, with a specific focus on identifying the techniques utilized for deploying backdoors into vCenter systems.
Prevent malware from infecting your network at the delivery stage by intercepting malicious files in transit from their source to the target device’s web browser..
As per the analysis conducted by Mandiant, the crash of the “vmdird” process of VMware was found to be significantly linked to the exploitation of a specific vulnerability, namely CVE-2023-34048.
Though patched, Mandiant found evidence of these crashes in UNC3886 attacks between late 2021 and early 2022.
“Most environments where these crashes were observed had log entries preserved, but the “vmdird” core dumps were removed,” reads the report.
This means the attackers had access to the vulnerability for over a year and a half before it was fixed.
This vulnerability, fixed in October 2023, allowed attackers to execute commands without authentication remotely.
Mandiant strongly recommends that all VMware users update to the latest version of vCenter to mitigate this risk.