Tuesday, February 27, 2024

Chinese Hackers Exploiting VMware 0-Day Flaw Since 2021

Mandiant and VMware recently uncovered a sophisticated cyber espionage campaign. The attackers, a Chinese group identified as UNC3886, leveraged a known vulnerability in VMware software (CVE-2023-34048) to maintain access to the targeted systems for over a year.

This case highlights the importance of staying vigilant against persistent and evolving cyber threats.

Mandiant’s investigation revealed that UNC3886 employed advanced techniques to target vulnerable areas of technology that are beyond the reach of antivirus software.

This discovery underscores the need for a multi-layered security approach that goes beyond traditional antivirus measures.

attack path
VMWare 0 day Flaw

Mandiant persisted with its investigation, with a specific focus on identifying the techniques utilized for deploying backdoors into vCenter systems.

Document
Protect Your Network From Data Breach

Perimeter’s 81 Malware Protection for Network Based Threats

Prevent malware from infecting your network at the delivery stage by intercepting malicious files in transit from their source to the target device’s web browser..

As per the analysis conducted by Mandiant, the crash of the “vmdird” process of VMware was found to be significantly linked to the exploitation of a specific vulnerability, namely CVE-2023-34048.

Though patched, Mandiant found evidence of these crashes in UNC3886 attacks between late 2021 and early 2022.

“Most environments where these crashes were observed had log entries preserved, but the “vmdird” core dumps were removed,” reads the report.

This means the attackers had access to the vulnerability for over a year and a half before it was fixed.

This vulnerability, fixed in October 2023, allowed attackers to execute commands without authentication remotely.

Mandiant strongly recommends that all VMware users update to the latest version of vCenter to mitigate this risk.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Zyxel Firewall Flaw Let Attackers Execute Remote Code

Four new vulnerabilities have been discovered in some of the Zyxel Firewall and access...

Hackers Abuse Telegram API To Exfiltrate User Information

Attackers have been using keywords like "remittance" and "receipts" to spread phishing scripts using...

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles