Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years

Even the most careful VMware customers may need to go back and double check that they weren't compromised by a zero-day exploit for CVE-2023-34048.

3 Min Read
The VMware logo against a colorful background
Source: rafapress via Shutterstock

One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat (APT) for years before a patch became available.

It was all-hands-on-deck in October when news first broke of CVE-2023-34048, a 9.8 out of 10 "critical" CVSS-rated out-of-bounds write vulnerability affecting vCenter Server, VMware's centralized platform for managing virtual environments. In a sign of just how severe this particular issue was, VMware went so far as to extend patches for end-of-life versions of the product, as well.

In at least some cases, though, all that effort might have been too little, too late. In a Jan. 19 blog post, Mandiant revealed that a Chinese threat actor it tracks as UNC3886 was covertly exploiting CVE-2023-34048 as a zero-day since at least late 2021.

"The exploitation of CVE-2023-34048 reflects a deep technical acumen, indicating a high level of proficiency in identifying and leveraging complex vulnerabilities within widely used software like VMware," says Callie Guenther, senior manager of cyber threat research at Critical Start.

UNC3886's VMWare Exploit

UNC3886, which Mandiant describes as a China-nexus espionage group, is exactly the threat actor to pull off this kind of trick. Though relatively little is known of it, it has been outed for targeting VMware environments before.

Last year for example, Mandiant pieced together that the actor had been exploiting a different VMware zero-day: CVE-2023-20867. This was a less serious (CVSS 3.9 out of 10, "low" severity) authentication issue in VMware Tools, a set of tools for enhancing performance in guest virtual machines (VMs).

A crucial missing piece at the time was how UNC3886 was obtaining full compromise over ESXi hosts — a necessary prerequisite for taking advantage of this flaw.

That answer lay in the VMware service's crash logs. There, analysts discovered that the VMware Directory Service (VMDIRD) reliably crashed just minutes before the group deployed its backdoors, "VirtualPita" and "VirtualPie." These crashes were associated with the exploitation of CVE-2023-34048.

It appears that this first stage of the exploit chain is what afforded the attackers remote code-execution (RCE) capabilities in its targets' environments, whereupon they'd steal credentials, and use them to compromise ESXi hosts connected to compromised vCenter server. Then came the backdoors, then the CVE-2023-20867 exploit.

The canary crashes were observed across multiple UNC3886 attacks between late 2021 and early 2022.

"The long-term strategy employed by UNC3886 in exploiting vulnerabilities aligns with the broader modus operandi of Chinese state-sponsored cyber activities," Guenther notes. "China's cyber espionage efforts are often characterized by strategic patience, persistence, and a focus on long-term intelligence gathering. This approach is indicative of their wider geopolitical and economic objectives, where sustained cyber operations support broader state goals. In this context, UNC3886's activities fit neatly into the larger narrative of China's systematic and methodical approach to cyber espionage and intelligence."

The Bottom Line for VMware Customers

Organizations that patched back in October may now need to double check their work to make sure they weren't compromised in the zero-day period.

And despite the hubbub made over CVE-2023-34048, and VMware's efforts to patch as many devices as possible, "it's plausible that numerous organizations may still be running unpatched or outdated versions," Guenther thinks.

"This could be due to a range of factors including lack of resources, complexities in the IT infrastructure, compatibility issues, or simply oversight in patch management processes," she says, adding that "organizations often face challenges in rapidly deploying patches, especially in large or complex environments, leading to windows of vulnerability that threat actors like UNC3886 can exploit."

Those still at risk can find remediation information in VMware's original security advisory from October.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights