A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant.
On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability tracked as CVE-2023-34048 and a partial information disclosure flaw assigned CVE-2023-34056 that affect vCenter Server. The vendor warned that exploitation of the former flaw, which received a CVSS score of 9.8, could allow an attacker to gain remote code execution on vulnerable machines. VMware credited Grigory Dorodnov, vulnerability researcher at Trend Micro's Zero Day Initiative, for reporting the issues.
On Wednesday, VMware updated the advisory with new information, warning customers that the out-of-bounds write vulnerability was under attack.
"VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild," VMware wrote in the security advisory.
In a separate blog post Friday, Mandiant attributed exploitation of CVE-2023-34048 to a China-nexus espionage group it tracks as UNC3886. More alarmingly, the researchers, along with VMware Product Security, discovered that exploitation dated back to late 2021. UNC3886 is known for leveraging zero-day vulnerabilities as part of its evasion techniques and for targeting technologies that do not typically have endpoint detection and response deployed.
One such zero-day flaw was CVE-2023-20867, an authentication bypass vulnerability in VMware Tools that affects the company's ESXi hypervisor. Mandiant discovered the flaw during an investigation into a novel malware family that targeted VMware products.
During an investigation into the threat actor's evasion techniques in those attacks, researchers found that backdoors had been deployed to compromised vCenter systems, but it took time to find the attack vector. In late 2023, Mandiant discovered evidence of CVE-2023-34048 exploitation in the service crash logs of affected vCenter systems.
"While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability," Mandiant researchers wrote in the blog post.
Mandiant said most of the environments with these types of crashes had log entries intact, but the VMware crash dumps themselves had been removed. "VMware's default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks," the researchers wrote.
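The detection idea in that finding, written out as an added example that is not code from Mandiant, VMware or this article: crash log entries that name a core dump which is no longer on disk are worth flagging, since default configurations retain dumps indefinitely. The log line layout, service names and file paths below are constructed assumptions, not vCenter's real formats.

```python
import os
import re
from collections import Counter

# Constructed log format (assumption, not VMware's): one crash per line,
# naming the service that crashed and the core dump it wrote.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) crash service=(?P<svc>\S+) core=(?P<core>\S+)$"
)


def parse_crash_entries(lines):
    """Extract crash records from log lines; non-crash lines are ignored."""
    entries = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if m:
            entries.append(
                {"ts": m.group("ts"), "service": m.group("svc"), "core": m.group("core")}
            )
    return entries


def cores_on_disk(core_dir):
    """Full paths of core dump files currently present in core_dir."""
    return [os.path.join(core_dir, name) for name in os.listdir(core_dir)]


def find_missing_core_dumps(lines, present_cores):
    """Crash entries whose referenced core dump no longer exists.

    A crash record with no matching dump is the pattern the article
    describes: log intact, evidence of the crash itself removed."""
    present = set(present_cores)
    return [e for e in parse_crash_entries(lines) if e["core"] not in present]


def missing_by_service(lines, present_cores):
    """Count missing dumps per service to spot repeated cleanup of one target."""
    return dict(Counter(e["service"] for e in find_missing_core_dumps(lines, present_cores)))


# Constructed sample data: two crashes of one service lost their dumps,
# a third crash of another service still has its dump on disk.
SAMPLE_LOG = [
    "2021-12-03T02:14:07Z crash service=example-svc core=/var/core/core.example-svc.1001",
    "2021-12-03T02:14:55Z crash service=example-svc core=/var/core/core.example-svc.1002",
    "2022-01-15T11:02:31Z crash service=other-svc core=/var/core/core.other-svc.2001",
    "2022-01-15T11:03:00Z info service=other-svc restarted",
]
SAMPLE_CORES = ["/var/core/core.other-svc.2001"]

if __name__ == "__main__":
    for e in find_missing_core_dumps(SAMPLE_LOG, SAMPLE_CORES):
        print(f"{e['ts']} {e['service']}: dump missing -> {e['core']}")
```

On a real host, pass the output of cores_on_disk() for the configured core directory in place of SAMPLE_CORES.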
It's unclear whether the exploitation activity is ongoing or whether VMware's advisory update referred only to the past exploitation by UNC3886. TechTarget Editorial contacted VMware for comment, but the company had not responded as of press time.
Security news director Rob Wright contributed to this article.
Arielle Waldman is a Boston-based reporter covering enterprise security news.