January 19, 2024 at 11:38AM
Summary:
A Chinese hacking group exploited a vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021, using it to breach targets’ servers, escalate privileges, and exfiltrate files. The group, UNC3886, also targeted Fortinet firewall devices with a zero-day. Its preferred targets include defense, government, telecom, and tech sectors in the US and APJ region.
Key Takeaways from Meeting Notes:
– A Chinese hacking group, UNC3886, has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021.
– The vulnerability was used to breach targets’ vCenter servers and deploy backdoors on ESXi hosts, as well as escalate privileges, harvest files, and exfiltrate them from guest VMs.
– Mandiant observed crashes related to UNC3886 across multiple cases between late 2021 and early 2022, indicating a window of roughly a year and a half during which the attacker had access to the vulnerability.
– UNC3886 focuses on organizations in the defense, government, telecom, and technology sectors in the United States and the APJ region.
– The group targets zero-day security flaws in firewall and virtualization platforms that don’t have EDR capabilities.
– In addition to exploiting the vCenter Server vulnerability, UNC3886 also abused a Fortinet zero-day (CVE-2022-41328) to compromise FortiGate firewall devices and install previously unknown backdoors.
– The attack is highly targeted, hinting at preferred governmental or government-related targets and the actor’s advanced capabilities.