Chinese Spies Exploited VMware vCenter Server Vulnerability Since 2021

January 22, 2024 at 06:12AM

Mandiant reports that a Chinese cyberespionage group exploited a zero-day vulnerability in VMware vCenter Server (CVE-2023-34048) since 2021. The flaw allows remote code execution and was actively exploited, with evidence suggesting a sophisticated China-linked group, UNC3886, as responsible. VMware released patches and urged customers to apply them promptly.

Key Takeaways from Meeting Notes:

1. A Chinese cyberespionage group, UNC3886, has been exploiting a zero-day vulnerability (CVE-2023-34048) in VMware vCenter Server since 2021.

2. The vulnerability is an out-of-bounds write bug in VMware’s implementation of the DCERPC protocol, with a CVSS score of 9.8, allowing attackers to execute arbitrary code remotely.

3. VMware released patches for the vulnerability in October and recently warned about in-the-wild exploitation.

4. Mandiant’s analysis indicates that UNC3886 utilized the vulnerability for over a year and a half without being detected, demonstrating their sophisticated capabilities.

5. The attackers’ exploitation of the vulnerability left characteristic entries in VMware service crash logs and was followed by the deployment of backdoors.

6. VMware has released patches for vCenter versions 8.0U2, 8.0U1, 7.0U3, 6.7U3, 6.5U3, and VCF 3.x, as well as for Async vCenter Server VCF 5.x and 4.x deployments, advising customers to apply them promptly.

7. It is crucial for VMware customers to apply the available patches to mitigate the risk posed by the vulnerability.
