If two areas of computer science are endlessly in the news, one of them is cyber security. The other, as you would have guessed by now, is Artificial Intelligence. There is barely a product or tool that has not been hacked by bad actors. Their relentless effort and perseverance, albeit for the wrong purpose, is still a tribute to human tenacity. The weaponization of VMware is the latest on the list, going by the information in the public domain: Chinese hackers have silently weaponized a VMware zero-day flaw for two years. Two years is a long time in any case, but given the level of access a zero-day provides, it is very difficult to fathom the full extent of the damage.
This is the handiwork of an advanced China-nexus cyber espionage group. The group was previously linked to the exploitation of security flaws in VMware and Fortinet appliances. It has now abused a critical vulnerability in VMware vCenter Server as a zero-day since 2021. Mandiant reported on Friday that “UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example demonstrates their capabilities.” The vulnerability in question is CVE-2023-34048.
This is an out-of-bounds write, which a malicious actor with network access to vCenter Server could use to achieve remote code execution. The zero-day is claimed to have been fixed on October 24, 2023. The leading virtualisation service provider accepted last week that “exploitation of CVE-2023-34048 has occurred in the wild.” UNC3886 came to light in Sept 2022 when it exploited unknown security flaws in VMware. Mandiant's current findings speak of a nation-state actor targeting this zero-day. It allowed the actor to gain privileged access to the vCenter system, ending in the installation of the VIRTUALPITA and VIRTUALPIE malware, “thereby enabling the adversary to directly connect to the hosts.”
Given the nature of the danger and the likely damage, VMware vCenter users are recommended to update to the latest version. The hacks enumerated above are not the only ones pertaining to these products and services. In recent years, UNC3886 has also taken advantage of CVE-2022-41328, a path traversal flaw in Fortinet FortiOS software. THINCRUST and CASTLEAP are deployed for exfiltrating sensitive data. Their methodology is to single out firewall and virtualization technologies, since these lack support for endpoint detection and response solutions. This helps them keep operating in the target environments for long periods of time.
GOOD STATE ACTORS HAVE TO COME TOGETHER IF THEY WANT TO RESCUE THEMSELVES FROM RAMPANT CYBER INSECURITY.
Have a nice evening.