2021: VMware’s Zero Day Unleashed, the Secret is Out


A recent report has found that Chinese nation-state actors have been exploiting a zero-day vulnerability in VMware's vCenter Server since late 2021. Using compromised credentials, the attackers gained privileged access to targeted vCenter systems and installed backdoors on the hosts they manage.

The vulnerability, tracked as CVE-2023-34048, was patched by VMware in October 2023, but many users have not updated to the latest version, leaving several hundred vulnerable instances of VMware vCenter Server exposed to the internet and at risk.

The Chinese cyber espionage group UNC3886 has been identified as the threat actor behind the exploitation of this vulnerability. The group has used the bug to target vCenter servers and, with compromised credentials, has installed backdoors on ESXi hosts. It has also used a second vulnerability, CVE-2023-20867, to escalate privileges and exfiltrate files from guest virtual machines.

Mandiant, the cybersecurity firm that reported this exploitation, notes that the attackers primarily targeted platforms without Endpoint Detection and Response (EDR) capabilities. The group has also exploited a Fortinet zero-day vulnerability to compromise firewall devices and install additional backdoors.

This incident highlights the growing role of nation-state actors in the cyber threat landscape and emphasizes the need for businesses and government entities to invest in and maintain strong security infrastructure.
