Mandiant and VMware Product Security found that the UNC3886 espionage group has been exploiting CVE-2023-34048 since late 2021, even though it was publicly reported and patched in October 2023.
Mandiant found new ways that UNC3886 uses to attack computer systems. They focus on technologies that don’t have EDR protection and use zero-day vulnerabilities to avoid detection. This shows their advanced capabilities.
By infosecbulletin
/ Saturday , March 29 2025
The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
By infosecbulletin
/ Thursday , March 27 2025
OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
By infosecbulletin
/ Thursday , March 27 2025
Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
By infosecbulletin
/ Thursday , March 27 2025
As the Eid holidays near, cybercriminals may try to take advantage of weakened security during this time. The CTI unit...
Read More
By infosecbulletin
/ Wednesday , March 26 2025
Operations at Kuala Lumpur International Airport (KLIA) were unaffected by a cyber attack in which hackers demanded US$10 million (S$13.4...
Read More
By infosecbulletin
/ Wednesday , March 26 2025
Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving...
Read More
By infosecbulletin
/ Wednesday , March 26 2025
On Tuesday, VMware issued an urgent fix for a security flaw in its VMware Tools for Windows. CVE-2025-22230 allows a...
Read More
By infosecbulletin
/ Tuesday , March 25 2025
Kubernetes users of the Ingress NGINX Controller are advised to fix four newly found remote code execution ( RCE) vulnerabilities,...
Read More
By infosecbulletin
/ Tuesday , March 25 2025
Next.js, a widely used React framework for building full-stack web applications, has fixed a serious security vulnerability. Used by many...
Read More
By infosecbulletin
/ Sunday , March 23 2025
A hacker known as “rose87168” claims to have stolen six million records from Oracle Cloud servers. The stolen data includes...
Read More
When CVE-2023-20867 was discovered in VMware’s tools, a diagram (Figure 1) showed the path of attacker activity in the VMware ecosystem (vCenter, ESXi Hypervisors, Virtualized Guest Machines). Mandiant kept researching the deployment of backdoors to vCenter systems with the available evidence.
In late 2023, a pattern was noticed in affected vCenter systems that revealed how the attacker was getting initial access. The VMware service crash logs (/var/log/vMonCoredumper.log) showed the “vmdird” service crashing shortly before attacker backdoors were installed.
Both Mandiant and VMware Product Security analyzed the core dump of “vmdird”. They found that the process crash is related to the exploitation of CVE-2023-34048. This vulnerability, known as the out-of-bounds write vCenter vulnerability, was patched in October 2023. It allows unauthenticated remote command execution on vulnerable systems.
The crashes were seen in several UNC3886 cases from late 2021 to early 2022. This vulnerability was publicly reported and fixed in October 2023. The attacker had around a year and a half to exploit this vulnerability. In most cases, log entries were kept, but the “vmdird” core dumps were deleted. The attacker likely removed the core dumps to hide their actions.
Mandiant recommends VMware users to update to the latest version of vCenter 8.0U2 to fix a vulnerability mentioned in the VMware advisory.