Mandiant and VMware Product Security found that the UNC3886 espionage group has been exploiting CVE-2023-34048 since late 2021, even though it was publicly reported and patched in October 2023.
Mandiant found new ways that UNC3886 uses to attack computer systems. They focus on technologies that don’t have EDR protection and use zero-day vulnerabilities to avoid detection. This shows their advanced capabilities.
By infosecbulletin
/ Friday , April 18 2025
Hackers can exploit a vulnerability in Asus routers to execute unauthorized functions. This serious issue, rated 9.2 out of 10,...
Read More
By infosecbulletin
/ Friday , April 18 2025
According to Shadowserver Foundation around 17,000 Fortinet devices worldwide have been compromised using a new technique called "symlink". This number...
Read More
By infosecbulletin
/ Friday , April 18 2025
A critical security flaw has been found in the Erlang/Open Telecom Platform (OTP) SSH implementation, allowing an attacker to run...
Read More
By infosecbulletin
/ Thursday , April 17 2025
On Wednesday, CISA alerted about increased breach risks due to the earlier compromise of legacy Oracle Cloud servers, emphasizing the...
Read More
By infosecbulletin
/ Thursday , April 17 2025
Cisco issued a security advisory about a serious vulnerability in its Webex App that allows unauthenticated remote code execution (RCE)...
Read More
By infosecbulletin
/ Thursday , April 17 2025
On Wednesday, Apple released urgent operating system updates to address two security vulnerabilities that had already been exploited in highly...
Read More
By infosecbulletin
/ Wednesday , April 16 2025
On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers...
Read More
By infosecbulletin
/ Wednesday , April 16 2025
Check Point Research warns of the active exploitation of a new vulnerability, CVE-2025-24054, which lets hackers leak NTLMv2-SSP hashes using...
Read More
By infosecbulletin
/ Wednesday , April 16 2025
Bengaluru's Whiteboard Technologies Pvt Ltd was hit by a ransomware attack, with hackers demanding a ransom of up to $70,000...
Read More
By infosecbulletin
/ Wednesday , April 16 2025
MITRE Vice President Yosry Barsoum warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness...
Read More
When CVE-2023-20867 was discovered in VMware’s tools, a diagram (Figure 1) showed the path of attacker activity in the VMware ecosystem (vCenter, ESXi Hypervisors, Virtualized Guest Machines). Mandiant kept researching the deployment of backdoors to vCenter systems with the available evidence.
In late 2023, a pattern was noticed in affected vCenter systems that revealed how the attacker was getting initial access. The VMware service crash logs (/var/log/vMonCoredumper.log) showed the “vmdird” service crashing shortly before attacker backdoors were installed.
Both Mandiant and VMware Product Security analyzed the core dump of “vmdird”. They found that the process crash is related to the exploitation of CVE-2023-34048. This vulnerability, known as the out-of-bounds write vCenter vulnerability, was patched in October 2023. It allows unauthenticated remote command execution on vulnerable systems.
The crashes were seen in several UNC3886 cases from late 2021 to early 2022. This vulnerability was publicly reported and fixed in October 2023. The attacker had around a year and a half to exploit this vulnerability. In most cases, log entries were kept, but the “vmdird” core dumps were deleted. The attacker likely removed the core dumps to hide their actions.
Mandiant recommends VMware users to update to the latest version of vCenter 8.0U2 to fix a vulnerability mentioned in the VMware advisory.