Tuesday , February 27 2024
vmware

Mandiant report
“Group UNC3886” exploiting VMware bug since late 2021

Mandiant and VMware Product Security found that the UNC3886 espionage group has been exploiting CVE-2023-34048 since late 2021, even though it was publicly reported and patched in October 2023.

Mandiant found new ways that UNC3886 uses to attack computer systems. They focus on technologies that don’t have EDR protection and use zero-day vulnerabilities to avoid detection. This shows their advanced capabilities.

CISA Issues Alert on APT29’s Cloud Infiltration Tactics

CISA and the UK's NCSC released a joint advisory about new tactics of Russian Foreign Intelligence Service (SVR) cyber actors....
Read More
CISA Issues Alert on APT29’s Cloud Infiltration Tactics

Bangladesh to form ‘Cyber Police Unit’: PM Sheikh Hasina

The Prime Minister of Bangladesh Sheikh Hasina has announced to form ‘Cyber Police Unit’, a separate unit to combat cyber...
Read More
Bangladesh to form ‘Cyber Police Unit’: PM Sheikh Hasina

Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

A critical security vulnerability has been revealed in the widely used WordPress plugin called Ultimate Member, which is installed on...
Read More
Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

Chainalysis Report
$100 million in crypto payments to Myanmar scam syndicate

Investigators found that two cryptocurrency addresses linked to a company in Myanmar received nearly $100 million in deposits in less...
Read More
Chainalysis Report  $100 million in crypto payments to Myanmar scam syndicate

Microsoft released PyRIT, A Tool For Generative AI Systems

Microsoft has released a new open automation framework called PyRIT (Python Risk Identification Toolkit). It helps security professionals and machine...
Read More
Microsoft released PyRIT, A Tool For Generative AI Systems

NCSA organized a seminar on ‘Safe Internet Usage’ in Rangpur

The National Cyber Security Agency  (NCSA) rganized a seminar on 'Safe Internet Usage' at Rangpur District Shilpakala Academy Auditorium. Over...
Read More
NCSA organized a seminar on ‘Safe Internet Usage’ in Rangpur

LockBit new .onion address
LockBit returns; new five victims disclosed

LockBit restarted their ransomware operation on a new infrastructure after law enforcement disrupted their servers. Now, they threat to target...
Read More
LockBit new .onion address  LockBit returns; new five victims disclosed

Cyberattack halts Malawi Immigration Dept. Passport Services

The government of Malawi has stopped giving out passports after a cyber-attack on the immigration service's computer network. President Chakwera...
Read More
Cyberattack halts Malawi Immigration Dept. Passport Services

LockBit Reestablishes Dark Web Leak Site: Report

The LockBit ransomware group reactivated a hidden website on the dark web. They posted a long message written by their...
Read More
LockBit Reestablishes Dark Web Leak Site: Report

0/1 click Facebook account takeover; Nepalis talent rewarded

eta ranked Nepal's cyber security researcher Samip Aryal first in the White Hack (Hall of Fame) for finding a vulnerability...
Read More
0/1 click Facebook account takeover; Nepalis talent rewarded

When CVE-2023-20867 was discovered in VMware’s tools, a diagram (Figure 1) showed the path of attacker activity in the VMware ecosystem (vCenter, ESXi Hypervisors, Virtualized Guest Machines). Mandiant kept researching the deployment of backdoors to vCenter systems with the available evidence.

In late 2023, a pattern was noticed in affected vCenter systems that revealed how the attacker was getting initial access. The VMware service crash logs (/var/log/vMonCoredumper.log) showed the “vmdird” service crashing shortly before attacker backdoors were installed.

Both Mandiant and VMware Product Security analyzed the core dump of “vmdird”. They found that the process crash is related to the exploitation of CVE-2023-34048. This vulnerability, known as the out-of-bounds write vCenter vulnerability, was patched in October 2023. It allows unauthenticated remote command execution on vulnerable systems.

The crashes were seen in several UNC3886 cases from late 2021 to early 2022. This vulnerability was publicly reported and fixed in October 2023. The attacker had around a year and a half to exploit this vulnerability. In most cases, log entries were kept, but the “vmdird” core dumps were deleted. The attacker likely removed the core dumps to hide their actions.

Mandiant recommends VMware users to update to the latest version of vCenter 8.0U2 to fix a vulnerability mentioned in the VMware advisory.

Check Also

Cyberattack halts Malawi Immigration Dept. Passport Services

The government of Malawi has stopped giving out passports after a cyber-attack on the immigration …

Leave a Reply

Your email address will not be published. Required fields are marked *