Mandiant and VMware Product Security found that the UNC3886 espionage group has been exploiting CVE-2023-34048 since late 2021, even though it was publicly reported and patched in October 2023.
Mandiant found new ways that UNC3886 uses to attack computer systems. They focus on technologies that don’t have EDR protection and use zero-day vulnerabilities to avoid detection. This shows their advanced capabilities.
By infosecbulletin
/ Saturday , July 27 2024
India’s Communications Minister Chandra Sekhar Pemmasani confirmed a breach at the state-owned telecom operator BSNL on May 20 during a...
Read More
By infosecbulletin
/ Saturday , July 27 2024
Malware based threats increased by 30% in the first half of 2024 compared to the same period in 2023, according...
Read More
By infosecbulletin
/ Friday , July 26 2024
A new critical vulnerability in the Domain Name System (DNS) has been found. This vulnerability allows a specialized attack called...
Read More
By infosecbulletin
/ Friday , July 26 2024
A serious vulnerability, CVE-2023-45249 (CVSS 9.8), has been found in Acronis Cyber Infrastructure (ACI), a widely used software-defined infrastructure solution...
Read More
By infosecbulletin
/ Friday , July 26 2024
OpenAI is testing a new search engine "SearchGPT" using generative artificial intelligence to challenge Google's dominance in the online search...
Read More
By infosecbulletin
/ Thursday , July 25 2024
CISA released two advisories about security issues for Industrial Control Systems (ICS) on July 25, 2024. These advisories offer important...
Read More
By infosecbulletin
/ Thursday , July 25 2024
Tenable security researchers found a vulnerability in Google Cloud Platform's Cloud Functions service that could allow an attacker to access...
Read More
By infosecbulletin
/ Thursday , July 25 2024
BDG e-GOV CIRT's Cyber Threat Intelligence Unit has noticed a concerning increase in cyber-attacks against web applications and database servers...
Read More
By infosecbulletin
/ Thursday , July 25 2024
GitLab released a security update today to fix six vulnerabilities in its software. Although none of the flaws are critical,...
Read More
By infosecbulletin
/ Thursday , July 25 2024
Sekoia.io and Intrinsec analyzed the Quad7 (7777) botnet, which uses TCP port 7777 on infected routers to carry out brute-force...
Read More
When CVE-2023-20867 was discovered in VMware’s tools, a diagram (Figure 1) showed the path of attacker activity in the VMware ecosystem (vCenter, ESXi Hypervisors, Virtualized Guest Machines). Mandiant kept researching the deployment of backdoors to vCenter systems with the available evidence.
In late 2023, a pattern was noticed in affected vCenter systems that revealed how the attacker was getting initial access. The VMware service crash logs (/var/log/vMonCoredumper.log) showed the “vmdird” service crashing shortly before attacker backdoors were installed.
Both Mandiant and VMware Product Security analyzed the core dump of “vmdird”. They found that the process crash is related to the exploitation of CVE-2023-34048. This vulnerability, known as the out-of-bounds write vCenter vulnerability, was patched in October 2023. It allows unauthenticated remote command execution on vulnerable systems.
The crashes were seen in several UNC3886 cases from late 2021 to early 2022. This vulnerability was publicly reported and fixed in October 2023. The attacker had around a year and a half to exploit this vulnerability. In most cases, log entries were kept, but the “vmdird” core dumps were deleted. The attacker likely removed the core dumps to hide their actions.
Mandiant recommends VMware users to update to the latest version of vCenter 8.0U2 to fix a vulnerability mentioned in the VMware advisory.