Company VMware released a security update to fix a vulnerability in its hypervisor ESXiwhich was actively used by a Chinese hacker group to hack into virtual machines Windows And linux for the purpose of stealing data.

Reportedly researchers Mandiantwho discovered these attacks, a cybercriminal group known by the code name UNC3886abused a zero-day vulnerability CVE-2023-20867 V VMware Tools, which allows you to bypass authentication between the hypervisor and guest virtual machines. Thus, the attackers deployed hidden VirtualPita and VirtualPie backdoors on infected virtual machines and obtained superuser privileges.

“A fully compromised ESXi host can result in VMware Tools being unable to authenticate transactions between the host and guest VM, compromising the privacy and integrity of the guest VM,” reads official recommendation for VMware security.

The attackers installed malware using specially crafted vSphere Installation Bundles (VIBs) designed to create and maintain ESXi images.

Another type of malware, VirtualGate, which Mandiant noticed during its investigation, acted as a dropper that decrypted DLL-files of the second stage of infection on captured virtual machines.

“This open communication channel between guest and host systems, where either of them can act as a client or server, allows you to create a new way to maintain access to a fake ESXi host until a full-fledged backdoor is deployed and an attacker gains access to any guest machine,” says Mandiant.

“This once again confirms the deep understanding and technical knowledge of ESXi, vCenter and the VMware virtualization platform on the part of the UNC3886 hackers. The grouping continues to attack devices and platforms that traditionally do not have EDRsolutions and use zero-day exploits on these platforms,” the experts added.

In March, Mandiant also reported that the same Chinese cybercriminals UNC3886 used a different vulnerability day zero ( CVE-2022-41328 ) in a similar campaign since mid-2022 to compromise FortiGate firewall devices and deploy previously unknown Castletap and Thincrust backdoors. The attackers used access gained after hacking into Fortinet devices and persistence on FortiManager and FortiAnalyzer devices to traverse horizontally through the victim network.

According to Mandiant, UNC3886’s use of a wide range of new families of malware and malicious tools specifically tailored to the platforms under attack demonstrates the significant capabilities of hackers and a clear understanding of the complex technologies used on target devices.