Vendor News

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021

January 30, 2024

Although CVE-2023-34048 was publicly reported and patched in October 2023, Mandiant and VMware Product Security have found that UNC3886, a highly advanced China-nexus espionage group, has been exploiting the vulnerability as far back as late 2021.

These findings stem from Mandiant’s continued research into the novel attack paths used by UNC3886, which has historically focused on technologies on which EDR cannot be deployed. UNC3886 has a track record of using zero-day vulnerabilities to complete its mission without being detected, and this latest example further demonstrates its capabilities.

When covering the discovery of CVE-2023-20867 in VMware’s tools, the attack path in Figure 1 was presented, describing the flow of attacker activity within the VMware ecosystem (i.e., vCenter, ESXi hypervisors, virtualized guest machines). At the time, with the evidence available, Mandiant continued researching how backdoors were being deployed to vCenter systems.