Mandiant Uncovers China-Linked Cyberattack Campaign

China Linked APT UNC3886 exploited VMware Zeroday since 2021.

Admin

June 19, 2024

Mandiant researchers have shed light on the extensive cyberattacks conducted by a suspected Chinese state-sponsored hacking group known as UNC3886.

According to a comprehensive report published by Google's Mandiant threat intelligence team, the malicious cyber espionage operations by UNC3886 have targeted major organizations worldwide across strategic sectors.

The revelations from Mandiant's in-depth analysis expose the group's meticulous tactics, which involve exploiting zero-day vulnerabilities and deploying an array of sophisticated malware to establish persistent access within compromised systems.

The report provides a detailed account of UNC3886's activities, shedding light on their modus operandi and the specific attack techniques employed.

Mandiant's investigation traced the group's extensive cyber campaign back to late 2021, during which time they successfully exploited a critical vulnerability (CVE-2023-34048) in VMware vCenter servers to gain unauthorized remote access.

"CVE-2023-34048 was not the only zero-day vulnerability exploited by UNC3886 during these intrusions." Mandiant wrote, "The threat actor exploited three other zero-day vulnerabilities, which have since been patched, to gain access when obtaining and abusing credentials of existing accounts was infeasible."

The three other previously undisclosed vulnerabilities that were exploited are-

CVE-2022-41328 in FortiOS was exploited to download and execute backdoors on FortiGate devices.
CVE-2022-22948 in VMware vCenter was exploited to obtain encrypted credentials in the vCenter's postgresDB for further access.
CVE-2023-20867 in VMware Tools was exploited to execute unauthenticated Guest Operations from ESXi host to guest virtual machines.

UNC3886 attack path diagram | Credit- Mandiant

According to the report, UNC3886 demonstrated a high level of operational security and employed advanced evasion techniques, including the deployment of publicly available rootkits like REPTILE and MEDUSA. These rootkits provided the attackers with persistent backdoor access and the ability to conceal their malicious activities from detection.

Mandiant's analysis further revealed that UNC3886 leveraged trusted third-party services, such as GitHub and Google Drive, as command-and-control channels for their malware.

This innovative tactic allowed the threat actors to blend in with legitimate network traffic, making their operations more challenging to detect.

In a particularly concerning development, the report uncovered UNC3886's attempts to subvert access and extract credentials from TACACS+ authentication servers used by network appliances for centralized access control.

TACACS is a network protocol used in computer networking for providing centralized authentication, authorization, and accounting (AAA) services. TACACS+ represents an enhanced and more robust version of the original TACACS protocol. Network appliances employ TACACS+ for security and access control, ensuring that authenticated users are authorized to execute actions that are monitored for auditing purposes.

"An unauthorized access to a system functioning as an authentication server like a TACACS+ server is an absolute security nightmare. The threat actor could access or manipulate user credentials and authorization policies stored within its database."

Successful compromise of such critical infrastructure could grant the attackers unfettered access to strategic networks and systems.

Mandiant's findings highlight the global nature of UNC3886's operations, with confirmed victims spanning North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia. The targeted sectors align with typical espionage objectives, including governments, telecommunications, technology, aerospace, defense, and energy utilities.

In response to the identified threats, Mandiant has released detection and hardening guidelines, as well as indicators of compromise (IoCs), to assist organizations in identifying and mitigating potential UNC3886 activities.

Additionally, Mandiant has collaborated with Google to provide rules and threat intelligence to SecOps Enterprise+ customers.

At the time, Mandiant had no evidence to discover how the attackers were deploying the backdoors to vCenter systems. Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noticed that most environments where these crashes were observed had log entries preserved, however, the ‘vmdird’ core dumps were removed.

Mandiant's report describes it as a valuable resource for understanding the evolving cyber threat landscape and the sophisticated tactics employed by state-sponsored actors.