This article covers the attack patterns that a Chinese espionage actor used against hypervisor virtualization environments to carry out “privileged guest” operations, and the vulnerabilities (identified by their CVE numbers) that the actor exploited. It describes the situations these attack patterns create, the damage they can cause, the precautions that can be taken, and how to protect against similar attacks.
First, the Chinese espionage group that carried out the attack, UNC3886, deliberately operates on platforms where EDR (Endpoint Detection and Response) agents cannot be installed or supported, in order to evade the EDR solutions that have recently strengthened detection on endpoint devices. For this reason, its attacks focus on ESXi, vSphere and the guest VMs running on them.
Although static IOCs have been published, the group reduces its risk of being noticed by changing static artefacts such as file hashes and file names. For this reason, this document describes IOA (Indicator of Attack) patterns rather than IOCs (Indicators of Compromise).
Impacts
Gathering credentials from the vPostgreSQL database running behind the vCenter Server Appliance
Executing privileged commands on Windows, Linux and PhotonOS guest VMs using the CVE-2023-20867 vulnerability
Dropping backdoors onto ESXi hosts via sockets
Increasing lateral movement and dwell time using VMCI
Attack Steps (In order)
Attacker gains privileged access to vCenter
Stealing the “vpxuser” credentials held on vCenter
Accessing ESXi hosts with the stolen credentials
Deploying a malicious VIB (vSphere Installation Bundle) on the ESXi host
Placing backdoors using VIRTUALPITA and VIRTUALPIE
Executing unauthenticated commands on guest VMs using the CVE-2023-20867 vulnerability on the exposed ESXi hosts
Executing unauthenticated commands on the chosen ESXi host with vpxuser, and the same command execution patterns on the guest VMs deployed on it
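The malicious VIB deployment step above leaves a trace that a defender can audit: the host's VIB inventory. As an added example (not code from the original article or from the actor's tooling), the following script parses the table printed by "esxcli software vib list" and flags bundles whose acceptance level is below the host's configured level (which can only happen through a forced install or a lowered host level), whose vendor is not on an allowlist, or that are absent from a golden-image baseline. The sample output, the vendor names and the baseline are constructed for illustration.

```python
"""Audit an ESXi VIB inventory for bundles that should not be there.

Added example, not from the original article. The sample text below is a
constructed imitation of the column layout printed by
`esxcli software vib list`; bundle names, vendors and dates are made up.
"""
import re
from dataclasses import dataclass

# ESXi acceptance levels, ordered from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 0,
    "VMwareAccepted": 1,
    "PartnerSupported": 2,
    "CommunitySupported": 3,
}

# Assumption: vendors whose VIBs are expected on these hosts.
TRUSTED_VENDORS = {"VMware", "VMW", "ExampleOEM"}

# Constructed sample in the shape of `esxcli software vib list` output.
SAMPLE_VIB_LIST = """\
Name                  Version                          Vendor      Acceptance Level    Install Date
--------------------  -------------------------------  ----------  ------------------  ------------
esx-base              8.0.0-1.0.20513097               VMware      VMwareCertified     2023-01-10
tools-light           12.1.5.20735119-20513097         VMware      VMwareCertified     2023-01-10
net-ixgben            1.7.1.35-1vmw.800.1.0.20513097   VMW         VMwareCertified     2023-01-10
lsu-provider          1.0.0-1OEM.800.1.0.20613240      ExampleOEM  PartnerSupported    2023-02-02
sample-unsigned-tool  1.0.0-1                          ExampleCo   CommunitySupported  2023-05-19
"""


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text):
    """Turn the tabular esxcli output into Vib records (columns are separated by 2+ spaces)."""
    vibs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "---")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 5:
            raise ValueError(f"unexpected row: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def audit_vibs(vibs, host_acceptance, trusted_vendors, baseline=None):
    """Return (vib_name, [reasons]) for every bundle that needs a closer look.

    host_acceptance is the value reported by `esxcli software acceptance get`.
    A VIB ranked below it can only have been installed with --force or after
    the host level was lowered, which is one way an untrusted bundle ends up
    on a host. baseline, if given, is the set of VIB names in the golden image.
    """
    host_rank = ACCEPTANCE_RANK[host_acceptance]
    findings = []
    for vib in vibs:
        reasons = []
        rank = ACCEPTANCE_RANK.get(vib.acceptance)
        if rank is None:
            reasons.append(f"unknown acceptance level {vib.acceptance!r}")
        elif rank > host_rank:
            reasons.append(f"{vib.acceptance} is below the host level {host_acceptance}")
        if vib.vendor not in trusted_vendors:
            reasons.append(f"vendor {vib.vendor!r} is not trusted")
        if baseline is not None and vib.name not in baseline:
            reasons.append("not in the golden-image baseline")
        if reasons:
            findings.append((vib.name, reasons))
    return findings


if __name__ == "__main__":
    inventory = parse_vib_list(SAMPLE_VIB_LIST)
    for name, reasons in audit_vibs(inventory, "PartnerSupported", TRUSTED_VENDORS):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real host, the inventory would come from the esxcli command on each ESXi host and the baseline from the image used to build them; comparing every host against that baseline is what turns a one-off check into a fleet-wide IOA.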
The scripts used by the actor discover and list the deployed ESXi servers and the guest virtual machines connected to these servers; they are used for:
Obtaining the “vpxuser” credentials held on the ESXi hosts in clear text,
Discovering all ESXi hosts connected to vCenter and the guest VMs connected to those hosts,
Adding or removing entries in the lists of IP addresses allowed for a specific service (by default sshServer) on all connected ESXi hosts.
The “vpxuser” credentials are of critical importance in the attack. vpxuser is a privileged service account that is created automatically when an ESXi host is connected to the vCenter server, and its password is rotated every 30 days. When vCenter needs to perform privileged operations on the host, it uses this service account, for example for:
Changing the ESXi host on which a VM runs
Changing VM configurations, etc.
Although the vpxuser password is normally stored encrypted, it can be recovered in clear text using the CVE-2022-22948 vulnerability.
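Because vpxuser exists only so that vCenter can manage the host over the vSphere API, its legitimate use has a very narrow shape: API sessions from the vCenter address, never SSH. That makes it a good IOA regardless of which tool or hash the actor uses. As an added example (not code from the original article), the following detector scans ESXi host logs for three of the patterns described above: a vpxuser API login from an address other than vCenter, a vpxuser SSH login, and any change to a firewall ruleset's allowed-IP list. The log lines are constructed imitations of hostd login events, sshd "Accepted" records and the ESXi shell.log command history; the addresses and the vCenter IP are assumptions.

```python
"""Flag use of the vpxuser service account outside its legitimate path.

Added example, not from the original article. All log lines below are
constructed: they imitate hostd login events, sshd "Accepted" records and
the ESXi shell.log command history, with made-up addresses.
"""
import re
from collections import namedtuple

# Assumption: the vCenter Server Appliance address(es) in this environment.
VCENTER_IPS = {"10.10.0.5"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOSTD_LOGIN = re.compile(
    rf"User (?P<user>[^@\s]+)@(?P<ip>{IPV4}) logged in as (?P<agent>.+)$")
SSHD_ACCEPT = re.compile(
    rf"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>{IPV4}) port")
SHELL_CMD = re.compile(r"shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
FW_ALLOWEDIP = re.compile(
    r"esxcli network firewall ruleset allowedip (?P<action>add|remove)\b")
FLAG_RULESET = re.compile(r"(?:-r|--ruleset-id)[ =](\S+)")
FLAG_IP = re.compile(r"(?:-i|--ip-address)[ =](\S+)")

Alert = namedtuple("Alert", "line reason")

SAMPLE_LINES = [  # constructed
    "2023-06-14T02:10:58Z esx01 Hostd: Event 1201 : User vpxuser@10.10.0.5 logged in as VMware vim-java 1.0",
    "2023-06-14T02:11:05Z esx01 Hostd: Event 1202 : User vpxuser@10.77.3.21 logged in as pyvmomi Python/3.8",
    "2023-06-14T02:11:40Z esx01 sshd[28012]: Accepted keyboard-interactive/pam for root from 10.10.0.40 port 50211 ssh2",
    "2023-06-14T02:12:03Z esx01 sshd[28044]: Accepted keyboard-interactive/pam for vpxuser from 10.77.3.21 port 50230 ssh2",
    "2023-06-14T02:12:31Z esx01 shell[28051]: [vpxuser]: esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.77.3.21",
    "2023-06-14T09:00:00Z esx01 Hostd: Event 1300 : User root@10.10.0.40 logged in as VMware Host Client",
]


def detect_host_ioa(lines, vcenter_ips):
    """Return one Alert per line that matches a vpxuser or firewall IOA."""
    alerts = []
    for line in lines:
        m = SSHD_ACCEPT.search(line)
        if m and m["user"] == "vpxuser":
            # vCenter talks to hostd over the API; it never opens an SSH session as vpxuser.
            alerts.append(Alert(line, f"vpxuser SSH login from {m['ip']}: vCenter never uses SSH for this account"))
            continue
        m = HOSTD_LOGIN.search(line)
        if m and m["user"] == "vpxuser" and m["ip"] not in vcenter_ips:
            alerts.append(Alert(line, f"vpxuser API login from {m['ip']}, which is not a vCenter address"))
            continue
        m = SHELL_CMD.search(line)
        if m:
            fw = FW_ALLOWEDIP.search(m["cmd"])
            if fw:
                ruleset = FLAG_RULESET.search(m["cmd"])
                ip = FLAG_IP.search(m["cmd"])
                alerts.append(Alert(line, (
                    f"{m['user']} changed the {ruleset.group(1) if ruleset else '?'} allowed-IP list "
                    f"({fw['action']} {ip.group(1) if ip else '?'})")))
    return alerts


if __name__ == "__main__":
    for alert in detect_host_ioa(SAMPLE_LINES, VCENTER_IPS):
        print(alert.reason)
```

The allowed-IP rule deliberately fires for every account, not just vpxuser: the page lists the sshServer allow-list change as an actor behaviour, and in most environments that list changes rarely enough that every change is worth a ticket. Changes made through the API rather than the shell will not appear in shell.log, so the same check should also be run against the host's firewall events.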
APIs called for the commands run on VMs deployed on the exposed ESXi hosts:
Managed Object               Method                             Description
GuestAliasManager            AddGuestAlias                      define alias for guest account
                             ListGuestAliases                   list guest aliases for specified user
                             ListGuestMappedAliases             list alias map for in-guest user
                             RemoveGuestAliasByCert             remove certificate-associated aliases
GuestAuthManager             AcquireCredentialsInGuest          authenticate, return session object
                             ReleaseCredentialsInGuest          release session object
                             ValidateCredentialsInGuest         check authentication data or timeout
GuestFileManager             ChangeFileAttributesInGuest        change attributes of file in guest
                             CreateTemporaryDirectoryInGuest    make a temporary directory
                             CreateTemporaryFileInGuest         create a temporary file
                             DeleteDirectoryInGuest             remove directory in guest OS
                             DeleteFileInGuest                  remove file in guest OS
                             InitiateFileTransferFromGuest      start file transfer from guest OS
                             InitiateFileTransferToGuest        start file transfer to guest OS
                             ListFilesInGuest                   list files or directories in guest
                             MakeDirectoryInGuest               make a directory in guest
                             MoveDirectoryInGuest               move or rename a directory in guest
                             MoveFileInGuest                    rename a file in guest
GuestWindowsRegistryManager  CreateRegistryKeyInGuest           create a registry key
                             DeleteRegistryKeyInGuest           delete a registry key
                             DeleteRegistryValueInGuest         delete a registry value
                             ListRegistryKeysInGuest            list registry subkeys for a given key
                             ListRegistryValuesInGuest          list registry values for a given key
                             SetRegistryValueInGuest            set or create a registry value
GuestProcessManager          ListProcessesInGuest               list processes running in guest OS
                             ReadEnvironmentVariableInGuest     read environment variable in guest
                             StartProgramInGuest                start running program in guest
                             TerminateProcessInGuest            stop a running process in guest
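With CVE-2023-20867 the in-guest authentication that VMware Tools would normally demand is not required, so guest-side logs may show nothing; the call still has to pass through the host's Guest Operations API, which turns the table above into a detection list. One complication: every guest operation that vCenter proxies reaches the host as vpxuser, so "vpxuser ran StartProgramInGuest" is normal on its own. What is not normal is a high-impact guest operation at the host for which vCenter has no task record, which is exactly what direct use of the stolen vpxuser credentials against the host looks like. As an added example (not code from the original article), the following correlation flags those cases, plus guest operations performed by a local host account. Both event lists are constructed and already normalized to a few fields; the field names, VM names and the vCenter principal are assumptions.

```python
"""Correlate Guest Operations calls seen by ESXi with vCenter's task records.

Added example, not from the original article. Both event lists are
constructed and pre-normalized; in practice they would come from hostd
events on each host and from vCenter's task/event history.
"""
from datetime import datetime, timedelta

# Methods from the table above that run code or plant content in the guest.
HIGH_IMPACT = {
    "StartProgramInGuest",
    "InitiateFileTransferToGuest",
    "CreateRegistryKeyInGuest",
    "SetRegistryValueInGuest",
    "MoveFileInGuest",
}

# Constructed: guest operations as recorded on the ESXi hosts (always vpxuser when proxied by vCenter).
HOSTD_EVENTS = [
    {"ts": "2023-06-14T02:12:01Z", "host": "esx01", "user": "vpxuser", "vm": "fileserver01", "method": "ListProcessesInGuest"},
    {"ts": "2023-06-14T02:12:04Z", "host": "esx01", "user": "vpxuser", "vm": "fileserver01", "method": "StartProgramInGuest"},
    {"ts": "2023-06-14T09:30:10Z", "host": "esx01", "user": "vpxuser", "vm": "build02", "method": "StartProgramInGuest"},
    {"ts": "2023-06-14T09:31:00Z", "host": "esx02", "user": "root", "vm": "build03", "method": "InitiateFileTransferToGuest"},
]

# Constructed: the same operations as vCenter task records, which carry the real principal.
VPXD_EVENTS = [
    {"ts": "2023-06-14T09:30:09Z", "user": "CORP\\svc-ansible", "vm": "build02", "method": "StartProgramInGuest"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate_guest_ops(hostd_events, vpxd_events, window=timedelta(seconds=10)):
    """Return (host_event, reason) for high-impact guest operations vCenter cannot account for.

    A vpxuser operation is matched to a vCenter task on the same VM and method
    within `window`; an unmatched one means the service account was used
    directly against the host. A non-vpxuser operation bypassed vCenter entirely.
    """
    alerts = []
    for ev in hostd_events:
        if ev["method"] not in HIGH_IMPACT:
            continue
        if ev["user"] != "vpxuser":
            alerts.append((ev, f"{ev['method']} by local host account {ev['user']!r}, bypassing vCenter"))
            continue
        t = parse_ts(ev["ts"])
        matched = any(
            v["vm"] == ev["vm"] and v["method"] == ev["method"]
            and abs(parse_ts(v["ts"]) - t) <= window
            for v in vpxd_events)
        if not matched:
            alerts.append((ev, f"{ev['method']} as vpxuser with no vCenter task: "
                               f"direct use of the service account against {ev['host']}"))
    return alerts


if __name__ == "__main__":
    for ev, reason in correlate_guest_ops(HOSTD_EVENTS, VPXD_EVENTS):
        print(ev["ts"], ev["vm"], reason)
```

The correlation window and the set of high-impact methods are tuning knobs: environments with direct-to-host automation will need that automation's source addresses and accounts excluded explicitly rather than by loosening the rule.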
Precautions
For CVE-2023-20867, the vulnerability that allows remote command execution on VMs, VMware recommends that all customers update VMware Tools and carry out the necessary hardening of their virtualization environments in line with the hardening documentation VMware has published:
https://core.vmware.com/vmware-vsphere-8-security-configuration-guide#use-your-head
The CVE-2022-22948 vulnerability, which allows the encrypted “vpxuser” credentials to be obtained in clear text, affects VMware vCenter Server versions 6.5, 6.7 and 7.0:
Affected Version    Fixed Version
6.5                 6.5 U3r
6.7                 6.7 U3p
7.0                 7.0 U3d
If the vCenter in the virtualization environment runs one of the affected versions, it is recommended to upgrade to the fixed version and close the vulnerability.