Article Details
Scrape Timestamp (UTC): 2024-01-20 00:10:52.500
Source: https://www.theregister.com/2024/01/20/chinese_russia_vmware_microsoft/
Original Article Text
Russians invade Microsoft's exec mail while China jabs at VMware vCenter Server

Plus: Uncle Sam says Ivanti exploits 'consistent with PRC' snoops.

A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news.

On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write flaw in vCenter Server, was under active exploitation. The bug, which received a 9.8-out-of-10 CVSS severity rating, was disclosed and patched in October 2023. It can be abused to hijack a vulnerable server by anyone who can reach it over the internet or an internal network. "A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution," the virtualization giant noted last year.

VMware did not respond to The Register's inquiries about the scale of the years-long exploitation nor who was behind the attacks. But in a separate report shared later on Friday, Google-owned Mandiant pointed the finger at UNC3886, a crew described as "a highly advanced China-nexus espionage group." This same team has targeted VMware products in the past to snoop on targets.

Don't forget the Russians

Microsoft on Friday admitted a Moscow-backed crew broke into "a very small percentage of Microsoft corporate email accounts" and stole internal messages and files. These inboxes included those belonging to the leadership team, cybersecurity and legal employees, and others. The intruders exfiltrated not only emails but their attached documents, too. Redmond blamed Midnight Blizzard, aka APT29 or Cozy Bear, for the intrusions, and said the "attack was not the result of a vulnerability in Microsoft products or services."

"Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts," Redmond says. The Russian gang was apparently snooping through email accounts looking for information about themselves, we're told. Microsoft notes, "there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems."

The Windows giant also issued an advisory to Wall Street, saying it had detected "a nation-state attack" on January 12, and warned that in tightening up its security in response to this intrusion, there may be some downtime ahead:

"We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes. This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy."

In June 2023, VMware fixed an authentication bypass vulnerability in VMware Tools that affected ESXi hypervisors, but not before UNC3886 had found and exploited the hole. This PRC-linked gang also targeted VMware hypervisors to carry out espionage in 2022. Additionally, according to Mandiant, UNC3886 last year abused a critical Fortinet bug to deploy custom malware to steal credentials and maintain network access via compromised devices.

Mandiant is attributing intrusions via the vCenter Server hole to Beijing's spies after spotting similarities between those attacks and the ones against VMware Tools in June 2023. In reviewing VMware crash logs, the network defenders noticed the vmdird service dying shortly before intruders deployed backdoors on a victim's systems. The same crash pattern appeared whether vSphere or VMware Tools was the target, which led Mandiant to conclude, on the basis of the shared modus operandi, that the same group was behind both sets of attacks.

"While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability," Mandiant noted on Friday. The threat hunters said fewer than 10 known organizations were compromised via the vSphere hole, though they declined to say which industries the snoops were targeting in these attacks.

Speaking of China...

Also on Friday the US government's CISA issued an emergency directive requiring federal agencies to apply mitigations to Ivanti Connect Secure devices "as soon as possible and no later than 2359 EST on Monday, January 22." Ivanti disclosed, and issued mitigations for, two zero-days on January 10, and since then security researchers have warned that at least 1,700 devices have been compromised via the bugs, likely by Chinese nation-state attackers.

In a call with reporters on Friday, CISA Executive Assistant Director Eric Goldstein said about 15 federal agencies had the flawed Ivanti VPN servers in use, though he noted they have already apparently applied the mitigations. "We are not assessing a significant threat to the federal enterprise, but we know that risk is not zero," he said.

While the US government has not attributed the exploits to a PRC-linked crew, Goldstein said the Feds have a "persistent concern" about China-backed attackers targeting government networks and these types of devices. "At this time, we do not have any evidence to suggest that PRC actors have used these vulnerabilities to exploit federal agencies," Goldstein said. Later, he added: "Exploitation of these products would be consistent with what we have seen from PRC actors like Volt Typhoon in the past."
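The Microsoft intrusion above started with a password spray against a legacy, non-production test tenant: a few guesses each against many accounts, which stays under per-account lockout thresholds and so evades the controls that catch brute force. The script below is an added example written for this page, not Microsoft's telemetry or detection logic; the sign-in events are constructed, the CSV layout (timestamp, account, source IP, result), the function names and the thresholds (at least five distinct accounts, at most three failures per account, within one hour) are all assumptions chosen for illustration. It separates a spray source from a single-account brute-force source and raises severity when the spraying source later authenticates successfully, which is the foothold the article describes.

```python
"""Password-spray detection over constructed sign-in events (example code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp,account,source_ip,result.
# Made up for this example; not real telemetry from any tenant.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z,legacy-test-01@corp.example,203.0.113.7,failure
2023-11-28T02:00:04Z,legacy-test-02@corp.example,203.0.113.7,failure
2023-11-28T02:00:07Z,legacy-test-03@corp.example,203.0.113.7,failure
2023-11-28T02:00:10Z,legacy-test-04@corp.example,203.0.113.7,failure
2023-11-28T02:00:13Z,legacy-test-05@corp.example,203.0.113.7,failure
2023-11-28T02:00:16Z,legacy-test-06@corp.example,203.0.113.7,failure
2023-11-28T02:00:19Z,legacy-test-07@corp.example,203.0.113.7,success
2023-11-28T02:05:00Z,alice@corp.example,198.51.100.20,failure
2023-11-28T02:05:03Z,alice@corp.example,198.51.100.20,failure
2023-11-28T02:05:06Z,alice@corp.example,198.51.100.20,failure
2023-11-28T02:05:09Z,alice@corp.example,198.51.100.20,failure
2023-11-28T02:05:12Z,alice@corp.example,198.51.100.20,failure
2023-11-28T02:05:15Z,alice@corp.example,198.51.100.20,failure
2023-11-28T09:00:00Z,bob@corp.example,192.0.2.9,success
"""


def parse_log(text):
    """Parse the constructed CSV format into sorted (time, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: finding} for sources whose failures look like a spray.

    Spray signature (thresholds are assumptions): inside one window, failures
    against many distinct accounts with few attempts per account. A single
    account hammered many times is brute force, not a spray, and is skipped.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "failure"]
        best = None  # (distinct accounts, failed attempts, first failure time)
        start = 0
        for end in range(len(failures)):
            # Slide the window forward so it spans at most `window` of time.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            window_fails = failures[start:end + 1]
            per_account = Counter(e[1] for e in window_fails)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                if best is None or len(per_account) > best[0]:
                    best = (len(per_account), len(window_fails), window_fails[0][0])
        if best is None:
            continue
        distinct, attempts, first_fail = best
        # A success from the same source after the spray began is the foothold.
        compromised = sorted({e[1] for e in evs
                              if e[3] == "success" and e[0] >= first_fail})
        findings[ip] = {
            "distinct_accounts": distinct,
            "failed_attempts": attempts,
            "compromised_accounts": compromised,
            "severity": "high" if compromised else "medium",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run against the constructed log, the source 203.0.113.7 is flagged as a high-severity spray that landed one account, while 198.51.100.20, which failed six times against a single account, is left for the lockout and brute-force rules. The practical point from Microsoft's statement is scope: the compromised account lived in a legacy test tenant, so the query has to run over every tenant an organisation owns, not only the production one.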
Daily Brief Summary
Chinese espionage group UNC3886 has exploited a critical out-of-bounds write vulnerability in VMware vCenter Server (CVE-2023-34048) since late 2021, well before VMware patched it in October 2023.
Mandiant attributes the intrusions, which hit fewer than 10 known organizations, to UNC3886 because the vmdird crashes seen before backdoor deployment match the group's earlier attacks on VMware products.
Russian hackers, identified as Midnight Blizzard (APT29 or Cozy Bear), compromised a small number of Microsoft corporate email accounts, including those of executives and cybersecurity personnel.
The Microsoft breach began in late November 2023 and was detected on January 12; it was not due to a product vulnerability but to a password spray attack against a legacy non-production test tenant account.
Microsoft announced potential upcoming disruptions as they implement enhanced security measures in response to the breach.
CISA issued an emergency directive requiring federal agencies to apply Ivanti's mitigations for two Connect Secure zero-days by 2359 EST on January 22; researchers report at least 1,700 compromised devices, likely the work of Chinese nation-state attackers.
CISA's directive reflects ongoing concerns about Chinese cyber threats, despite no current evidence of successful exploits against federal agencies by PRC actors.