Tag

Zero Day Network Security

All articles tagged with #zero day network security

Chinese Hackers Exploit VMware ESXi Zero-Day for Espionage Operations.
zero-day-network-security · 2 years ago

Chinese state-sponsored group UNC3886 has been exploiting a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The group has been described as a "highly adept" adversarial collective targeting defense, technology, and telecommunication organizations in the U.S., Japan, and the Asia-Pacific region. UNC3886 has been using Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, thereby allowing it to establish a covert channel between the ESXi host and its guest VMs. The group has also been observed harvesting credentials from vCenter servers and abusing CVE-2023-20867 to execute commands and transfer files to and from guest VMs from a compromised ESXi host.