Cert2Connect

Uncovering UNC3886 Espionage Operations

Researchers have detailed the activities of the UNC3886 group which compromised guest virtual machines to access critical systems. The group used rootkits like REPTILE and MEDUSA for persistence deployed malware that used trusted third-party services (e.g. GitHub Google Drive) for command and control (C2) and utilized Secure Shell (SSH) backdoors to collect credentials. They exploited zero-day vulnerabilities to access vCenter servers and ESXi servers gaining control of guest VMs. UNC3886 used malware including MOPSLED and RIFLESPINE and relied on valid credentials for lateral movement. They also deployed backdoors such as VIRTUALSHINE VIRTUALPIE and VIRTUALSPHERE to facilitate communication and command execution between guest and host systems.
Overzicht

WILT U WETEN HOE DIT RISICO
UITGEBANNEN KAN WORDEN?

Wij helpen je graag. Indien gewenst geven we graag een presentatie of demo van onze oplossingsaanpak. Je vindt ons ook regelmatig op beurzen en events. Volg de evenementenpagina op deze site of meld je aan via de contactpagina voor onze nieuwsbrief.

Maak een afspraak