UNC3886 Uses Public Rootkits REPTILE and MEDUSA on VMware ESXi VMs
A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named ‘Reptile’ and ‘Medusa’ to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement.
Mandiant has tracked the threat actor for several years, previously reporting attacks on government organizations that leveraged a Fortinet zero-day and two VMware zero-day vulnerabilities, each exploited for an extended period before it was patched.
The malware observed in these intrusions consists of the MOPSLED and RIFLESPINE backdoors and the REPTILE and MEDUSA rootkits; these are implants deployed after access is gained, not exploits.