Fire Ant Hacking Group Targets VMware ESXi and vCenter in Espionage Campaign
A threat actor known as Fire Ant is actively exploiting vulnerabilities in VMware's ESXi hypervisor and vCenter management platform, security researchers have discovered. The group appears to be engaged in a long-term cyber espionage operation aimed at virtualized environments.

A threat actor known as Fire Ant has been actively targeting virtualization and networking infrastructure in a long-running cyber espionage campaign. Its goal is to infiltrate organizations running VMware ESXi and vCenter environments, along with other key network devices.
According to a new report by Sygnia, the activity has been observed throughout this year. The attackers are primarily focused on compromising VMware ESXi, vCenter environments, and network appliances.
"The threat actor used a blend of advanced and sneaky tactics, creating complex attack paths to gain access to restricted parts of the network," Sygnia stated in their report. They highlighted the attacker's ability to bypass security measures and maintain a strong foothold within compromised systems.
The report further emphasizes the attacker's persistence and adaptability, which let them adjust their tactics in real time to keep access to compromised infrastructure even when defenders attempt to evict them.
Interestingly, Fire Ant appears to have some connections to UNC3886, a Chinese cyber espionage group. UNC3886 has a history of targeting edge devices and virtualization technologies, going back to at least 2022.
These attacks are designed to take control of VMware ESXi hosts and vCenter servers. The attackers have demonstrated the ability to move into guest environments and bypass network segmentation by compromising network appliances. It's a pretty sophisticated operation.
Another key aspect is Fire Ant's resilience. They can adapt to attempts to contain them, switch tools, and drop backup backdoors to maintain their access. They'll even reconfigure networks to re-establish connections.
How They're Getting In
Fire Ant often breaches the virtualization management layer by exploiting CVE-2023-34048, a security vulnerability in VMware vCenter Server. UNC3886 had been exploiting this flaw as a zero-day for years before Broadcom issued a patch in October 2023.
Sygnia explained that the attackers extract 'vpxuser' service account credentials from vCenter and use them to access connected ESXi hosts. Then, they deploy multiple backdoors on both ESXi hosts and vCenter to ensure persistent access even after reboots. One such backdoor is linked to the VIRTUALPITA malware family.
They also use a Python-based implant called "autobackup.bin" for remote command execution and file transfer, which runs quietly in the background.
Once inside the hypervisor, the attackers leverage another vulnerability, CVE-2023-20867 in VMware Tools, to interact with guest virtual machines through PowerCLI. They've also been known to tamper with security tools and steal credentials from memory snapshots, including those of domain controllers.
Key Tactics Used by Fire Ant:
- Using the V2Ray framework for guest network tunneling.
- Deploying unregistered virtual machines directly on multiple ESXi hosts.
- Breaking down network segmentation and establishing persistence across different segments.
- Resisting incident response efforts by re-compromising assets and blending in by disguising their tools as forensic tools.
This all creates a pathway for Fire Ant to maintain hidden access from the hypervisor to guest operating systems. Sygnia also noted that the attackers show a "deep understanding" of their target's network architecture.
Staying Under the Radar
Fire Ant goes to great lengths to remain undetected, leaving as little trace as possible. For example, they'll tamper with logging on ESXi hosts by stopping the "vmsyslogd" process, effectively hiding their tracks and limiting forensic visibility.
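Two of the behaviours described above, unregistered virtual machines placed directly on ESXi hosts and the ESXi logging daemon "vmsyslogd" being stopped, can be checked offline from artefacts an operator collects from a host. The following triage script is an added example written for this article; it is not code from Sygnia's report or from VMware. It assumes the collector has saved the output of `vim-cmd vmsvc/getallvms` (the inventory of registered VMs), a listing of `.vmx` files found under `/vmfs/volumes` (for instance from `find /vmfs/volumes -name '*.vmx'`), and a list of running process names, one per line. The sample inputs embedded below are constructed for illustration and do not come from a real host.

```python
"""Offline triage of ESXi collection artefacts (added example, hypothetical script).

Flags two conditions described in reporting on the Fire Ant campaign:
  1. .vmx files present on datastores but absent from the host's VM inventory
     (a possible unregistered VM that management tooling will not show), and
  2. the vmsyslogd logging daemon not running (logs are no longer being written).

Assumptions (not from the article): the find listing uses datastore *labels*
under /vmfs/volumes (the label symlinks), not the UUID directories; if the
collector recorded UUID paths, map them with `esxcli storage filesystem list`
before feeding them in.
"""
import re

# --- Constructed sample inputs (illustrative, not real host output) ---
SAMPLE_GETALLVMS = """Vmid   Name        File                              Guest OS                Version
1      dc01        [datastore1] dc01/dc01.vmx         windows9Server64Guest   vmx-19
2      fileserver  [datastore1] fs01/fs01.vmx         windows9Server64Guest   vmx-19
"""

SAMPLE_VMX_FIND = """/vmfs/volumes/datastore1/dc01/dc01.vmx
/vmfs/volumes/datastore1/fs01/fs01.vmx
/vmfs/volumes/datastore1/.cache/sys/sys.vmx
"""

SAMPLE_PROCESSES = """hostd
vpxa
sshd
"""

VMFS_PREFIX = "/vmfs/volumes/"


def registered_vmx_paths(getallvms_output):
    """Parse `vim-cmd vmsvc/getallvms` rows into datastore-relative .vmx paths.

    Each data row carries a '[label] path/to/vm.vmx' column; the header row
    has no such token and is skipped.
    """
    paths = set()
    for line in getallvms_output.splitlines():
        match = re.search(r"\[([^\]]+)\]\s+(\S+\.vmx)", line)
        if match:
            paths.add(f"{match.group(1)}/{match.group(2)}")
    return paths


def on_disk_vmx_paths(find_output):
    """Normalise absolute /vmfs/volumes/<label>/... paths to <label>/... form."""
    paths = set()
    for line in find_output.splitlines():
        line = line.strip()
        if line.startswith(VMFS_PREFIX):
            paths.add(line[len(VMFS_PREFIX):])
    return paths


def unregistered_vms(getallvms_output, find_output):
    """Return .vmx files on disk that the host does not list in its inventory.

    Unregistered .vmx files also occur legitimately (templates, leftovers after
    a migration), so treat each hit as a lead for review, not a verdict.
    """
    return sorted(on_disk_vmx_paths(find_output) - registered_vmx_paths(getallvms_output))


def logging_daemon_running(process_names):
    """True if 'vmsyslogd' appears in the collected process-name list."""
    return any(name.strip() == "vmsyslogd" for name in process_names.splitlines())


def triage(getallvms_output, find_output, process_names):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for path in unregistered_vms(getallvms_output, find_output):
        findings.append(f"unregistered VM config on datastore: {path}")
    if not logging_daemon_running(process_names):
        findings.append("vmsyslogd is not running: host logging has been stopped")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_GETALLVMS, SAMPLE_VMX_FIND, SAMPLE_PROCESSES):
        print("FINDING:", finding)
```

Running the script against the constructed samples reports the hidden `.cache/sys/sys.vmx` configuration and the missing logging daemon. On a real collection the second finding should be confirmed against the host's syslog configuration (`esxcli system syslog config get`) and the remote syslog target, since a stopped vmsyslogd also silences log forwarding off the host.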
These findings highlight a troubling trend of persistent attacks targeting network edge devices by various threat actors, especially those linked to China.
"This campaign highlights the need for better visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools often fall short," Sygnia concluded.
They further added that Fire Ant focuses on infrastructure systems like ESXi hosts, vCenter servers, and F5 load balancers, which often lack proper detection and response mechanisms, making them ideal targets for long-term, stealthy operations.