Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.
The activity, observed this year, is primarily designed Now to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.
"The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments," the cybersecurity company said.
"The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromise infrastructure."
Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.
Attacks mounted by the threat actor have been found to establish entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.
Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks.
Fire Ant's breach of the virtualization management layer is achieved by the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that has been exploited by UNC3886 as a zero-day for years prior to it being patched by Broadcom in October 2023.
"From vCenter, they extracted the 'vpxuser' service account credentials and used them to access connected ESXi hosts," Sygnia noted. "They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash, and deployment technique aligned the VIRTUALPITA malware family."
Also dropped is a Python-based implant ("autobackup.bin") that provides remote command execution, and file download and upload capabilities. It runs in the background as a daemon.
Upon gaining unauthorized access to the hypervisor, the attackers are said to have leveraged another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest virtual machines via PowerCLI, as well as interfered with the functioning of security tools and extracted credentials from memory snapshots, including that of domain controllers.
Some of the other crucial aspects of the threat actor's tradecraft are as follows -
- Dropping V2Ray framework to facilitate guest network tunneling
- Deploying unregistered virtual machines directly on multiple ESXi hosts
- Breaking down network segmentation barriers by exploiting CVE-2022-1388 to compromise F5 load balancers and establishing cross-segments persistence by deploying web shells
- Resist incident response and remediation efforts by re-compromising assets and, in some cases, blend in by renaming their payloads to impersonate forensic tools
The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a "deep understanding" of the target environment's network architecture and policies in order to reach otherwise isolated assets.
Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced in the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the "vmsyslogd" process, effectively suppressing an audit trail and limiting forensic visibility.
The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years.
"This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective," Sygnia said.
"Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation."
The development comes a week after Singapore pointed fingers at UNC3886 for carrying out cyber attacks targeting local critical infrastructure that delivers essential services. The government offered no further details.
"UNC3886 poses a serious threat to us, and has the potential to undermine our national security," Coordinating Minister for National Security, K. Shanmugam, said in a speech. "It is going after high value strategic threat targets, vital infrastructure that delivers essential services."
In a Facebook post, the Chinese embassy in Singapore said such claims were "groundless smears and accusations," and that the information systems of 9th Asian Winter Games were subjected to over 270,000 cyber attacks from abroad earlier this February.
"In addition to the recent context of the attribution disclosed by Singapore's minister of national security, we can highlight that the group's activity poses risks to critical infrastructure that extend beyond the regional borders of Singapore and the APJ region," Yoav Mazor, Head of Incident Response at Sygnia, told The Hacker News.
(The story was updated after publication to include a response from Sygnia.)
