The campaign
Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.
Sygnia said in a new report published today that the activity observed this year primarily targets organizations’ VMware ESXi and vCenter environments as well as network appliances.
“The threat actor leveraged combinations of sophisticated and stealthy techniques, creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed isolated environments,” the cybersecurity company stated.
“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts and adapting in real time to containment actions to maintain access to the compromised infrastructure.”
Analysts assess that Fire Ant shares tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.
Attacks mounted by the threat actor have established entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.
Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks.
Fire Ant
Fire Ant’s breach of the virtualization management layer occurs through the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that UNC3886 exploited as a zero-day for years prior to Broadcom patching it in October 2023.
“From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts,” Sygnia noted. “They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash, and deployment technique aligned with the VIRTUALPITA malware family.”
Additionally, they dropped a Python-based implant (“autobackup.bin”) that provides remote command execution, along with file download and upload capabilities. It runs in the background as a daemon.
Upon gaining unauthorized access to the hypervisor, the attackers leveraged another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest virtual machines via PowerCLI. They also interfered with the functioning of security tools and extracted credentials from memory snapshots, including those of domain controllers.
Some of the other crucial aspects of the threat actor’s tradecraft are as follows:
- Dropping the V2Ray framework to facilitate guest network tunneling
- Deploying unregistered virtual machines directly on multiple ESXi hosts
- Breaking down network segmentation barriers and establishing cross-segment persistence
- Resisting incident response and remediation efforts by re-compromising assets and, in some cases, blending in by renaming their payloads to impersonate forensic tools
The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a “deep understanding” of the target environment’s network architecture and policies to reach otherwise isolated assets.
Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced by the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing an audit trail and limiting forensic visibility.
The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years.
“This campaign underscores the importance of Visibility and Detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective,” Sygnia said.
“Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems rarely integrate into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.”
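As an added, hypothetical triage check (not Sygnia's tooling or code from the report), the following ESXi shell script looks for two of the behaviours described above: .vmx files present on datastores that no registered VM references, and the absence of the vmsyslogd process. It assumes the vim-cmd, find and ps commands available in the ESXi shell, and uses constructed sample output for offline testing.

```shell
#!/bin/sh
# Hypothetical triage script (not Sygnia's tooling) for two behaviours the report
# describes: VM configs present on ESXi datastores but never registered, and a
# killed vmsyslogd. Assumes an ESXi shell with vim-cmd, ps and find available.
# Turn `vim-cmd vmsvc/getallvms` output into datastore-relative .vmx paths.
# The File column reads "[datastore1] dir/name.vmx".
registered_vmx_paths() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && match($0, /\] *[^ ]*\.vmx/) {
        p = substr($0, RSTART + 1, RLENGTH - 1); sub(/^ */, "", p); print p }'
}

# Turn /vmfs/volumes/<datastore>/dir/name.vmx into dir/name.vmx so a datastore's
# UUID directory and its name symlink collapse into one entry (sort -u).
datastore_relative_paths() {
    printf '%s\n' "$1" | sed -n 's#^/vmfs/volumes/[^/]*/##p' | sort -u
}

# Print every .vmx found on disk that no registered VM references.
unregistered_vmx() {
    reg=$(registered_vmx_paths "$1")
    datastore_relative_paths "$2" | while IFS= read -r p; do
        printf '%s\n' "$reg" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Return 0 when a vmsyslogd process appears in the given `ps -c` listing.
vmsyslogd_present() {
    printf '%s\n' "$1" | grep -q 'vmsyslogd'
}

# Live run on the host: print findings and return non-zero if there are any.
run_on_esxi() {
    status=0
    vmx=$(unregistered_vmx "$(vim-cmd vmsvc/getallvms)" \
                           "$(find /vmfs/volumes/ -name '*.vmx' 2>/dev/null)")
    [ -z "$vmx" ] || { echo "Unregistered VM config files:"; echo "$vmx"; status=1; }
    vmsyslogd_present "$(ps -c 2>/dev/null)" || { echo "vmsyslogd not running"; status=1; }
    return $status
}

# Constructed sample output (not captured from a real host) for offline checks.
SAMPLE_GETALLVMS='Vmid   Name   File                      Guest OS        Version
1      web01  [datastore1] web01/web01.vmx   ubuntu64Guest   vmx-14
2      dc01   [datastore1] dc01/dc01.vmx     windows9Server64Guest vmx-19'
SAMPLE_FIND='/vmfs/volumes/5f1a2b3c-1111-2222-3333-444444444444/web01/web01.vmx
/vmfs/volumes/5f1a2b3c-1111-2222-3333-444444444444/dc01/dc01.vmx
/vmfs/volumes/5f1a2b3c-1111-2222-3333-444444444444/.hidden/jump.vmx'
SAMPLE_PS='WID      CID      WorldName     CMD
2098235  2098235  vmsyslogd     /bin/vmsyslogd'
```

On a host, source the script and call run_on_esxi; a non-zero return flags something worth triaging, and a relative path that exists on two datastores is reported only once.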
UNC3886
The development comes a week after Singapore pointed fingers at UNC3886 for carrying out cyber attacks targeting local critical infrastructure that delivers essential services. The government offered no further details.
“UNC3886 poses a serious threat to us and has the potential to undermine our national security,” Coordinating Minister for National Security, K. Shanmugam, said in a speech. “It is going after high-value strategic threat targets, vital infrastructure that delivers essential services.”
In a Facebook post, the Chinese embassy stated that such claims were “groundless smears and accusations,” adding that the information systems of the 9th Asian Winter Games faced over 270,000 cyber attacks from abroad earlier this February.
“In addition to the recent context of the attribution disclosed by Singapore’s minister of national security, we can highlight that the group’s activity poses risks to critical infrastructure that extend beyond the regional borders of Singapore and the APJ region,” Yoav Mazor, Head of Incident Response at Sygnia, told The Hacker News.
Source: TheHackerNews