A Chinese cyberespionage group has been targeting VMware and F5 product vulnerabilities in a sophisticated and stealthy campaign, cybersecurity firm Sygnia reports.
Tracked as Fire Ant, the hacking group was seen compromising virtualization and networking appliances to gain access to restricted and segmented environments.
Focusing on infrastructure, Fire Ant is using the compromised appliances for initial access, lateral movement, and persistence, and has been observed leveraging virtualization hosts to access guest environments using unauthenticated host-to-guest commands and compromised credentials.
“Sygnia observed high levels of operational resilience. Fire Ant actively adapted to eradication and containment efforts, replacing toolsets, deploying redundant persistence backdoors, and manipulating network configurations to re-establish access,” Sygnia notes.
As part of an analyzed intrusion, the cyberespionage group exploited CVE-2023-34048, a critical vCenter Server vulnerability leading to unauthenticated remote code execution, to take over the virtualization management layer.
Using ‘vpxuser’ service account credentials extracted from vCenter, the hackers then pivoted to connected ESXi hosts, deploying persistent backdoors across the environment. Next, they interacted with guest VMs, exploiting CVE-2023-20867, an ESXi flaw enabling unauthenticated host-to-guest operations.
These activities, Sygnia says, led to full-stack compromise, providing the attackers with persistent, covert access to the guest operating systems, directly from the hypervisor.
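The vpxuser pivot described above is detectable with a simple log heuristic. The following is an added example (not code from the Sygnia report or from VMware): it scans OpenSSH-style lines of the kind ESXi's sshd writes to /var/log/auth.log and flags any interactive login by vpxuser, since vCenter drives ESXi through hostd over HTTPS rather than SSH. The sample log lines and the vCenter address are constructed assumptions.

```python
# Added example: heuristic detection of interactive vpxuser logins on ESXi.
# Not from the Sygnia report. Log lines and the vCenter address are constructed.
import re
from typing import Dict, List

VCENTER_ADDRESSES = {"10.0.0.5"}   # assumed vCenter IP(s); replace with your own

# OpenSSH "Accepted" line as written by ESXi's sshd: method, user, source address.
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_suspicious_vpxuser_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return every SSH login by vpxuser, with a triage reason.

    vpxuser is vCenter's service account for managing ESXi via hostd (HTTPS),
    so an interactive SSH session under that account is anomalous on its own;
    one coming from an address that is not the vCenter is more so.
    """
    hits = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if not m or m.group("user") != "vpxuser":
            continue
        src = m.group("src")
        reason = "vpxuser interactive SSH login"
        if src not in VCENTER_ADDRESSES:
            reason += " from non-vCenter address"
        hits.append({"src": src, "method": m.group("method"),
                     "reason": reason, "line": line})
    return hits


# Constructed sample: one routine admin login, two vpxuser logins.
SAMPLE_AUTH_LOG = [
    "2024-01-10T09:12:01Z sshd[2001]: Accepted keyboard-interactive/pam for root from 10.0.0.20 port 50122 ssh2",
    "2024-01-10T09:13:44Z sshd[2002]: Accepted keyboard-interactive/pam for vpxuser from 10.0.0.5 port 50140 ssh2",
    "2024-01-10T02:41:17Z sshd[2003]: Accepted password for vpxuser from 192.0.2.77 port 41022 ssh2",
]

if __name__ == "__main__":
    for hit in find_suspicious_vpxuser_logins(SAMPLE_AUTH_LOG):
        print(hit["reason"], "-", hit["line"])
```

Feed it the host's auth.log (or the same lines forwarded to your SIEM) and route any hit to triage; the same pattern extends to other service accounts that should never open a shell.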
The hackers were also seen tunneling through trusted systems to systematically bypass segmentation, gain access to isolated networks, and establish cross-segment persistence.
They exploited CVE-2022-1388 to compromise F5 load balancers in order to deploy webshells that enabled bridging between different networks.
“The threat actor demonstrated a deep understanding of the target environment’s network architecture and policies, effectively navigating segmentation controls to reach internal, presumably isolated assets,” Sygnia notes.
The cybersecurity firm has published technical details on the observed activities and tooling, noting that it has identified strong overlaps with TTPs previously attributed to Chinese cyberespionage group UNC3886.
Not only have Fire Ant and UNC3886 exploited the same vulnerabilities in virtualization and networking infrastructure, but they have also used the same malware in their attacks, including the VirtualPita backdoor. Fire Ant’s working hours and input errors point to China and Chinese-language keyboard layouts.
“While Sygnia refrains from conclusive attribution, multiple aspects of Fire Ant’s campaign and most notably its unique tool set and attack vector targeting the VMware virtualization infrastructure strongly align with previous research on the threat group UNC3886,” the cybersecurity firm notes.