Fire Ant Hackers Target VMware ESXi and vCenter Flaws to Infiltrate Organizations

Cybersecurity firm Sygnia has been tracking and mitigating a sophisticated espionage operation dubbed Fire Ant, which zeroes in on virtualization and networking infrastructure, particularly VMware ESXi hypervisors and vCenter management servers, alongside network appliances.

The threat actors behind Fire Ant employ multilayered kill chains, blending advanced persistence mechanisms with stealthy techniques to breach segmented networks and maintain access amid active eradication efforts.

Prolonged Espionage Campaign

By exploiting vulnerabilities like CVE-2023-34048 for unauthenticated remote code execution on vCenter, attackers gain initial footholds, extract vpxuser credentials for lateral movement to ESXi hosts, and deploy persistent backdoors such as the VIRTUALPITA malware variant, disguised as ‘ksmd’ binaries listening on TCP port 7475.

These tools enable remote command execution and file operations, persisting through reboots via unsigned VIBs installed with forced acceptance levels and modifications to /etc/rc.local.d/local.sh scripts that launch HTTP-based Python backdoors on port 8888.

[Figure: malicious VIB XML file]

Fire Ant’s operators further tamper with ESXi logging by terminating the vmsyslogd process, severing audit trails and complicating forensic analysis.

From hypervisor control, they pivot to guest VMs using CVE-2023-20867 in VMware Tools, injecting commands via PowerCLI’s Invoke-VMScript cmdlet, which routes through vmtoolsd.exe without authentication, allowing encoded PowerShell execution and output redirection to temporary files under C:\Windows\TEMP.

Credential harvesting involves creating memory snapshots with vim-cmd vmsvc/snapshot.create, then dumping NTLM hashes and LSA secrets using a Volatility-based tool named UpdateApp, followed by snapshot removal to erase traces.

Additional tactics include deploying updatelog.exe to tamper with EDR agents like SentinelOne, installing V2Ray for encrypted tunneling on port 58899, and launching rogue VMs via /bin/vmx -x, bypassing vCenter registration with spoofed MAC addresses outside standard ranges.

Network Manipulation

Fire Ant extends its reach by compromising network devices, such as F5 load balancers via CVE-2022-1388, deploying webshells to /usr/local/www/xui/common/css/ for bridging segmented networks, and leveraging Neo-reGeorg on Java-based web servers for application-layer tunnels.

[Figure: vMonCoreDumper.log]

On Linux pivots, a Medusa rootkit variant provides interactive shells and SSH credential logging to remote.txt files.

Attackers bypass ACLs using netsh portproxy on trusted endpoints, expose assets via public interfaces, and exploit IPv6 to evade IPv4 filters in dual-stack setups.

Demonstrating remarkable operational resilience, Fire Ant adapts in real-time to containment, rotating toolsets, renaming binaries to mimic forensic tools, and re-entering via redundant paths post-cleanup.

Technical overlaps, including specific binaries and exploitation patterns, align closely with UNC3886, a cluster previously linked to Chinese-language indicators like keyboard layout errors and active hours.

According to the report, while Sygnia avoids definitive attribution, Fire Ant’s tactics mirror UNC3886’s infrastructure-centric campaigns, underscoring vulnerabilities in hypervisor layers where endpoint security falters.

To counter such threats, organizations must enhance ESXi visibility through syslog forwarding to centralized servers and monitor for vmsyslogd terminations, unauthorized vim-cmd/esxcli executions, anomalous ELF binaries, rogue vmx -x launches, and vmtoolsd.exe-spawned processes.
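As an added illustration of the monitoring guidance above (this is not code from Sygnia or the report), the following Python detector runs over constructed lines in the style of ESXi /var/log/shell.log and flags the behaviours the article lists: vmsyslogd termination, forced or unsigned VIB installs, rogue vmx -x launches, local.sh edits and shell-driven snapshot operations. The log format and the sample commands are assumptions.

```python
import re

# Constructed sample lines in the style of ESXi /var/log/shell.log (not from
# the Sygnia report); ESXi records each interactive shell command there.
SAMPLE_SHELL_LOG = """\
2025-01-10T10:00:01Z shell[2001]: [root]: esxcli software acceptance set --level CommunitySupported
2025-01-10T10:00:05Z shell[2001]: [root]: esxcli software vib install -v /tmp/ksmd.vib --force --no-sig-check
2025-01-10T10:01:00Z shell[2001]: [root]: kill -9 $(pidof vmsyslogd)
2025-01-10T10:02:00Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.create 12 snap1 snap1 1 0
2025-01-10T10:03:00Z shell[2001]: [root]: /bin/vmx -x /vmfs/volumes/ds1/.hidden/rogue.vmx
2025-01-10T10:04:00Z shell[2001]: [root]: echo 'python /tmp/httpd.py' >> /etc/rc.local.d/local.sh
2025-01-10T10:05:00Z shell[2001]: [root]: esxcli system version get
"""

# One pattern per behaviour named in the article's monitoring guidance.
RULES = {
    "vmsyslogd_terminated": re.compile(r"\b(kill|pkill|killall)\b.*\bvmsyslogd\b"),
    "unsigned_vib_install": re.compile(
        r"esxcli software (vib install|acceptance set)\b.*(--force|--no-sig-check|CommunitySupported)"),
    "rogue_vmx_launch": re.compile(r"(^|[\s/])vmx\s+-x\b"),
    "local_sh_modified": re.compile(r"/etc/rc\.local\.d/local\.sh"),
    "shell_snapshot_ops": re.compile(r"vim-cmd\s+vmsvc/snapshot\.(create|remove)\b"),
}


def parse_shell_log_line(line):
    """Split a shell.log line into (timestamp, user, command); None if malformed."""
    m = re.match(r"^(\S+)\s+shell\[\d+\]:\s+\[(\w+)\]:\s+(.*)$", line)
    return m.groups() if m else None


def detect(log_text):
    """Return [(rule_name, timestamp, user, command)] for every flagged command."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_shell_log_line(raw)
        if not parsed:
            continue  # skip lines that are not shell command records
        ts, user, cmd = parsed
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, ts, user, cmd))
    return hits


if __name__ == "__main__":
    for name, ts, user, cmd in detect(SAMPLE_SHELL_LOG):
        print(f"{ts} {user} {name}: {cmd}")
```

Because vmsyslogd is itself the process being killed, these lines only reach a central collector if syslog forwarding was already configured before the termination, which is why the forwarding step in the guidance comes first.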

Hardening involves patching promptly, enforcing unique rotated passwords via PIM solutions, enabling Lockdown Mode and Secure Boot to block unsigned VIBs, and restricting access to jump servers.

These measures address blind spots in trusted infrastructure, preventing segmentation bypasses and ensuring coordinated eradications to thwart resilient actors like Fire Ant.
