
Fire Ant breaches VMware infrastructure in advanced espionage campaign


Cybersecurity firm Sygnia says a threat actor it tracks as Fire Ant is targeting virtualization and networking infrastructure, The Hacker News reports.

According to the firm's report, the activity observed this year is primarily intended to breach organizations' VMware ESXi and vCenter systems, along with network appliances. "The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments," Sygnia said.

The threat actor appears to use similar tools and to target the same systems as UNC3886, a China-linked cyber espionage group that has attacked edge devices and virtualization technologies since at least 2022.

Fire Ant gains access to the virtualization management layer by exploiting CVE-2023-34048, an out-of-bounds write in vCenter Server's DCERPC protocol implementation that UNC3886 reportedly used as a zero-day for years before VMware patched it in October 2023. "From vCenter, they extracted the 'vpxuser' service account credentials and used them to access connected ESXi hosts," Sygnia noted. "They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash, and deployment technique aligned with the VIRTUALPITA malware family," the firm added.

The vpxuser account is the one vCenter creates on every ESXi host it manages and uses for all host operations, so credentials lifted from vCenter give root-level control of each connected host. Patching vCenter closes the entry point but neither revokes credentials already stolen nor removes backdoors already planted: hosts should be reviewed for unauthorized persistence and the vpxuser passwords rotated (reconnecting a host in vCenter regenerates them).
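Sygnia's report describes backdoors that persist on ESXi hosts across reboots, and Mandiant's 2022 reporting on VIRTUALPITA tied that family to malicious VIBs (ESXi software packages), so one routine host check is to review the output of `esxcli software vib list` for packages that are not VMware's own. The script below is an added example for this article, not code from Sygnia, Mandiant or VMware: it parses a constructed esxcli listing (the VIB names, vendors "OEMco" and "Unknown", and dates are all made up for the sample) and flags VIBs from third-party vendors or at the CommunitySupported acceptance level, which requires no VMware or partner signature.

```python
"""Triage an ESXi host's VIB inventory (the output of
`esxcli software vib list`) for packages that do not come from VMware
or that carry the CommunitySupported acceptance level.

Added example for this article; not code from Sygnia, Mandiant or
VMware. The sample inventory below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Vendor strings VMware's own VIBs carry.
TRUSTED_VENDORS = {"VMW", "VMware"}
# Acceptance levels that require a VMware or partner signature.
SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Constructed sample in the fixed-width layout esxcli prints; the last
# row models an unsigned third-party package worth investigating.
SAMPLE = """\
Name                Version                 Vendor    Acceptance Level    Install Date
------------------  ----------------------  --------  ------------------  ------------
ata-libata-92       3.00.9.2-16vmw.650      VMW       VMwareCertified     2023-05-11
net-vmxnet3         1.1.3.0-3vmw.650        VMware    VMwareCertified     2023-05-11
oem-nic-driver      2.0.1-1OEM.650          OEMco     PartnerSupported    2023-05-11
example-persist     1.0.0-1                 Unknown   CommunitySupported  2024-03-02
"""


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def _column_starts(ruler: str) -> list[int]:
    """Start offset of every dashed column in esxcli's ruler line."""
    return [i for i, ch in enumerate(ruler)
            if ch == "-" and (i == 0 or ruler[i - 1] != "-")]


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the fixed-width table esxcli prints into Vib records."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[1].startswith("-"):
        raise ValueError("not an esxcli table: missing header/ruler")
    starts = _column_starts(lines[1])
    if len(starts) != 5:
        raise ValueError(f"expected 5 columns, found {len(starts)}")
    vibs = []
    for row in lines[2:]:
        # Slice each row at the ruler's column boundaries; the last
        # column runs to the end of the line.
        bounds = zip(starts, starts[1:] + [len(row)])
        fields = [row[a:b].strip() for a, b in bounds]
        vibs.append(Vib(*fields))
    return vibs


def suspicious_vibs(vibs: list[Vib]) -> list[tuple[Vib, str]]:
    """Return (vib, reason) for packages that warrant a closer look.

    A third-party vendor is not proof of compromise, but every such VIB
    should be matched against the host's known-good baseline.
    """
    findings = []
    for v in vibs:
        reasons = []
        if v.vendor not in TRUSTED_VENDORS:
            reasons.append(f"third-party vendor '{v.vendor}'")
        if v.acceptance not in SIGNED_LEVELS:
            reasons.append(f"acceptance level '{v.acceptance}' "
                           "needs no VMware/partner signature")
        if reasons:
            findings.append((v, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for vib, why in suspicious_vibs(parse_vib_list(SAMPLE)):
        print(f"{vib.name} {vib.version} (installed {vib.install_date}): {why}")
```

On a live host, pipe the real listing into the parser and follow up each finding with `esxcli software vib signature verify`, since an attacker can install a VIB that merely claims a signed acceptance level; the host's own threshold is visible with `esxcli software acceptance get`. Compare the result with the same inventory from a known-good host of the same build rather than trusting vendor strings alone.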
