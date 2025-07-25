A prolonged China-linked espionage campaign called Fire Ant was discovered targeting virtualization and networking infrastructure, primarily VMware ESXi and vCenter environments and F5 networking appliances

In a July 24 blog post, Sygnia researchers said Fire Ant established strong control over victims’ VMware ESXi hosts and vCenter servers, then pivoted into guest environments using unauthenticated host-to-guest command execution and credential access directly from the virtualization host.

The researchers said the threat actor consistently bypassed network segmentation by compromising network appliances and tunneling across segments, carefully navigating through legitimate approved paths.

UNC3886, a China-linked group, specializes in compromising network devices and virtualization technologies, including firewalls and hypervisors. It has a reputation for exploiting zero-day vulnerabilities in its attacks.

“Applying the latest security updates is vital, yet not enough because the group seems to be exploiting bugs before patches exist and keeps its foothold after updates due to having harvested credentials,” explained Jason Soroko, senior fellow at Sectigo. “So security teams need to redeploy clean hypervisors, verify firmware, rotate service credentials, restrict management interfaces, and enable continuous integrity checks on both virtualization and network appliance layers to be confident the adversary has been removed.”

Damon Small, a board member at Xcape, added that there are updated versions of VMware Tools that patch this issue, but the recent uptick in exploitation suggests that many vulnerable hypervisors remain.

“Because the attack vector requires root access on the ESXi server itself, organizations may be lulled into a false sense of security as they assume gaining such access is difficult,” said Small. “Coupled with other attacks that successfully harvest credentials, an attack chain resulting in successful exploitation is obviously very possible. Skilled adversaries, unfortunately, are expert at using many vectors to achieve their goals. It's a ‘death by 1000 cuts’ scenario.”

Nic Adams, co-founder and CEO at 0rcus, said the reported activities of the Fire Ant cyberespionage group signify a critical evolution in state-sponsored threat actor methodologies.

Adams said the group’s focus on hypervisor and networking infrastructure vulnerabilities such as CVE-2023-34048, CVE-2023-20867, and CVE-2022-1388 demonstrates a strategic shift towards undermining foundational layers of enterprise IT.

“This approach facilitates deep, persistent access to isolated environments, offering substantial tactical and strategic advantages for intelligence collection and potential disruptive operations,” said Adams. “The observed operational resilience underscores a sophisticated adversary capable of sustained, adaptive campaigns.”

CVE-2023-34048: The initial vector was the exploitation of this out-of-bounds write vulnerability in the DCERPC protocol implementation of VMware vCenter Server. The critical (CVSS 9.8) vulnerability allows unauthenticated remote code execution. Successful exploitation grants the adversary full control over the vCenter management plane, which serves as the centralized control point for the entire VMware virtualization infrastructure. This initial foothold delivered the capability to orchestrate further attacks across connected ESXi hosts and virtual machines.

CVE-2023-20867: To interact with and compromise guest virtual machines from the hypervisor, Fire Ant exploited this vulnerability (CVSS 3.9), an authentication bypass in the vgauth module of VMware Tools. It lets a fully compromised ESXi host perform unauthenticated host-to-guest operations. This direct hypervisor-level interaction with guest VMs bypasses in-guest security controls and allows covert access, data exfiltration, and potentially the deployment of additional payloads within the guest operating systems without leaving detectable traces on the VM itself.

CVE-2022-1388: To bridge isolated network segments, Fire Ant exploited this critical (CVSS 9.8) iControl REST authentication bypass vulnerability in F5 BIG-IP load balancers. The bug lets an unauthenticated actor with network access to the BIG-IP system execute arbitrary system commands. Fire Ant leveraged it to deploy webshells, effectively creating tunnels and enabling lateral movement between otherwise segmented networks, demonstrating a deep understanding of the target's network topology and policy enforcement points.
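As an added example, not from the Sygnia post or any of the quoted experts, here is a branch-aware exposure check a defender could run over an asset inventory for the BIG-IP and VMware Tools CVEs named above; the fixed-version table holds placeholder numbers that must be replaced with the releases listed in the vendor advisories, and the inventory is constructed. It separates "vulnerable" (a fix exists in the branch) from "unsupported" (the branch never got one and needs an upgrade), and a "patched" result only means the CVE is closed, not that the host is clean: as Soroko notes, credentials harvested before the update survive it.

```python
# PLACEHOLDER fixed versions (not the vendors' numbers): replace with the releases listed in the VMware and F5 advisories.
FIXED = {
    # BIG-IP: a branch is the first two components (e.g. 16.1), each with its own fix
    "CVE-2022-1388": {"branch_len": 2, "fixed": ["13.1.9", "14.1.9", "15.1.9", "16.1.9", "17.0.0"]},
    # VMware Tools: a branch is the first component (e.g. 12)
    "CVE-2023-20867": {"branch_len": 1, "fixed": ["12.9.9"]},
}
PRODUCT_CVE = {"BIG-IP": "CVE-2022-1388", "VMware Tools": "CVE-2023-20867"}

def parse_version(text: str) -> tuple[int, ...]:
    """'16.1.2.2' -> (16, 1, 2, 2); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def exposure(cve: str, installed: str) -> str:
    """Classify one installed version as 'patched', 'vulnerable' or 'unsupported'."""
    rule = FIXED[cve]
    n, v = rule["branch_len"], parse_version(installed)
    fixed = sorted(parse_version(f) for f in rule["fixed"])
    same_branch = [f for f in fixed if f[:n] == v[:n]]
    if same_branch:
        # Tuple comparison treats a shorter prefix as older: (16,1,2) < (16,1,2,2).
        return "patched" if v >= same_branch[0] else "vulnerable"
    if v[:n] > fixed[-1][:n]:
        return "patched"  # branch released after the fix (assumed)
    # Older branch with no fix of its own: needs an upgrade or replacement, not a patch.
    return "unsupported"

def scan(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Flag every asset that is not 'patched' (a patched host can still be compromised)."""
    findings = []
    for asset in inventory:
        cve = PRODUCT_CVE.get(asset["product"])
        if cve is None:
            continue
        status = exposure(cve, asset["version"])
        if status != "patched":
            findings.append((asset["name"], cve, status))
    return findings

# Constructed inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = [
    {"name": "lb-edge-01", "product": "BIG-IP", "version": "16.1.2"},
    {"name": "lb-legacy", "product": "BIG-IP", "version": "12.1.2"},
    {"name": "vm-fileserver", "product": "VMware Tools", "version": "12.1.5"},
    {"name": "vm-jumphost", "product": "VMware Tools", "version": "12.9.9"},
]
```

Calling `scan(SAMPLE_INVENTORY)` returns the three non-patched assets with their CVE and status; feed it the real inventory export and the advisory's fixed versions to get a triage list.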

Here's a quick rundown from Adams on how Fire Ant executed its attacks: