
Virtualization and networking infrastructure have been targeted by a threat actor called Fire Ant as part of a long-running cyber espionage campaign.
The activity, observed this year, is primarily designed to infiltrate organizations’ VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.
“Threat actors utilized sophisticated stealth techniques to facilitate access to restricted and segmented network assets within presumably isolated environments,” the cybersecurity company said.
“The attackers operated through eradication efforts and adapted in real time to eradication and containment measures to maintain access to compromised infrastructure, demonstrating high levels of persistence and operational maneuverability.”
Fire Ant is assessed to share targeting overlaps with previous campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.

The attacks mounted by the threat actor have been found to establish entrenched control over VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.
Another notable aspect is the threat actor’s ability to remain operationally resilient by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and changing network configurations to re-establish access to compromised networks.
Fire Ant’s breach of the virtualization management layer is achieved through the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that was exploited as a zero-day by UNC3886 before it was patched by Broadcom in October 2023.
“From vCenter, they extracted the credentials for the ‘vpxuser’ service account and used them to access connected ESXi hosts,” Sygnia said. “They deployed multiple persistent backdoors on both the ESXi hosts and vCenter to maintain access across reboots. The backdoors’ filenames, hashes and deployment techniques aligned with the VirtualPita malware family.”
Also dropped is a Python-based implant (“autobackup.bin”) that provides remote command execution and the ability to download and upload files. It runs in the background as a daemon.
Having obtained unauthorized access to the hypervisor, the attacker is said to have exploited another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest VMs via PowerCLI, tamper with the functionality of security tools, and extract credentials from memory snapshots, such as those of domain controllers.
Some of the other important aspects of the threat actor’s tradecraft are:
Dropping the V2Ray framework to facilitate guest-to-guest network tunneling, deploying unregistered virtual machines directly on multiple ESXi hosts, breaking network segmentation barriers, and establishing cross-segment persistence.
The attack chain ultimately opened a path for Fire Ant to maintain persistent, covert access from the hypervisor to the guest operating system. Sygnia also said the threat actor has a “deep understanding” of the target environment’s network architecture and policies, which it uses to reach isolated assets.

Fire Ant has an unusual focus on staying undetected by minimizing the footprint of its intrusions. This is evidenced by the steps the attackers took to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing audit trails and limiting forensic visibility.
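Two of the behaviours described above (unregistered VMs dropped straight onto ESXi datastores, and the vmsyslogd process being killed) can be checked for from the host itself. The following is an added defender-side example, not code from Sygnia’s report or from VMware: it parses constructed sample output of `vim-cmd vmsvc/getallvms`, `find /vmfs/volumes -name '*.vmx'` and `ps`, and flags .vmx files that exist on disk but are absent from the host inventory, plus a missing syslog daemon. The datastore names and VM names are hypothetical.

```python
import re

# Constructed sample output of `vim-cmd vmsvc/getallvms` (hypothetical inventory).
GETALLVMS = """\
Vmid   Name    File                              Guest OS                 Version
12     dc01    [datastore1] dc01/dc01.vmx        windows9Server64Guest    vmx-19
15     app01   [datastore1] app01/app01.vmx      otherLinux64Guest        vmx-19
"""

# Constructed sample output of `find /vmfs/volumes -name '*.vmx'` on the same host.
# The third entry is a VM that was never registered with the host inventory.
VMX_ON_DISK = """\
/vmfs/volumes/datastore1/dc01/dc01.vmx
/vmfs/volumes/datastore1/app01/app01.vmx
/vmfs/volumes/datastore1/.tmp/relay/relay.vmx
"""

# Constructed sample `ps` output: note that vmsyslogd is absent.
PS_OUTPUT = """\
2098901 2098901 hostd
2100012 2100012 vpxa
"""


def registered_vmx(getallvms: str) -> set:
    """Map every inventory entry '[ds] dir/vm.vmx' to its on-disk path."""
    paths = set()
    for line in getallvms.splitlines()[1:]:  # skip the header row
        m = re.search(r"\[(\S+)\]\s+(\S+\.vmx)", line)
        if m:
            # Assumes datastores are addressed by name under /vmfs/volumes/;
            # resolve UUID symlinks first on hosts where `find` reports UUIDs.
            paths.add(f"/vmfs/volumes/{m.group(1)}/{m.group(2)}")
    return paths


def unregistered_vmx(getallvms: str, find_output: str) -> list:
    """Return .vmx files present on datastores but missing from the inventory."""
    known = registered_vmx(getallvms)
    return sorted(p for p in find_output.split() if p not in known)


def syslog_daemon_running(ps_output: str) -> bool:
    """True if a vmsyslogd world is present in the process listing."""
    return any("vmsyslogd" in line for line in ps_output.splitlines())


if __name__ == "__main__":
    print("unregistered:", unregistered_vmx(GETALLVMS, VMX_ON_DISK))
    print("vmsyslogd running:", syslog_daemon_running(PS_OUTPUT))
```

A hit from either check is a strong reason to collect the host’s datastore listing and log state before any containment step changes them.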
The findings highlight a worrying trend in recent years: the sustained and successful targeting of network edge devices by threat actors, particularly those from China.
“This campaign highlights the importance of visibility and detection within the hypervisor and infrastructure layers, where traditional endpoint security tools are ineffective,” Sygnia said.
“Infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers are consistently targeted by Fire Ant. These systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions, creating long-term blind spots that are ideal for stealthy operations.”