A highly sophisticated and silent cyber espionage campaign has been found to be targeting the key virtualization infrastructure and networking equipment. The attack group known as “Fire Ant”, believed to be related to UNC3886 (the hacker group associated with China) has silently infiltrated systems using VMware ESXi and vCenter Server, two core components in modern virtualization infrastructures.
Vmware Vcentre.png

Fire Ant is the provisional designation for the hacker group allegedly associated with UNC3886. What the two groups have in common is that they both use the same tools and techniques, targeting assets that are outside the safeguards of traditional security software.

The attack is not only intended to steal information but can also cause complete loss of control over the system, especially critical systems that are being “lost” in the current security strategy.

Fire Ant focuses its attack on:

  • VMware ESXi and vCenter Server (virtual machine management system)
  • Network devices such as F5 load balancers
  • Environments that are said to be “isolated”, not connected to public networks
These systems often have little security scrutiny, few monitoring logs, and often no antivirus software.
Holes exploited:
  • CVE-2023-34048: Vulnerabilities in VMware vCenter Server, allowing remote access.
  • CVE – 2023-20867: Vulnerabilities in VMware Tools, which allow direct interference with the running virtual machine.

Notably, UNC3886 had been exploiting CVE -2023-34048 since it was a zero – day vulnerability, before being patched by Broadcom in October 202 3.

Fire Ant uses a kill chain with complex techniques:

  • A persistent backdoor (the “VIRTUALPITA” type) into both ESXi and vCenter, persisting through system restarts.
  • Use a Python implant to execute remote commands and send/receive files.
  • exploit VMware Tools vulnerability to manipulate virtual machines from hypervisor.
  • Blocking and deletion of system logs by turning off the vmsyslogd logging service, making post-attack monitoring and analysis meaningless.
  • Create unregistered fake virtual machine to avoid detection.
  • Create a network tunnel (V2Ray) to bypass network segmentation barriers and maintain access.
Extent of influence and consequences
  • The attacks are taking place globally, not just in the Asia – Pacific region.
  • Targets are organizations operating important infrastructure, which have strategic economic and security value.
  • Singapore has recently formally accused UNC3886 of being involved in attacks on national critical infrastructure, affecting essential services.
  • Potential risk: The hacker may have access to the entire internal network, overcoming any barriers if a single vulnerability is exploited.

Fire Ant’s campaign was a serious wake-up call to the vulnerability of current security thinking itself, as critical infrastructure and network equipment were neglected in incident detection and response strategies. Focusing on the endpoint is no longer sufficient.

Security solutions recommended by experts:

  • Immediately update all security patches for VMware vCenter, ESXi, and Vmware Tools.
  • Monitor and collect the full log for the virtualization system – do not leave the log empty or not recorded.
  • Implement security monitoring in the hypervisor visibility layer, using specialized solutions if necessary.
  • Check and track privileged accounts such as pxuser.
  • Re-evaluate network segmentation, restrict access between sensitive network areas.
  • Increase testing for new virtual machines, prevent unchecked implementations of unknown machines.
Operation Fire Ant showed a new generation of attacks emerged, focusing on less-noticed infrastructure layers, superior technical use, and long-term silent operations. Security today is no longer a matter of “virtual anti-retrovirus” but rather a contest between systems understanding and the ability to detect aberrant behavior.
WhiteHat, The Hacker News