{"id":4132,"date":"2025-07-28T11:59:00","date_gmt":"2025-07-28T11:59:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4132"},"modified":"2025-07-28T11:59:00","modified_gmt":"2025-07-28T11:59:00","slug":"chinese-fire-ant-spies-start-to-bite-unpatched-vmware-instances","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4132","title":{"rendered":"Chinese \u2018Fire Ant\u2019 spies start to bite unpatched VMware instances"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Suspected China-aligned actors are running a new \u201cFire Ant\u201d espionage campaign, active since early 2025, that targets VMware ESXi, vCenter servers, and F5 appliances to achieve stealthy hypervisor-level control.<\/p>\n<p>According to Sygnia, which discovered the campaign, the attackers have been exploiting critical flaws in VMware environments to gain unauthenticated access to virtualization infrastructure and deploy persistent malware such as VirtualPita and autobackup.bin.<\/p>\n<p>According to Ev Kontsevoy, CEO of Teleport, it is a classic nation-state attack vector. \u201cFire Ant has been exploiting infrastructure vulnerabilities and using stolen credentials to infiltrate systems,\u201d he said. \u201cThis is not an isolated tactic. 
Many nation-state groups are now adopting the same approach due to its effectiveness and difficulty of detection.\u201d<\/p>\n<p>While Sygnia refrained from attributing Fire Ant to a specific actor, it noted that the campaign\u2019s tools, VMware-focused attack vectors, working hours, and keyboard patterns closely matched previous findings on the China-nexus group <a href=\"https:\/\/www.csoonline.com\/article\/2156359\/fortinet-ivanti-zero-day-victims-face-evolved-persistence-by-the-espionage-actor.html\">UNC3886<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Initial access through VMware flaws<\/h2>\n<p>The attackers exploited <a href=\"https:\/\/www.csoonline.com\/article\/1297762\/chinese-cyberspies-exploited-critical-vmware-vcenter-flaw-undetected-for-1-5-years.html\">CVE-2023-34048<\/a> in VMware vCenter to achieve unauthenticated remote code execution (RCE), then retrieved credentials for the \u201cvpxuser\u201d service accounts, which vCenter automatically creates to manage ESXi hosts with full administrative privileges. Because vpxuser is exempt from lockdown mode restrictions, the attackers could retain host-level control over all connected ESXi servers, the physical machines running the ESXi hypervisor, even if direct logins were disabled.<\/p>\n<p>With full administrative privileges, the attackers planted persistent backdoors like <a href=\"https:\/\/www.csoonline.com\/article\/573827\/cyberespionage-group-developed-backdoors-tailored-for-vmware-esxi-hypervisors.html\">VirtualPita<\/a> and autobackup.bin, and disabled the system logging daemon (vmsyslogd) to cover their tracks across reboots.<\/p>\n<p>Kontsevoy calls this an identity management failure. \u201cThe attackers used stolen credentials to create backdoors and mimic legitimate employee actions through common, trusted tools,\u201d he said. \u201cThis is because once an identity crosses a technology boundary, its trail is lost. No one can see where it goes next. 
This visibility gap allows backdoors to go unnoticed and enables attackers to re-enter the infrastructure undetected.\u201d<\/p>\n<p>Attackers further exploited <a href=\"https:\/\/www.csoonline.com\/article\/643414\/critical-flaw-in-vmware-aria-operations-for-networks-sees-mass-exploitation.html\">CVE-2023-20867<\/a> to run unauthenticated host-to-guest commands via VMware Tools\/PowerCLI, accessing guest VMs and extracting in-memory domain credentials.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Tunnelling allowed lateral movement<\/strong><\/h2>\n<p>Once inside, Fire Ant bypassed network segmentation by exploiting <a href=\"https:\/\/www.csoonline.com\/article\/573517\/up-to-35-more-cves-published-so-far-this-year-compared-to-2021.html?utm=hybrid_search#:~:text=iControl%20REST%20interface%20(-,CVE-2022-1388,-)%2C%20published%20in%20May\">CVE-2022-1388<\/a> in F5 BIG-IP devices. This allowed them to deploy encrypted tunnels such as <a href=\"https:\/\/github.com\/L-codes\/Neo-reGeorg\" target=\"_blank\" rel=\"noopener\">Neo-reGeorg<\/a> web shells to reach isolated environments, even leveraging IPv6 to evade IPv4 filters.<\/p>\n<p>\u201cThe threat actor demonstrated a deep understanding of the target environment\u2019s network architecture and policies, effectively navigating segmentation controls to reach internal, presumably isolated assets,\u201d Sygnia said in a blog <a href=\"https:\/\/www.sygnia.co\/blog\/fire-ant-a-deep-dive-into-hypervisor-level-espionage\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
\u201cBy compromising network infrastructure and tunneling through trusted systems, the threat actor systematically bypassed segmentation boundaries, reached isolated networks, and established cross-segment persistence.\u201d<\/p>\n<p>The attackers constantly adapted their techniques, altering tools, disguising files, and deploying redundant persistence backdoors, to evade detection and regain access after cleanup.<\/p>\n<p>Sygnia has advised organizations to patch vulnerable VMware components, rotate and secure service account credentials, and enforce ESXi lockdown mode to restrict host access. It also recommends using dedicated admin jump hosts, segmenting management networks, and expanding monitoring to include vCenter, ESXi, and appliances that often lack traditional endpoint visibility.<\/p>\n<p>\u201cThe only way to prevent nation-state hackers and other criminals from accessing infrastructure easily is by unifying identity,\u201d Kontsevoy added. \u201cBy unifying all identities \u2014 whether human, software, hardware, or AI \u2014 companies can gain a single source of truth and complete visibility into how identities enter and move through their systems.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Suspected China-aligned actors are running a new \u201cFire Ant\u201d espionage campaign, active since early 2025, that targets VMware ESXi, vCenter servers, and F5 appliances to achieve stealthy hypervisor-level control. 
According to a Sygnia discovery, the campaign has been exploiting critical flaws in VMware environments to gain unauthenticated access to virtualization infrastructure and deploy persistent malware [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4131,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4132"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4132"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4132\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4131"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}