Red Hot Cyber
Fire Ant Attacks: How a vCenter Bug Opens the Door to IT Hell

28 July 2025 18:29

Sygnia reports that the initial Fire Ant attack vector, CVE-2023-34048, exploits an out-of-bounds write vulnerability in the vCenter Server implementation of the DCERPC protocol, allowing unauthenticated remote code execution. Security researchers have identified suspicious crashes of the 'vmdird' process on vCenter servers, indicating exploitation of this critical vulnerability.

After achieving a compromise, threat actors deploy sophisticated tools, including the open-source script vCenter_GenerateLoginCookie.py, to spoof authentication cookies and bypass login mechanisms. Attackers systematically harvest vpxuser credentials, which are system accounts automatically created by vCenter with full administrative privileges on ESXi hosts.

This credential theft enables lateral movement across the entire virtualization infrastructure, as vpxuser accounts remain exempt from lockdown mode restrictions. Threat actors are also exploiting CVE-2023-20867, a vulnerability in VMware Tools that allows unauthenticated host-to-guest command execution via the PowerCLI Invoke-VMScript cmdlet.

Persistence Capabilities and Evasion Methods

Fire Ant demonstrates impressive persistence capabilities through multiple backdoor deployment techniques. The group installs malicious vSphere Installation Bundles (VIBs) with the acceptance level set to "partner" and installed using the -force flag to bypass signature validation. These rogue VIBs contain configuration files that reference binaries in the '/bin' folder and custom scripts embedded in '/etc/rc.local.d/' to run at boot time.

Additionally, attackers implement a Python-based HTTP backdoor named autobackup.bin that binds to port 8888 and provides remote command execution capabilities. This malware modifies '/etc/rc.local.d/local.sh' on ESXi hosts for persistent execution. To further evade detection, Fire Ant kills the vmsyslogd process, VMware's native syslog daemon, effectively disabling both local log writing and remote log forwarding.
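As an added defender's example (not code from Sygnia's report or from this article), the following Python triage script checks text captured from an ESXi host for the persistence indicators described above: VIBs at a partner or community acceptance level, extra commands in /etc/rc.local.d/local.sh, a listener on port 8888, and a missing vmsyslogd process. The sample captures are constructed, and their column layouts only approximate the real esxcli and ps output.

```python
import re

# Constructed samples standing in for captures from an ESXi host; the column
# layouts approximate `esxcli software vib list`, `esxcli network ip connection
# list`, `/etc/rc.local.d/local.sh` and `ps -c`, and are not real host data.
VIB_LIST = """\
Name       Version             Vendor  Acceptance Level  Install Date
---------  ------------------  ------  ----------------  ------------
esx-base   8.0.2-0.0.22380479  VMware  VMwareCertified   2024-05-01
net-tools  1.0-1               ACME    PartnerSupported  2025-07-20
"""
LOCAL_SH = """\
#!/bin/sh
# local configuration options
/bin/python /bin/autobackup.bin &
exit 0
"""
CONN_LIST = """\
Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID
-----  ------  ------  -------------  ---------------  ------  --------
tcp    0       0       0.0.0.0:443    0.0.0.0:0        LISTEN  2098744
tcp    0       0       0.0.0.0:8888   0.0.0.0:0        LISTEN  2100311
"""
PS_OUT = "WID      CID      WorldName\n2098744  2098744  hostd\n2100311  2100311  python\n"

BACKDOOR_PORTS = {"8888"}                                  # port named in the report
SUSPECT_LEVELS = {"PartnerSupported", "CommunitySupported"}  # review every VIB at these levels

def triage(vib_list, local_sh, conn_list, ps_out):
    findings = []
    for line in vib_list.splitlines()[2:]:        # skip header and separator rows
        cols = line.split()
        if len(cols) >= 4 and cols[3] in SUSPECT_LEVELS:
            findings.append(f"vib:{cols[0]} {cols[3]} ({cols[2]})")
    for line in local_sh.splitlines():            # stock local.sh has only comments and exit 0
        s = line.strip()
        if s and not s.startswith("#") and s != "exit 0":
            findings.append(f"local.sh:{s}")
    for line in conn_list.splitlines():           # any LISTEN socket on a known backdoor port
        m = re.match(r"tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m and m.group(1) in BACKDOOR_PORTS:
            findings.append(f"listener:{m.group(1)}")
    if not re.search(r"\bvmsyslogd\b", ps_out):   # syslog daemon killed means logs stop flowing
        findings.append("vmsyslogd:not running")
    return findings

if __name__ == "__main__":
    for f in triage(VIB_LIST, LOCAL_SH, CONN_LIST, PS_OUT):
        print(f)
```

On a real host, feed the script the actual command output; a silent run against a clean host is the expected baseline.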

The threat actors demonstrate sophisticated network manipulation capabilities by compromising F5 load balancers via CVE-2022-1388 exploitation and deploying a webshell at '/usr/local/www/xui/common/css/css.php' for network bridging. They use the Neo-reGeorg tunneling webshell on internal Java-based web servers and deploy the Medusa rootkit on Linux pivot points for credential harvesting and persistent access.

Fire Ant uses netsh portproxy commands to forward ports through trusted endpoints, effectively bypassing access control lists and firewall restrictions. The group also leverages IPv6 traffic to bypass IPv4-centric filtering rules, demonstrating in-depth knowledge of dual-stack network environments and common security gaps in organizational infrastructures.

Organizations must urgently prioritize protecting their VMware environments through comprehensive patching, close monitoring of hypervisor activity, and detection capabilities that go beyond traditional endpoint security solutions.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.