Fire Ant exploits critical VMware ESXi and vCenter flaws for undetected hypervisor-level access. The campaign exhibits strong technical overlap with the previously identified UNC3886 threat group, employing critical vulnerabilities and custom malware to maintain persistent, stealthy access to organizational networks.

Sygnia reports that Fire Ant's initial attack vector leverages CVE-2023-34048, an out-of-bounds write vulnerability in vCenter Server's DCERPC protocol implementation that enables unauthenticated remote code execution. The threat actors also exploit CVE-2023-20867, a VMware Tools vulnerability that permits unauthenticated host-to-guest command execution through PowerCLI's Invoke-VMScript cmdlet. They demonstrate sophisticated network manipulation capabilities by compromising F5 load balancers through CVE-2022-1388 exploitation, deploying webshells to '/usr/local/www/xui/common/css/css.php' for network bridging.

Following successful compromise, the threat actors deploy sophisticated tools, including the open-source script vCenter_GenerateLoginCookie.py, to forge authentication cookies and bypass login mechanisms. Unauthorized VIBs (vSphere Installation Bundles) contain configuration files referencing binaries in the '/bin' folder and custom scripts embedded in '/etc/rc.local.d/' for startup execution, and the malware modifies '/etc/rc.local.d/local.sh' on ESXi hosts for persistent execution.

They utilize Neo-reGeorg tunneling webshells on internal Java-based web servers and deploy the Medusa rootkit on Linux pivot points for credential harvesting and persistent access. Fire Ant employs netsh portproxy commands for port forwarding through trusted endpoints, effectively bypassing access control lists and firewall restrictions. To further evade detection, Fire Ant terminates the vmsyslogd process, VMware's native syslog daemon, effectively disabling both local log writing and remote log forwarding.
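The two ESXi persistence artefacts named above, unauthorized VIBs and a modified /etc/rc.local.d/local.sh, are both visible in data a defender can collect from a host. The following is an added example, not code from the article or from Sygnia: it parses `esxcli software vib list` output to flag bundles that lack a VMware or partner acceptance level, and compares local.sh against a known-good baseline, reporting any command lines introduced into it. The esxcli table, the baseline local.sh and the tampered copy are all constructed samples, and the VIB and binary names in them are placeholders.

```python
"""Added example (not the article's or Sygnia's code): review ESXi host data
for the persistence artefacts described in the article. Every sample input
below is constructed."""
import hashlib
import re

# Acceptance levels whose VIBs carry a VMware or partner signature. Anything
# else (CommunitySupported, or a VIB forced in with --no-sig-check) deserves
# review on a host that should only run vendor-supplied bundles.
TRUSTED_ACCEPTANCE = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Constructed sample of `esxcli software vib list` output (column layout as
# esxcli prints it: fields separated by two or more spaces). "host-helper"
# is a placeholder name, not a real indicator.
SAMPLE_VIB_LIST = """\
Name         Version                   Vendor  Acceptance Level    Install Date
-----------  ------------------------  ------  ------------------  ------------
esx-base     8.0.2-0.0.22380479        VMW     VMwareCertified     2024-03-01
net-e1000e   1.1.0-0.0.22380479        VMW     VMwareCertified     2024-03-01
tools-light  12.3.5.22544099-22380479  VMW     VMwareCertified     2024-03-01
host-helper  1.0-1                     ACME    CommunitySupported  2025-06-14
"""


def parse_vib_list(text):
    """Turn esxcli's table into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # skip the header and the dashed separator
        fields = re.split(r"\s{2,}", line.strip())
        rows.append(dict(zip(header, fields)))
    return rows


def find_untrusted_vibs(text):
    """Names of VIBs whose acceptance level is not a signed VMware/partner one."""
    return [row["Name"] for row in parse_vib_list(text)
            if row["Acceptance Level"] not in TRUSTED_ACCEPTANCE]


# Constructed stand-in for a known-good /etc/rc.local.d/local.sh captured at
# build time. In practice take the hash from a freshly installed host of the
# same ESXi build (assumption: the stock file is comments plus `exit 0`).
KNOWN_GOOD_LOCAL_SH = """#!/bin/sh
# local configuration options
exit 0
"""
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_LOCAL_SH.encode()).hexdigest()

# Constructed tampered copy: a startup hook inserted before `exit 0`, the
# pattern the article describes (a binary in /bin launched at boot).
TAMPERED_LOCAL_SH = """#!/bin/sh
# local configuration options
/bin/host-helper -d &
exit 0
"""


def local_sh_findings(content, baseline_sha256=KNOWN_GOOD_SHA256):
    """Report whether local.sh drifted from the baseline and which command
    lines were introduced (anything that is not a comment, blank or `exit 0`)."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    added = [line.strip() for line in content.splitlines()
             if line.strip()
             and not line.lstrip().startswith("#")
             and line.strip() != "exit 0"]
    return {"hash_mismatch": digest != baseline_sha256, "added_commands": added}


if __name__ == "__main__":
    print("untrusted VIBs:", find_untrusted_vibs(SAMPLE_VIB_LIST))
    print("local.sh drift:", local_sh_findings(TAMPERED_LOCAL_SH))
```

Run it against the real `esxcli software vib list` output and a copy of local.sh pulled from each host; a hash mismatch alone says only that the file changed, so the list of added command lines is what tells an analyst whether the change is an administrator's or something that warrants an image of the host.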
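Because killing vmsyslogd stops both local writes and remote forwarding, the host itself will not record the event; the surviving signal is on the collector, where one host falls silent while its peers keep reporting. The following is an added example, not code from the article or from Sygnia, of a collector-side check for that silence. The event stream (host, timestamp of a received syslog message), the host names and the 15-minute threshold are constructed assumptions.

```python
"""Added example (not the article's or Sygnia's code): detect ESXi hosts whose
syslog stream has gone quiet, the collector-side symptom of vmsyslogd being
terminated. The event stream below is constructed."""
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample: three hosts send one message every 5 minutes from
    10:00 to 10:30; esx02 stops after 10:10."""
    base = datetime(2025, 7, 20, 10, 0, 0)
    events = []
    for i in range(7):
        ts = base + timedelta(minutes=5 * i)
        for host in ("esx01", "esx03"):
            events.append((host, ts))
        if i <= 2:  # esx02's last message is at 10:10
            events.append(("esx02", ts))
    return events


def last_seen_per_host(events):
    """Most recent timestamp observed for each host."""
    seen = {}
    for host, ts in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(events, now, max_silence=timedelta(minutes=15), expected_hosts=None):
    """Hosts whose silence at `now` exceeds max_silence, as (host, seconds).

    Hosts listed in expected_hosts that never logged inside the window are
    reported too, measured from the earliest event, so a host that was
    silenced before the window opened does not simply vanish from the view.
    """
    seen = last_seen_per_host(events)
    earliest = min(ts for _, ts in events) if events else now
    findings = []
    for host in sorted(set(seen) | set(expected_hosts or [])):
        gap = now - seen.get(host, earliest)
        if gap > max_silence:
            findings.append((host, int(gap.total_seconds())))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 7, 20, 10, 35, 0)
    for host, secs in silent_hosts(build_sample_events(), now, expected_hosts=["esx04"]):
        print(f"{host}: no syslog for {secs // 60} minutes")
```

The comparison against peers matters: if every host goes quiet at once the problem is the collector or the network path, whereas a single host dropping out while the rest continue is the pattern that should page someone to confirm vmsyslogd is still running on that host.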
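The netsh portproxy forwarding described above leaves a clear trail in process-creation telemetry, since the rule has to be created with a command line. As an added example, not code from the article or from Sygnia, the block below picks `netsh interface portproxy add` invocations out of a list of command lines (such as the CommandLine field of Windows event 4688 or an EDR process event) and extracts the listen and connect endpoints. The sample command lines and addresses in it are constructed.

```python
"""Added example (not the article's or Sygnia's code): find netsh portproxy
rule creation in process-creation command lines and summarise the forwarding
each rule sets up. The sample command lines are constructed."""
import re

# netsh accepts unambiguous prefixes, so "netsh int portproxy" is matched too.
PORTPROXY_ADD = re.compile(
    r"\bnetsh\b.*\b(?:interface|int)\b.*\bportproxy\b.*\badd\b\s+"
    r"(v4tov4|v4tov6|v6tov4|v6tov6)\b(?P<args>.*)",
    re.IGNORECASE,
)
ARG = re.compile(
    r"\b(listenport|listenaddress|connectport|connectaddress|protocol)=(\S+)",
    re.IGNORECASE,
)

# Constructed sample command lines; the addresses are placeholders.
SAMPLE_COMMANDLINES = [
    r"C:\Windows\system32\cmd.exe /c whoami",
    "netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 "
    "connectport=443 connectaddress=10.0.5.20",
    "netsh advfirewall firewall show rule name=all",
    "NETSH interface portproxy show all",
    "netsh int portproxy add v4tov4 listenaddress=192.168.1.10 listenport=3389 "
    "connectaddress=172.16.0.7 connectport=3389",
]


def find_portproxy_rules(cmdlines):
    """Return one dict per rule-creating command line: mode, the parsed
    key=value arguments (lower-cased keys) and the raw command line."""
    rules = []
    for cmd in cmdlines:
        match = PORTPROXY_ADD.search(cmd)
        if not match:
            continue  # not a rule creation (show/delete/unrelated netsh)
        rule = {"mode": match.group(1).lower(), "raw": cmd}
        for key, value in ARG.findall(match.group("args")):
            rule[key.lower()] = value
        rules.append(rule)
    return rules


def describe(rule):
    """Human-readable forwarding summary for triage output."""
    return (f"{rule['mode']}: listen {rule.get('listenaddress', '*')}:"
            f"{rule.get('listenport', '?')} -> {rule.get('connectaddress', '?')}:"
            f"{rule.get('connectport', '?')}")


if __name__ == "__main__":
    for rule in find_portproxy_rules(SAMPLE_COMMANDLINES):
        print(describe(rule))
```

Rules created this way persist across reboots under the registry key HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, and `netsh interface portproxy show all` lists the currently active ones, so an endpoint that shows a rule but has no matching change record is worth a look even when the original process event has aged out of the log.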
This article was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 08:30:18 +0000