Fire Ant, a savvy cybercriminal threat actor, has been observed this year both compromising organizations’ VMware ESXi and vCenter environments and moving laterally within them. The intrusions increasingly extend to network appliances, escalating the threat to this important critical infrastructure around the world to a very serious level. Security experts had previously linked Fire Ant’s operations to advanced tradecraft for exploiting vulnerabilities. The announcement was met with anxiety from the cybersecurity community.
The security firm Sygnia has released a detailed report documenting Fire Ant’s operations and highlighting its strategic focus on compromising infrastructure systems. Fire Ant uses techniques that circumvent network segmentation defenses, including exploitation of CVE-2022-1388 to gain access to and compromise F5 load balancers. This attack pattern gives the threat actor persistent, clandestine access that reaches from the hypervisor into guest operating systems.
Techniques and Tactics
Fire Ant combines two persistent and stealthy tactics to break into the networks of targeted organizations. One central element is easing the deployment of the V2Ray framework, which simplifies tunneling into guest networks. Fire Ant takes an interesting approach to building cross-segment persistence: it deploys web shells that serve as footholds into different areas of the network.
Further, the threat actor deploys unregistered virtual machines directly on multiple ESXi hosts. This method not only avoids detection but also makes incident response considerably more difficult. Fire Ant is a marvel of operational maneuverability, adjusting dynamically to the eradication and containment efforts of the organizations it targets.
“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.” – Sygnia
Collectively, these tactics create elaborate attack chains. They give the actor reliable access to secured and segmented network resources across environments previously believed to be air-gapped.
Payload renaming
The ability to rename payloads to impersonate forensic tools or other benign files introduces another level of complexity, making remediation efforts even more complicated.
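One way a defender can look for the unregistered virtual machines described above is to reconcile the VM worlds actually running on an ESXi host against the host’s registered inventory. The following is an added example, not code from Sygnia’s report or from VMware; it assumes the output layouts of `esxcli vm process list` and `vim-cmd vmsvc/getallvms` shown in the constructed samples, and that both tools report the same datastore label in the config-file path.

```python
import re

# Constructed sample of `esxcli vm process list` output (block layout assumed, not
# data from the report). The second world runs from a .vmx the inventory does not
# know about, named to look like a benign helper, as the renaming tactic describes.
RUNNING_VMS = """\
web01
   World ID: 2101234
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
vmware-tools-helper
   World ID: 2109876
   Display Name: vmware-tools-helper
   Config File: /vmfs/volumes/datastore1/.cache/vmware-tools-helper.vmx
"""

# Constructed sample of `vim-cmd vmsvc/getallvms` output (table layout assumed).
REGISTERED_VMS = """\
Vmid   Name    File                          Guest OS        Version   Annotation
1      web01   [datastore1] web01/web01.vmx   ubuntu64Guest   vmx-19
"""

def parse_running(text):
    """Map each running VM's display name to the .vmx path it was started from."""
    vms, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s+Display Name:\s*(.+)", line):
            name = m.group(1).strip()
        elif (m := re.match(r"\s+Config File:\s*(.+)", line)) and name:
            vms[name] = m.group(1).strip()
            name = None
    return vms

def parse_registered(text):
    """Inventory .vmx paths, rewritten from '[datastore] dir/x.vmx' to the
    /vmfs/volumes/ form esxcli prints (assumes labels match in both tools)."""
    paths = set()
    for line in text.splitlines()[1:]:          # skip the column header
        if m := re.search(r"\[(\S+)\]\s+(\S+\.vmx)", line):
            paths.add(f"/vmfs/volumes/{m.group(1)}/{m.group(2)}")
    return paths

def find_unregistered(running_text, registered_text):
    """Running VM worlds whose config file is absent from the host inventory."""
    registered = parse_registered(registered_text)
    return sorted((n, p) for n, p in parse_running(running_text).items()
                  if p not in registered)

if __name__ == "__main__":
    for name, path in find_unregistered(RUNNING_VMS, REGISTERED_VMS):
        print(f"UNREGISTERED running VM: {name} -> {path}")
```

Any hit should be treated as a lead to investigate, not proof of compromise: a VM registered on another host and started here by mistake can produce the same result.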
The Broader Implications
Fire Ant’s activities have developed in response to increasing threats from nation-state and non-nation-state cyber actors, particularly entities with ties to China. In Singapore, officials have pointed to UNC3886 as another serious threat actor undermining national security through cyber attacks on local critical infrastructure.
Yoav Mazor, Head of Incident Response at Sygnia, raised alarm about the existential risk underlying Fire Ant’s activities. These hazards reach far beyond local or even state lines. He stated, “In addition to the recent context of the attribution disclosed by Singapore’s minister of national security, we can highlight that the group’s activity poses risks to critical infrastructure that extend beyond the regional borders of Singapore and the APJ region.”
The targeting of network edge devices has become an alarming trend over the last couple of years. Cybersecurity analysts have pointed out that standard endpoint security tools often fail to detect such advanced attacks.
“This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective.” – Sygnia
Fire Ant frequently aims at infrastructure systems that are often outside the coverage of baseline detection and response capabilities. These targets offer little detection capability and produce little telemetry, creating perfect sustained in-country footholds for stealthy adversarial operations.