China-Linked Fire Ant Group Exploits VMware, F5 Vulnerabilities in Sophisticated Cyberespionage Campaign
A China-linked cyberespionage group, dubbed Fire Ant, has been exploiting vulnerabilities in VMware and F5 systems since early 2025. The group's tactics align with previous research on UNC3886, showcasing strong resilience and stealthy techniques.
Fire Ant's campaign involves exploiting critical vulnerabilities, such as CVE-2023-34048 in vCenter Server, for unauthenticated remote code execution. The group gained deep control over VMware ESXi hosts and vCenter servers using unauthenticated host-to-guest command execution and credential theft. They also compromised F5 load balancers by exploiting CVE-2022-1388, a flaw in the iControl REST API.
To evade detection, Fire Ant deploys a variant of the open-source Medusa rootkit for stealthy persistence on key Linux pivot points. The group shows remarkable resistance to removal, adapting its tools and disguising malware as forensic tools. Fire Ant uses stealthy, layered attack chains to reach restricted networks thought to be isolated, bypassing network segmentation by compromising appliances and tunneling through legitimate paths.
Fire Ant's exploitation of VMware and F5 vulnerabilities highlights the group's sophistication and determination. Their ability to gain deep control over systems and adapt to evade detection poses a significant threat to secure networks. Organizations are urged to patch affected systems and enhance their security measures to protect against such targeted attacks.