UNC3944 and Fire Ant’s Assault on VMware Infrastructure

The UNC3944 and Fire Ant campaigns are hypervisor-level intrusions against VMware vSphere, its ESXi hosts and vCenter Server. Both actors operate beneath the guest operating system, where EDR agents and most logging have no view, deploy persistence directly on vCenter and ESXi, and obtain privileged access either through social engineering (UNC3944) or by exploiting vCenter vulnerabilities (Fire Ant). UNC3944 is financially motivated and ends in ransomware; Fire Ant is an espionage operator focused on long-term covert access.

Severity Level: High

Threat Details

1. UNC3944 – “From Help Desk to Hypervisor”

  • Initial Access: Phone-based social engineering of the help desk to reset an employee’s Active Directory (AD) password.
  • Privilege Escalation: Repeats the help-desk pretext against named vSphere Admins, resetting their AD credentials and inheriting their vCenter permissions.
  • Pivot to vCenter: Logs into the vSphere Client, opens the VM console of the vCenter Server Appliance (VCSA), reboots it and edits the GRUB kernel line (init=/bin/bash) to drop into a root shell without knowing the appliance’s root password.
  • Persistence: Enables SSH on the VCSA and installs the Teleport agent (a legitimate remote-access tool) as a backdoor.
  • Hypervisor Compromise:
    • Enables SSH on the ESXi hosts from vCenter.
    • Resets ESXi root passwords so that access no longer depends on vCenter.
    • Powers off Domain Controller VMs, copies or detaches their .vmdk files and attaches the disks to an attacker-controlled VM to extract NTDS.dit offline.
  • Backup Destruction: Deletes Veeam backup jobs, snapshots and repositories before encryption begins.
  • Ransomware Deployment: Over the SSH shell, powers off VMs with vim-cmd vmsvc/power.off and runs the encryptor against the datastore files.

2. Fire Ant – “Hypervisor-Level Espionage”

  • Initial Access: Exploits CVE-2023-34048 (out-of-bounds write in the vCenter DCERPC implementation) for unauthenticated remote code execution on vCenter.
  • Credential Harvesting: Decrypts the vpxuser credentials that vCenter stores for each ESXi host. vpxuser remains usable when lockdown mode is enabled, so lockdown mode does not block the pivot to the hosts.
  • Persistence on vCenter and ESXi:
    • Deploys the ksmd backdoor on vCenter, listening on port 7475.
    • Installs unsigned vSphere Installation Bundles (VIBs) on ESXi hosts and modifies /etc/rc.local.d/local.sh so that implants relaunch on boot.
  • Lateral Movement into Guests:
    • Runs PowerCLI Invoke-VMScript against guest VMs, abusing CVE-2023-20867 (VMware Tools authentication bypass) to execute commands without any guest credentials.
    • Inside the guest, the commands spawn as child processes of vmtoolsd.exe.
  • Guest Access & Evasion:
    • Takes VM snapshots that include memory and dumps credentials offline from the .vmem files with Volatility-based tools.
    • Kills vmsyslogd on ESXi hosts to stop log forwarding.
    • Launches unregistered VMs directly with /bin/vmx -x so they never appear in the vCenter inventory.
  • Network Tunneling & Resilience:
    • Installs V2Ray tunnels and Neo-reGeorg webshells.
    • Deploys the Medusa rootkit on Linux pivot points.
    • Exploits F5 BIG-IP (CVE-2022-1388, iControl REST authentication bypass) to bridge segmented networks.

Affected Regions

  • UNC3944: Primarily North America (U.S. retail, airlines)
  • Fire Ant: Global, with emphasis on Asia, Middle East, and North America (inferred via infrastructure and overlap with UNC3886)

Affected Sectors

  • UNC3944: Retail, Airlines, Transportation, Insurance
  • Fire Ant: Telecommunications, Critical Infrastructure, Government, Cloud Providers, Tech firms

Recommendations

  1. Correlate password reset events (AD Event ID 4724) with help desk logs or ticket IDs to identify socially engineered resets, especially for Tier-0 accounts like Domain Admins or vSphere Admins.
  2. Alert on AD group modifications (Event IDs 4728/4732) for sensitive groups such as “vSphere Admins” or “ESX Admins”, particularly when performed by unexpected or newly created users.
  3. Monitor for command-line activity involving wsmprovhost.exe launching tools like net.exe, whoami, or powershell.exe – an indicator of remote execution via WinRM.
  4. Trigger alerts on suspicious vCenter console reboots followed by GRUB modifications (e.g., init=/bin/bash) which indicate boot-time shell access attempts.
  5. Watch for SSH enablement and root password changes on ESXi hosts, particularly when initiated from vCenter or unrecognized jump hosts.
  6. Detect creation and mounting of .vmdk files to secondary VMs, especially involving orphaned or decommissioned VMs – a sign of offline credential theft.
  7. Track deletion of backup jobs or repositories in Veeam logs, combined with logon events from privileged accounts not usually tied to backup administration.
  8. Flag mass VM shutdown commands via vim-cmd vmsvc/power.off followed by execution of binaries from /tmp/ or similar directories on ESXi.
  9. Alert when execInstalledOnly is disabled on ESXi (esxcli system settings kernel set -s execInstalledOnly -v FALSE, or the advanced setting /User/execInstalledOnly set to 0). This control blocks execution of binaries that were not delivered by a signed VIB, so disabling it is a prerequisite for running dropped malware on the host.
  10. Alert on vCenter crashes tied to vmdird process and unauthorized remote login attempts – potential exploitation of CVE-2023-34048.
  11. Monitor for vCenter cookie-based logins without corresponding authentication events, which may indicate forged session cookies (e.g., abuse of vCenter_GenerateLoginCookie.py).
  12. Detect use of Invoke-VMScript from PowerCLI where the parent process of cmd.exe or powershell.exe is vmtoolsd.exe, signaling unauthenticated guest command execution (CVE-2023-20867).
  13. Trigger alerts for snapshot creation (vim-cmd vmsvc/snapshot.create) and .vmem file access followed by execution of tools like UpdateApp, indicative of memory-based credential dumping.
  14. Monitor for termination of vmsyslogd process on ESXi hosts, which disables logging – treat any sudden absence of syslog data from ESXi as a critical alert.
  15. Identify execution of unknown ELF binaries like ksmd, tools, update, or any new files in /bin, /tmp, /scratch directories – these are typically static environments.
  16. Alert on rogue VMs launched via /bin/vmx -x as this bypasses vCenter’s inventory and may indicate attacker-controlled hidden VMs.
  17. Detect port forwarding activity using netsh portproxy commands on workstations or servers bridging segmented networks.
  18. Monitor for VIB installations using esxcli software vib install --force (or -f) and for the host acceptance level being lowered with esxcli software acceptance set; review the Acceptance Level column of esxcli software vib list, where anything outside ‘VMwareCertified’ is suspect.
  19. Log access to local.sh or rc.local.d/ directories on ESXi hosts and track if custom startup scripts are modified to launch backdoors (e.g., autobackup.bin).
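The host-side items above (5, 8, 9, 14, 15, 16, 18 and 19) can be turned into rules over the ESXi shell command history. The following Python script is an added example, not code from either source report or from the vendors: it assumes /var/log/shell.log lines of the form "<timestamp> shell[<pid>]: [<user>]: <command>", runs regular-expression rules over a constructed sample log, and adds a sliding-window rule that fires when several vim-cmd vmsvc/power.off commands occur within one minute. The sample lines, rule names and the 3-VMs-in-60-seconds threshold are illustrative assumptions.

```python
"""Rule-based detection over ESXi shell.log command history.

Added example, not code from the source reports. Assumes shell.log lines of
the form "<timestamp> shell[<pid>]: [<user>]: <command>"; the sample log,
rule names and thresholds below are constructed for illustration.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in shell.log format (not taken from either source report).
SAMPLE_SHELL_LOG = """\
2024-03-10T02:14:07Z shell[2101234]: [root]: vim-cmd hostsvc/enable_ssh
2024-03-10T02:14:20Z shell[2101234]: [root]: passwd root
2024-03-10T02:15:02Z shell[2101234]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE
2024-03-10T02:15:30Z shell[2101234]: [root]: esxcli software acceptance set --level CommunitySupported
2024-03-10T02:15:41Z shell[2101234]: [root]: esxcli software vib install -v /tmp/vmware-tools-fix.vib --force
2024-03-10T02:16:05Z shell[2101234]: [root]: vi /etc/rc.local.d/local.sh
2024-03-10T02:17:11Z shell[2101234]: [root]: kill -9 $(pidof vmsyslogd)
2024-03-10T02:18:00Z shell[2101234]: [root]: /bin/vmx -x /vmfs/volumes/datastore1/hidden/hidden.vmx
2024-03-10T02:20:01Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 12
2024-03-10T02:20:02Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 13
2024-03-10T02:20:03Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 14
2024-03-10T02:20:04Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 15
2024-03-10T02:20:05Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 16
2024-03-10T02:20:30Z shell[2101234]: [root]: chmod +x /tmp/encrypt && /tmp/encrypt /vmfs/volumes
2024-03-11T09:00:00Z shell[2109876]: [root]: esxcli system version get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

# (rule name, severity, pattern matched against the command text only)
RULES = [
    ("ssh_enabled", "high",
     re.compile(r"vim-cmd\s+hostsvc/enable_ssh|/etc/init\.d/SSH\s+start")),
    ("root_password_reset", "high", re.compile(r"^passwd\b")),
    # covers both the kernel-setting and the advanced-setting form
    ("exec_installed_only_disabled", "critical",
     re.compile(r"execInstalledOnly\s+(-v\s+false|-i\s+0)\b", re.I)),
    ("acceptance_level_lowered", "high",
     re.compile(r"esxcli\s+software\s+acceptance\s+set.*CommunitySupported")),
    ("forced_vib_install", "high",
     re.compile(r"esxcli\s+software\s+vib\s+install.*(--force|\s-f\b)")),
    ("startup_script_modified", "high", re.compile(r"/etc/rc\.local\.d/local\.sh")),
    ("syslog_disabled", "critical", re.compile(r"\bp?kill\b.*vmsyslogd")),
    ("rogue_vm_launch", "critical", re.compile(r"(^|\s)/bin/vmx\s+-x\b")),
    # a binary under /tmp or /scratch run as the command itself or after &&, ; or |
    ("tmp_execution", "critical",
     re.compile(r"(^|&&\s*|;\s*|\|\s*)(/tmp|/scratch)/\S+")),
]
POWER_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+")


@dataclass
class ShellEvent:
    ts: datetime
    pid: int
    user: str
    cmd: str


@dataclass
class Alert:
    ts: datetime
    rule: str
    severity: str
    cmd: str


def parse_line(line):
    """Parse one shell.log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ShellEvent(ts, int(m["pid"]), m["user"], m["cmd"])


def detect(text, window=timedelta(seconds=60), threshold=3):
    """Return alerts in log order; the mass power-off rule fires once per burst."""
    alerts = []
    recent = deque()            # timestamps of power.off commands inside `window`
    burst_reported = False
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for name, severity, pattern in RULES:
            if pattern.search(ev.cmd):
                alerts.append(Alert(ev.ts, name, severity, ev.cmd))
        if POWER_OFF_RE.search(ev.cmd):
            recent.append(ev.ts)
            while ev.ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                if not burst_reported:
                    alerts.append(Alert(ev.ts, "mass_vm_shutdown", "critical",
                                        f"{len(recent)} VMs powered off within {window.seconds}s"))
                    burst_reported = True
            else:
                burst_reported = False
    return alerts


def rule_names(alerts):
    return [a.rule for a in alerts]


if __name__ == "__main__":
    for a in detect(SAMPLE_SHELL_LOG):
        print(f"{a.ts:%Y-%m-%dT%H:%M:%SZ} [{a.severity:8}] {a.rule:28} {a.cmd}")
```

Because item 14 describes the attacker killing vmsyslogd, these rules are only useful when shell.log is forwarded off the host to a central syslog collector as it is written; a host that stops sending shell.log lines is itself the alert. The forced-VIB rule deliberately does not match a bare path under /tmp given as an install argument, so the /tmp execution rule fires only when something under /tmp or /scratch is actually run.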

Source:

  • https://www.sygnia.co/blog/fire-ant-a-deep-dive-into-hypervisor-level-espionage/
  • https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944

Ampcus Cyber