Chinese Cyberespionage Group 'Fire Ant' Exploits VMware, F5 Vulnerabilities
A Chinese cyberespionage group, known as Fire Ant, has been exploiting vulnerabilities in VMware and F5 products since early 2025. The group targets virtualization and networking infrastructure, primarily VMware ESXi and vCenter environments.
Fire Ant also compromises F5 load balancers through flaws such as CVE-2022-1388, an authentication bypass in the BIG-IP iControl REST API, and uses the compromised appliances to cross network boundaries. Its attack chains are layered and deliberately stealthy, letting it bypass network segmentation and reach restricted networks that were assumed to be isolated.
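A detection check for the F5 stage described above, added here as an example and not taken from the article or from any vendor's tooling. It applies the publicly documented request shape of CVE-2022-1388 exploitation to captured management-plane requests: an iControl REST request whose Connection header names X-F5-Auth-Token (so the front-end proxy strips the empty token header before the request reaches the REST back end), combined with HTTP Basic credentials for admin with an empty password, typically aimed at the /mgmt/tm/util/bash command endpoint. The request texts are constructed for the example, the hostnames are placeholders, and the indicator names and scoring rule are my own.

```python
"""Heuristic detector for CVE-2022-1388 (F5 BIG-IP iControl REST authentication
bypass) exploitation attempts, run over raw HTTP requests to the management plane.

Added example: the request texts below are constructed, not real F5 logs, and the
indicator names and the flagging rule are this example's own choices.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Endpoint that runs shell commands for an authenticated caller. Legitimate
# automation uses it too, so by itself it is only a weak signal.
COMMAND_ENDPOINTS = ("/mgmt/tm/util/bash",)

# Constructed sample traffic (hostnames are placeholders).
SAMPLE_REQUESTS = [
    # 0: legitimate version query carrying a real session token
    "GET /mgmt/tm/sys/version HTTP/1.1\nHost: bigip.example.internal\n"
    "X-F5-Auth-Token: 5SQ3EXAMPLETOKEN\nConnection: keep-alive\n\n",
    # 1: the published bypass shape: empty token header, Connection header that
    #    tells the proxy to drop it, Basic auth "admin:" with no password
    "POST /mgmt/tm/util/bash HTTP/1.1\nHost: bigip.example.internal\n"
    "Authorization: Basic YWRtaW46\nX-F5-Auth-Token: \n"
    "Connection: keep-alive, X-F5-Auth-Token\nContent-Type: application/json\n\n"
    '{"command": "run", "utilCmdArgs": "-c id"}',
    # 2: an administrator using the same command endpoint with a valid token
    "POST /mgmt/tm/util/bash HTTP/1.1\nHost: bigip.example.internal\n"
    "X-F5-Auth-Token: 5SQ3EXAMPLETOKEN\nConnection: keep-alive\n"
    "Content-Type: application/json\n\n"
    '{"command": "run", "utilCmdArgs": "-c \\"tmsh show sys version\\""}',
    # 3: ordinary traffic outside the management API
    "GET /index.html HTTP/1.1\nHost: www.example.com\nConnection: keep-alive\n\n",
]


def parse_request(raw: str) -> Dict:
    """Parse a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (user, password), or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth.split(None, 1)[1], validate=True)
    except (ValueError, IndexError):
        return None
    user, _, password = decoded.decode("utf-8", "replace").partition(":")
    return user, password


def indicators(req: Dict) -> List[str]:
    """Return the CVE-2022-1388 indicators present in one parsed request."""
    h = req["headers"]
    found: List[str] = []
    if not req["path"].startswith("/mgmt/"):
        return found  # only iControl REST traffic is relevant
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "x-f5-auth-token" in connection_tokens:
        # Strong: no client has a reason to ask the proxy to discard its own token header.
        found.append("connection_header_strips_auth_token")
    if "x-f5-auth-token" in h and h["x-f5-auth-token"] == "":
        found.append("empty_auth_token")
    creds = basic_credentials(h)
    if creds is not None and creds == ("admin", ""):
        found.append("basic_auth_admin_empty_password")
    if req["path"] in COMMAND_ENDPOINTS and "utilCmdArgs" in req["body"]:
        found.append("shell_command_endpoint")
    return found


def is_exploit_attempt(found: List[str]) -> bool:
    """The Connection-header trick alone is decisive; otherwise require two weaker
    signals so an administrator's authenticated use of util/bash is not flagged."""
    return "connection_header_strips_auth_token" in found or len(found) >= 2


def scan(raw_requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, indicators) for every request judged to be an exploit attempt."""
    hits: List[Tuple[int, List[str]]] = []
    for i, raw in enumerate(raw_requests):
        found = indicators(parse_request(raw))
        if is_exploit_attempt(found):
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index}: CVE-2022-1388 exploitation attempt, indicators={reasons}")
```

Only request 1 is flagged. Request 2 shows the caveat the threshold exists for: the util/bash endpoint is also how legitimate administrators run commands, so a hit on that endpoint alone should be triaged, not alerted on. Because CVE-2022-1388 is a pre-authentication bypass, an appliance that was exposed before patching should be treated as possibly compromised regardless of what the logs show.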
The group's chain begins with critical vulnerabilities such as CVE-2023-34048 in vCenter Server. From vCenter it moves laterally to the managed ESXi hosts using stolen vpxuser credentials (the account vCenter uses to administer each host) and deploys persistent backdoors on them. For long-term access, Fire Ant installs a variant of the open-source Medusa rootkit on key Linux pivot points. It also abuses CVE-2023-20867, an authentication bypass in VMware Tools, to run commands inside guest virtual machines from a compromised ESXi host without guest credentials, and extracts credentials from virtual machine memory snapshots.
Fire Ant's ability to bypass network segmentation, chain VMware and F5 flaws, and plant persistent backdoors at the hypervisor and network-appliance layer marks it as a capable actor. Although the intrusion set has not been formally attributed to a previously named threat actor, its activity poses a significant threat to virtualized and network infrastructure.