Chinese ‘Fire Ant’ spies start to bite unpatched VMware instances

Tunnelling allowed lateral movement: Once inside, Fire Ant bypassed network segmentation by exploiting CVE-2022-1388 in F5 BIG-IP devices. This allowed them to deploy encrypted tunnels such as Neo-reGeorg web shells to reach isolated environments, even leveraging IPv6 to evade IPv4 filters.

“The threat actor demonstrated a deep understanding of the target environment’s network architecture and policies, effectively navigating segmentation controls to reach internal, presumably isolated assets,” Sygnia said in a blog post. “By compromising network infrastructure and tunneling through trusted systems, the threat actor systematically bypassed segmentation boundaries, reached isolated networks, and established cross-segment persistence.”

The attackers constantly adapted their techniques, such as altering tools, disguising files, and deploying redundant persistence backdoors, to evade detection and regain access after cleanup.

Sygnia has advised organizations to patch vulnerable VMware components, rotate secure service account credentials, and enforce ESXi lockdown mode to restrict host access. It also recommends using dedicated admin jump hosts, segmenting management networks, and expanding monitoring to include vCenter, ESXi, and appliances that often lack traditional endpoint visibility.

“The only way to prevent nation-state hackers and other criminals from accessing infrastructure easily is by unifying identity,” Kontsevoy added. “By unifying all identities, whether human, software, hardware, or AI, companies can gain a single source of truth and complete visibility into how identities enter and move through their systems.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4029545/chinese-fire-ant-spies-start-to-bite-unpatched-vmware-instances.html
