Fire Ant hacker group exploits VMware vulnerabilities to attack ESXi and vCenter environments

Published: 25/07/2025 (updated 05/02/2026)

A highly sophisticated and stealthy cyber-espionage campaign has been discovered targeting virtualization infrastructure and critical network devices. The attack group, named "Fire Ant" and believed to be linked to UNC3886 (a China-nexus threat group), has quietly infiltrated systems running VMware ESXi and vCenter Server, two core components of modern virtualization infrastructure.

[Image: Vmware Vcentre.png]

Fire Ant is a provisional identifier for a hacker group believed to be linked to UNC3886. What the two groups have in common is that they use the same tools and techniques and target assets that lie outside the coverage of traditional security software.

The attack is not only aimed at stealing information but can also lead to a complete loss of control over systems, especially critical systems that are being "left behind" in current security strategies.

Fire Ant focuses its attacks on:

- VMware ESXi and vCenter Server (virtual machine management systems)
- Network devices such as F5 load balancers
- Environments assumed to be "isolated", with no connection to public networks

These systems are often not closely monitored for security, have few audit logs, and usually lack antivirus software.

Exploited vulnerabilities:

- CVE-2023-34048: a vulnerability in VMware vCenter Server that allows remote access.
- CVE-2023-20867: a vulnerability in VMware Tools that allows direct interference with running virtual machines.

Notably, UNC3886 had exploited CVE-2023-34048 while it was still a zero-day, before Broadcom patched it in October 2023.

Fire Ant uses a multi-layered attack chain (kill chain) with complex techniques:

- Installing persistent backdoors (of the "VIRTUALPITA" type) on both ESXi and vCenter that survive system reboots.
- Using a Python implant to execute commands remotely and send/receive files.
- Exploiting the VMware Tools vulnerability to manipulate virtual machines from the hypervisor.
- Blocking and deleting system logs by stopping the vmsyslogd logging service, rendering monitoring and post-attack analysis meaningless.
- Creating rogue, unregistered virtual machines to evade detection.
- Creating network tunnels (V2Ray) to bypass network segmentation barriers and maintain access.

Impact and consequences

- The attacks are taking place globally, not only in the Asia-Pacific region.
- The targets are organizations operating critical infrastructure with strategic economic and security value.
- Singapore recently formally accused UNC3886 of involvement in attacks on national critical infrastructure affecting essential services.
- Latent risk: attackers can gain access to the entire internal network, bypassing every barrier, if a single vulnerability is exploited.

The Fire Ant campaign is a serious wake-up call about a gap in today's security thinking, in which critical infrastructure systems and network devices are neglected in detection and incident response strategies. Focusing only on user machines (endpoints) is no longer enough.

Security measures recommended by experts:

- Immediately apply all security patches for VMware vCenter, ESXi and VMware Tools.
- Monitor and collect complete logs for the virtualization stack; never leave logging disabled or unretained.
- Deploy security monitoring at the virtualization layer (hypervisor visibility), using specialized solutions if necessary.
- Audit and track privileged access (privileged accounts) such as vpxuser.
- Reassess network segmentation and restrict access between sensitive network zones.
- Strengthen checks on new virtual machines and prevent uncontrolled deployment of unknown machines.

The Fire Ant campaign shows that a new generation of attacks has emerged, focused on the less-noticed infrastructure layers, using superior techniques and operating quietly over the long term. Security today is no longer a matter of "fighting viruses" but a race between understanding one's systems and the ability to detect abnormal behavior.

WhiteHat, The Hacker News

Source: https://whitehat.vn/threads/nhom-hacker-fire-ant-khai-thac-lo-hong-vmware-tan-cong-esxi-va-moi-truong-vcenter.18602/