China-Linked Cyber Espionage Targets MITRE Network: ROOTROT Webshell Exploited
May 7, 2024
MITRE Corporation has released additional information about the cyber attack it disclosed last month, stating that the earliest evidence of the intrusion now dates back to late December 2023. The attack targeted the company's Networked Experimentation, Research, and Virtualization Environment (NERVE) and exploited two then-unpatched Ivanti Connect Secure vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), which can be chained for unauthenticated remote code execution on the appliance.
The attackers gained initial access through the Ivanti appliances and then moved into the research network's VMware infrastructure using a compromised administrator account. They used a combination of backdoors and web shells to maintain a presence in the network and harvest credentials. The earliest signs of intrusion date to late December 2023, when the attackers deployed a Perl-based web shell called ROOTROT for initial access.
ROOTROT, identified by Google-owned Mandiant, is incorporated into a legitimate Connect Secure .ttc file and is linked to a China-nexus cyber espionage cluster known as UNC5221. This group is also associated with other web shells including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. Following the deployment of the web shell, the attackers profiled the NERVE environment and established communication with multiple ESXi hosts, gaining control over MITRE's VMware infrastructure.
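A web shell spliced into a legitimate appliance file, as described above, is not caught by looking for new files alone; the defender needs a trusted manifest of file hashes and a diff against it. The script below is an added illustration, not code from MITRE, Mandiant or Ivanti: it builds a baseline of a directory tree, then audits the tree for modified, added and removed files. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def audit(root: Path, baseline: dict) -> dict:
    """Compare the current tree under root against a trusted baseline manifest."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree, then one tampered template and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates").mkdir()
        (root / "cgi").mkdir()
        # Constructed stand-ins for appliance files; contents are illustrative only.
        (root / "templates" / "login.ttc").write_bytes(b"[% INCLUDE header %]\n")
        (root / "cgi" / "check.cgi").write_bytes(b"#!/usr/bin/perl\nprint 'ok';\n")
        baseline = build_baseline(root)  # taken while the tree is known-good

        # Simulate code appended to a legitimate template file ...
        with (root / "templates" / "login.ttc").open("ab") as f:
            f.write(b"# constructed tamper marker\n")
        # ... and a brand-new file dropped alongside the real CGI scripts.
        (root / "cgi" / "extra.cgi").write_bytes(b"#!/usr/bin/perl\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must come from a known-good source, such as vendor-published hashes for the firmware build (Ivanti's Integrity Checker Tool plays this role for Connect Secure); a baseline captured after the intrusion would simply whitelist the shell. Run the audit from outside the appliance where possible, since an attacker with root on the device can tamper with both the files and the checker.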
They then deployed a Golang backdoor called BRICKSTORM and a previously undocumented web shell known as BEEFLUSH, which allowed them to execute arbitrary commands and communicate with command-and-control servers. As MITRE researcher Lex Crumpton explained, "These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers."
The attackers used techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems. On January 11, 2024, a day after Ivanti publicly disclosed the two flaws, they also deployed another web shell known as WIREFIRE (aka GIFTEDVISITOR) to facilitate covert communication and data exfiltration.
On January 19, 2024, the attackers used the BUSHWALK web shell to transmit data from the NERVE network to their command-and-control infrastructure, and from February to mid-March they attempted lateral movement while maintaining persistence within NERVE. Their attempts to move laterally from NERVE into other MITRE systems were unsuccessful.