China-Linked Cyber Espionage Targets MITRE Network: ROOTROT Webshell Exploited

May 7, 2024

MITRE Corporation has released additional information about a cyber attack on its Networked Experimentation, Research, and Virtualization Environment (NERVE), the earliest evidence of which now dates to late December 2023. The attackers chained two Ivanti Connect Secure zero-day vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), to get in.

The attackers used the Ivanti flaws to gain a foothold in the research network and then moved into its VMware infrastructure using a compromised administrator account. They relied on a combination of backdoors and web shells to maintain a presence in the network and harvest credentials. The earliest signs of intrusion date back to late December 2023, when the attackers deployed a Perl-based web shell called ROOTROT to establish initial access.

ROOTROT, identified by Google-owned Mandiant, is embedded in a legitimate Connect Secure .ttc file and is attributed to a China-nexus cyber espionage cluster tracked as UNC5221. The same group is associated with other web shells, including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. After deploying the web shell, the attackers profiled the NERVE environment and established communication with multiple ESXi hosts, gaining control over NERVE's VMware infrastructure.
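The defensive check implied by a web shell hidden inside a legitimate template file is file-integrity comparison against a known-good baseline, which is the principle behind Ivanti's own Integrity Checker Tool for the appliance. The script below is an added example, not MITRE's, Mandiant's or Ivanti's code: it diffs a directory tree against a manifest of expected SHA-256 hashes, then inspects every new or changed file for Perl code-execution primitives. The directory layout, manifest, file contents and the mock "web shell" payload are all constructed for the demo; real Connect Secure paths and ROOTROT's actual contents are not reproduced here.

```python
"""Baseline hunt for modified or injected template files (constructed demo)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Perl constructs a web shell needs and a display template has no reason to use:
# shell-outs, eval, backtick capture, pipe opens. Heuristic only; tune for the
# real code base, where some of these may appear legitimately.
SUSPICIOUS = re.compile(r"\b(system|exec|eval)\s*\(|`[^`\n]*`|open\s*\([^)]*\|")


def sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path, manifest: dict) -> dict:
    """Compare every file under root with a {relative_path: sha256} manifest.

    Returns relative paths grouped as new, modified, missing, and suspicious
    (new or modified files whose contents match SUSPICIOUS).
    """
    found = {"new": [], "modified": [], "missing": [], "suspicious": []}
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            found["new"].append(rel)
        elif expected != sha256(path):
            found["modified"].append(rel)
        else:
            continue  # hash matches the baseline: nothing to inspect
        if SUSPICIOUS.search(path.read_text(errors="replace")):
            found["suspicious"].append(rel)
    found["missing"] = sorted(set(manifest) - seen)
    return found


# Constructed sample templates. The "web shell" lines are generic Template
# Toolkit PERL blocks that run a request parameter; they are not ROOTROT.
CLEAN_LOGIN = "[% PROCESS header %]\n<div>Welcome [% user.name %]</div>\n"
BACKDOORED_LOGIN = CLEAN_LOGIN + "[% PERL %] print `$q->param('cmd')`; [% END %]\n"
DROPPED_FILE = "[% PERL %] system($q->param('c')); [% END %]\n"


def demo() -> dict:
    """Build a clean tree, record its manifest, simulate the intrusion, then hunt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "templates"  # hypothetical layout, not the appliance's
        tpl.mkdir()
        (tpl / "login.ttc").write_text(CLEAN_LOGIN)
        (tpl / "welcome.ttc").write_text("[% INCLUDE footer %]\n")
        manifest = {p.relative_to(root).as_posix(): sha256(p) for p in tpl.iterdir()}
        # Intrusion: a legitimate template is trojaned and a new one is dropped.
        (tpl / "login.ttc").write_text(BACKDOORED_LOGIN)
        (tpl / "cache.ttc").write_text(DROPPED_FILE)
        return hunt(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The manifest must come from somewhere the attacker cannot rewrite: a vendor-published hash list or a snapshot taken off-box before exposure, which is why an external integrity check run from a separate host is worth more than one run on a device that may already be rooted. The content regex is a triage aid for the files the hash diff flags, not a standalone detector.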

They then deployed a Golang backdoor called BRICKSTORM and a previously undocumented web shell known as BEEFLUSH, which allowed them to execute arbitrary commands and communicate with command-and-control servers. As MITRE researcher Lex Crumpton explained, "These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers."

The attackers used techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems. On January 11, 2024, the day after Ivanti publicly disclosed the two flaws, they also deployed another web shell known as WIREFIRE (aka GIFTEDVISITOR) to facilitate covert communication and data exfiltration.

On January 19, 2024, the attackers used the BUSHWALK web shell to transmit data from the NERVE network to command-and-control infrastructure. From February to mid-March they continued to attempt lateral movement and maintained persistence within NERVE, but they did not succeed in moving laterally into MITRE's core enterprise network.
