MITRE Corporation Cyber Attack: Hackers Utilize Rogue VMs to Evade Detection
May 24, 2024
MITRE Corporation, a not-for-profit company, has shared details of a cyber attack that began in late December 2023, in which the attackers exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS). The hackers created rogue virtual machines (VMs) within the company's VMware environment to avoid detection and maintain persistent access. According to MITRE researchers Lex Crumpton and Charles Clancy, "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access." The hackers deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, which facilitated SSH connections between the rogue VMs and the ESXi hypervisor infrastructure.
The attack was first unveiled last month when MITRE disclosed that a China-linked threat actor, known as UNC5221, had breached its Networked Experimentation, Research, and Virtualization Environment (NERVE). The breach was accomplished by exploiting two ICS flaws, CVE-2023-46805 and CVE-2024-21887. After bypassing multi-factor authentication and securing an initial foothold, the threat actor moved laterally across the network, taking control of the VMware infrastructure using a compromised administrator account. This allowed them to deploy various backdoors and web shells to retain access and harvest credentials. These included a Golang-based backdoor named BRICKSTORM present within the rogue VMs and two web shells, BEEFLUSH and BUSHWALK, which enabled UNC5221 to execute arbitrary commands and communicate with command-and-control servers.
MITRE also revealed that the adversary used a default VMware account, VPXUSER, to make API calls that listed mounted and unmounted drives. The organization emphasized the challenge of detecting and managing rogue VMs, which operate outside standard management processes and do not comply with established security policies. As a countermeasure, MITRE suggested enabling secure boot to verify the integrity of the boot process and prevent unauthorized modifications. The company also shared two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to assist in identifying and mitigating potential threats within the VMware environment. "As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats," MITRE concluded.
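The detection gap described above is that a VM running on an ESXi host need not appear in the vCenter inventory that administrators normally review. The following PowerCLI script is an added example written for this article, not one of MITRE's Invoke-HiddenVMQuery or VirtualGHOST scripts: it asks each host directly (via esxcli) which VM processes are running and reports any whose display name is not in the vCenter inventory. It assumes VMware PowerCLI is installed, that the account can read the inventory and reach each host's esxcli interface, and that `$VCenter` is the vCenter address.

```powershell
# Added defender-side check (hypothetical helper, not MITRE's tooling).
# Assumption: VMware PowerCLI module is installed and Connect-VIServer succeeds.
param(
    [Parameter(Mandatory)] [string] $VCenter
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $VCenter | Out-Null

# What vCenter believes exists: the inventory an admin would normally audit.
$inventoryNames = Get-VM | Select-Object -ExpandProperty Name

$findings = foreach ($vmhost in Get-VMHost) {
    # Ask the hypervisor itself rather than vCenter. esxcli reports every
    # running VM world on the host, whether or not vCenter knows about it.
    $esxcli  = Get-EsxCli -VMHost $vmhost -V2
    $running = $esxcli.vm.process.list.Invoke()

    foreach ($proc in $running) {
        # Caveat: matching by display name only; a rogue VM that reuses the
        # name of a legitimate VM would not be flagged here. The config file
        # path is included so such cases can be triaged by hand.
        if ($inventoryNames -notcontains $proc.DisplayName) {
            [pscustomobject]@{
                Host        = $vmhost.Name
                DisplayName = $proc.DisplayName
                ConfigFile  = $proc.ConfigFile
                WorldID     = $proc.WorldID
            }
        }
    }
}

if ($findings) {
    Write-Warning "Running VM(s) not present in the vCenter inventory:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "All running VM worlds match the vCenter inventory."
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A VM registered only on a host (or unregistered after being started) shows up here but not in `Get-VM`; treat any mismatch as an incident-response lead rather than proof, since a VM whose name collides with a legitimate one still needs manual review of its config file path.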