MITRE Corporation Cyber Attack: Hackers Utilize Rogue VMs to Evade Detection

May 24, 2024

MITRE Corporation, a not-for-profit company, suffered a cyber attack in late December 2023 in which the attackers exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS). The hackers created rogue virtual machines (VMs) within the company's VMware environment, a move aimed at avoiding detection and maintaining persistent access. MITRE researchers Lex Crumpton and Charles Clancy wrote: "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access." The hackers deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, which facilitated SSH connections between the rogue VMs and the ESXi hypervisor infrastructure.

The attack was first disclosed last month, when MITRE revealed that a China-linked threat actor, tracked as UNC5221, had breached its Networked Experimentation, Research, and Virtualization Environment (NERVE). The breach was accomplished by exploiting two ICS flaws, CVE-2023-46805 and CVE-2024-21887. After bypassing multi-factor authentication and securing an initial foothold, the threat actor moved laterally across the network and took control of the VMware infrastructure using a compromised administrator account. This allowed them to deploy various backdoors and web shells to retain access and harvest credentials. These included a Golang-based backdoor named BRICKSTORM, present within the rogue VMs, and two web shells, BEEFLUSH and BUSHWALK, which enabled UNC5221 to execute arbitrary commands and communicate with command-and-control servers.

MITRE also revealed that the adversary used a default VMware account, VPXUSER, to make API calls that listed mounted and unmounted drives. The organization emphasized the challenge of detecting and managing rogue VMs, which operate outside standard management processes and do not comply with established security policies. As a countermeasure, MITRE suggested enabling secure boot to verify the integrity of the boot process and prevent unauthorized modifications. The company also shared two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to assist in identifying and mitigating potential threats within the VMware environment. "As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats," MITRE concluded.
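One concrete way to surface the pattern described above, a VM that is running on an ESXi host but has no entry in the host's registered inventory, is to diff the hypervisor's process list against its inventory. The script below is an added example, not either of the scripts the article names; it assumes the rogue VM appears in `esxcli vm process list` but not in `vim-cmd vmsvc/getallvms`, and the sample output of both commands is constructed for the example.

```python
import re

# Constructed sample of `esxcli vm process list` output from one ESXi host
# (made up for this example; not data from the MITRE incident).
PROCESS_LIST = """\
web01
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
db01
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx
svc-update
   Display Name: svc-update
   Config File: /vmfs/volumes/datastore1/.cache/svc-update.vmx
"""

# Constructed sample of `vim-cmd vmsvc/getallvms` output (the host's registered inventory).
GETALLVMS = """\
Vmid   Name    File                          Guest OS        Version   Annotation
1      web01   [datastore1] web01/web01.vmx    ubuntu64Guest   vmx-14
2      db01    [datastore1] db01/db01.vmx      ubuntu64Guest   vmx-14
"""

# Matches the "[datastore] relative/path.vmx" form used in the inventory listing.
DATASTORE_PATH = re.compile(r"\[(?P<ds>[^\]]+)\]\s+(?P<rel>\S+\.vmx)")


def parse_running_vms(text):
    """Return {config_path: display_name} for every VM process the host reports."""
    running, name = {}, None
    for line in text.splitlines():
        if line.strip().startswith("Display Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.strip().startswith("Config File:"):
            running[line.split(":", 1)[1].strip()] = name
    return running


def parse_registered_vms(text):
    """Return the set of registered .vmx paths, normalised to /vmfs/volumes form."""
    return {f"/vmfs/volumes/{m['ds']}/{m['rel']}" for m in DATASTORE_PATH.finditer(text)}


def find_unregistered_running(process_text, inventory_text):
    """VMs with a running process but no inventory entry: the rogue-VM pattern."""
    running = parse_running_vms(process_text)
    registered = parse_registered_vms(inventory_text)
    return sorted((name, path) for path, name in running.items() if path not in registered)
```

Comparing by config-file path rather than display name avoids being fooled by a rogue VM that reuses a legitimate name; run the two commands on each host and feed their output to `find_unregistered_running`.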
