Cyber security news for all


China-Linked Hackers Employed ROOTROT Webshell in MITRE Network Intrusion

The MITRE Corporation has provided further insights into a recent cyber attack, revealing that the initial signs of intrusion date back to December 31, 2023.

The attack, disclosed last month, targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two zero-day vulnerabilities in Ivanti Connect Secure, identified as CVE-2023-46805 and CVE-2024-21887.

According to MITRE, the adversaries infiltrated the research network using a compromised administrator account within the VMware infrastructure. They used backdoors and web shells to maintain persistence and harvest credentials.

While MITRE initially reported reconnaissance activity starting in January 2024, the latest investigation uncovered evidence of compromise as early as December 2023. The attackers deployed a Perl-based web shell named ROOTROT for initial access, concealed within a legitimate Connect Secure .ttc file.

ROOTROT, attributed to the China-based cyber espionage group UNC5221, is associated with other web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Subsequently, the threat actors profiled the NERVE environment, communicated with ESXi hosts, and seized control of MITRE’s VMware infrastructure. They introduced a Golang backdoor called BRICKSTORM and a newly discovered web shell named BEEFLUSH, enabling them to execute arbitrary commands and communicate with command-and-control servers.

MITRE researcher Lex Crumpton explained that the adversaries used techniques such as SSH manipulation and suspicious script execution to maintain control over compromised systems.

Further investigation revealed the deployment of another web shell, WIREFIRE (also known as GIFTEDVISITOR), for covert communication and data exfiltration following the public disclosure of the vulnerabilities on January 11, 2024.

On January 19, 2024, the adversary employed the BUSHWALK web shell to transmit data from the NERVE network to their command-and-control infrastructure. Attempts at lateral movement and persistence within NERVE continued from February to mid-March, including an unsuccessful lateral movement attempt into MITRE systems.

This incident underscores the sophisticated tactics employed by threat actors and emphasizes the critical importance of robust cybersecurity measures to mitigate such attacks.
