Nation-State

MITRE Hack: China-Linked Group Breached Systems in December 2023

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

MITRE has shared more details on the recently disclosed hack, including the new malware involved in the attack, attribution information, and a timeline of the attacker’s activities.

MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed on April 19 that hackers had targeted its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research, development, and prototyping. 

The hackers gained initial access through the exploitation of Ivanti Connect Secure VPN device zero-day vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887. 

The zero-days were leveraged by a cyberespionage group linked to China — tracked by Mandiant as UNC5221 — in targeted attacks for weeks before their existence came to light and Ivanti released mitigations. The list of victims included the cybersecurity agency CISA, which said the incident could affect up to 100,000 individuals.

MITRE initially blamed the attack on a state-sponsored threat actor, but did not share further details. In a follow-up post, the organization clarified that the indicators of compromise (IoCs) observed during its investigation into the incident overlap with those attributed by Mandiant to UNC5221. Mandiant describes the group as a “China-nexus espionage threat actor”.

Initially, MITRE said the attack occurred in early January, but it has now revealed that the first evidence of intrusion dates to December 31, 2023. That is when the hackers exploited the Ivanti zero-days for initial access to the NERVE network. 

On January 4, 2024, the hackers started profiling the environment, interacting with VMware vCenter and ESXi hosts.

“Subsequently, they successfully logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture,” MITRE said.

The next day, the adversary started manipulating virtual machines and established control over the compromised infrastructure. 

In the following days, the threat actor deployed several malicious payloads, including a vCenter backdoor named BrickStorm and a previously unknown web shell that MITRE has named BeeFlush.

On January 11, the day after the Ivanti zero-days came to light, the attacker deployed another web shell, named WireFire, and started preparing for data exfiltration. Data exfiltration occurred on January 19 and involved another web shell, named BushWalk. 

Between mid-February and mid-March, the hackers maintained persistence in the NERVE environment and attempted lateral movement, but failed to pivot to other resources. MITRE only discovered the intrusion in April.

The organization, which is widely known for its ATT&CK knowledge base of adversary tactics and techniques, has made available technical details on each piece of malware involved in the attack, along with additional IoCs.

The Ivanti product vulnerabilities used in the MITRE hack have been widely exploited since their existence became publicly known, being leveraged to compromise hundreds of devices, including ones housed by government, telecoms, defense and tech organizations. Proper patches were only released in late January. 

Related: Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor

Related: Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
