Connect with us

Hi, what are you looking for?


Incident Response

VMware Abused in Recent MITRE Hack for Persistence, Evasion

MITRE has shared information on how China-linked hackers abused VMware for persistence and detection evasion in the recent hack.

MITRE hacked

MITRE has published another blog post describing the recent cyberattack, focusing on how the hackers abused its VMware systems for persistence and detection evasion.

MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed one month ago that state-sponsored hackers had exploited zero-day vulnerabilities in an Ivanti product to gain unauthorized access to its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.

The vulnerabilities exploited in the attack, tracked as CVE-2023-46805 and CVE-2024-21887, came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by Chinese hackers to compromise Ivanti VPN devices. 

MITRE discovered signs of exploitation in April, but its investigation determined that a cyberespionage group linked to China — tracked by Mandiant as UNC5221 — exploited the Ivanti zero-days for initial access to its NERVE environment in late December 2023. 

The threat actor deployed a VMware vCenter backdoor named BrickStorm and a web shell named BeeFlush. It also deployed a web shell named WireFire and exfiltrated data using a different web shell, named BushWalk.

Between mid-February and mid-March, the hackers maintained persistence in the NERVE environment and attempted lateral movement, but failed to pivot to other resources, MITRE said.

In a blog post published on Wednesday, MITRE explained that the BrickStorm and the BeeFlush malware abused virtual machines (VMs) through a user account named ‘VPXUSER’ to establish persistence. 

The attackers conducted activities within the VMware environment after compromising administrator credentials that gave them privileged access to the NERVE ESXi infrastructure. 

Advertisement. Scroll to continue reading.

The hackers created their own rogue VMs within the VMware environment, then deployed the BeeFlush shell under the vCenter Server’s Tomcat server “to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure”.

“By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery,” MITRE explained.

MITRE has also shared two scripts that other organizations can use to identify and mitigate potential threats in their VMware environments. One of the scripts, Invoke-HiddenVMQuery, was developed by MITRE, while the second, VirtualGHOST, was created by CrowdStrike. 

Other recommendations and resources for detection and mitigation have also been shared by MITRE.

Related: MITRE EMB3D Threat Model Officially Released

Related: Chinese Spies Exploited VMware vCenter Server Vulnerability Since 2021

Related: VMware Patches Vulnerabilities Exploited at Pwn2Own 2024

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

Megan Samford named Chief Security Officer of Schneider Electric's US National Security Agreements & US Federal Business.

More People On The Move

Expert Insights