MITRE has published another blog post describing the recent cyberattack, focusing on how the hackers abused its VMware systems for persistence and detection evasion.
MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed one month ago that state-sponsored hackers had exploited zero-day vulnerabilities in an Ivanti product to gain unauthorized access to its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.
The vulnerabilities exploited in the attack, tracked as CVE-2023-46805 and CVE-2024-21887, came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by Chinese hackers to compromise Ivanti VPN devices.
MITRE discovered signs of exploitation in April, but its investigation determined that a cyberespionage group linked to China — tracked by Mandiant as UNC5221 — exploited the Ivanti zero-days for initial access to its NERVE environment in late December 2023.
The threat actor deployed a VMware vCenter backdoor named BrickStorm and a web shell named BeeFlush. It also deployed a web shell named WireFire and exfiltrated data using a different web shell, named BushWalk.
Between mid-February and mid-March, the hackers maintained persistence in the NERVE environment and attempted lateral movement, but failed to pivot to other resources, MITRE said.
In a blog post published on Wednesday, MITRE explained that the BrickStorm and the BeeFlush malware abused virtual machines (VMs) through a user account named ‘VPXUSER’ to establish persistence.
The attackers conducted activities within the VMware environment after compromising administrator credentials that gave them privileged access to the NERVE ESXi infrastructure.
The hackers created their own rogue VMs within the VMware environment, then deployed the BeeFlush shell under the vCenter Server’s Tomcat server “to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure”.
“By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery,” MITRE explained.
MITRE has also shared two scripts that other organizations can use to identify and mitigate potential threats in their VMware environments. One of the scripts, Invoke-HiddenVMQuery, was developed by MITRE, while the second, VirtualGHOST, was created by CrowdStrike.
Other recommendations and resources for detection and mitigation have also been shared by MITRE.
Related: MITRE EMB3D Threat Model Officially Released
Related: Chinese Spies Exploited VMware vCenter Server Vulnerability Since 2021
Related: VMware Patches Vulnerabilities Exploited at Pwn2Own 2024
