In a shocking cyberattack disclosed by The MITRE Corporation, a China-linked threat actor, UNC5221, exploited zero-day flaws in Ivanti Connect Secure (ICS) to infiltrate MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) in late December 2023.
The attackers bypassed multi-factor authentication, gained an initial foothold, and used compromised administrator accounts to take over the VMware infrastructure. They created rogue virtual machines (VMs) within MITRE’s VMware environment, leveraging compromised vCenter Server access. By deploying a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server, they executed a Python-based tunneling tool for SSH connections between the rogue VMs and the ESXi hypervisor infrastructure. This sophisticated method allowed them to avoid detection by central management interfaces like vCenter, ensuring persistent access.
Key tools included a Golang-based backdoor named BRICKSTORM and two web shells, BEEFLUSH and BUSHWALK, used to execute commands and communicate with command-and-control servers. The attackers also exploited a default VMware account, VPXUSER, to make API calls and enumerate mounted drives, further evading detection.
MITRE emphasized the difficulty of detecting rogue VMs, which operate outside standard management processes. To counter such threats, it recommends enabling Secure Boot to prevent unauthorized modifications and using two newly released PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to identify and mitigate threats within VMware environments.
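The detection gap described above is that a VM registered directly on an ESXi host never appears in vCenter's inventory, so a reconciliation between the two views surfaces it. The script below is an added illustration of that idea, not MITRE's Invoke-HiddenVMQuery or CrowdStrike's VirtualGHOST and not code from the article: it parses the output of the real ESXi command `vim-cmd vmsvc/getallvms` for one host and reports any VM that vCenter does not list for that host. The host name, VM names, datastore and the vCenter inventory set are constructed sample data; in practice the getallvms text would be collected from each host over SSH and the inventory exported from vCenter.

```python
import re
from dataclasses import dataclass

# Constructed sample: what `vim-cmd vmsvc/getallvms` prints on one ESXi host.
# The header and column layout follow the real command; the VM names and
# datastore are made up for this example.
ESXI_GETALLVMS_OUTPUT = """\
Vmid   Name      File                                Guest OS                 Version   Annotation
12     web-01    [datastore1] web-01/web-01.vmx      ubuntu64Guest            vmx-19
15     db-01     [datastore1] db-01/db-01.vmx        windows2019srv_64Guest   vmx-19
21     vm-tmp    [datastore1] vm-tmp/vm-tmp.vmx      otherGuest               vmx-19
"""

# Constructed sample: VM names vCenter reports per host (e.g. an inventory
# export). "vm-tmp" is deliberately absent to model a VM registered on the
# host behind vCenter's back.
VCENTER_INVENTORY = {"esx01.example.test": {"web-01", "db-01"}}

# One data row of getallvms: numeric Vmid, name, "[datastore] path.vmx",
# guest OS id, virtual hardware version; the trailing annotation is optional.
VM_LINE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+(?P<vmx>\[[^\]]+\]\s+\S+)\s+"
    r"(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)


@dataclass(frozen=True)
class EsxiVm:
    vmid: int
    name: str
    vmx_path: str
    guest_os: str
    hw_version: str


def parse_getallvms(text: str) -> list[EsxiVm]:
    """Parse `vim-cmd vmsvc/getallvms` output into VM records (header skipped)."""
    vms = []
    for raw in text.splitlines():
        m = VM_LINE.match(raw.strip())
        if not m:
            continue  # header line or blank
        vms.append(EsxiVm(int(m["vmid"]), m["name"], m["vmx"], m["guest"], m["version"]))
    return vms


def find_hidden_vms(host: str, getallvms_text: str, vcenter_inventory: dict) -> list[EsxiVm]:
    """Return VMs registered on `host` that vCenter does not list for that host.

    A host unknown to vCenter contributes an empty set, so every VM on it is
    reported; that is the conservative choice for a reconciliation check.
    """
    known = vcenter_inventory.get(host, set())
    return [vm for vm in parse_getallvms(getallvms_text) if vm.name not in known]


def main() -> None:
    host = "esx01.example.test"
    for vm in find_hidden_vms(host, ESXI_GETALLVMS_OUTPUT, VCENTER_INVENTORY):
        print(f"{host}: VM '{vm.name}' (vmid {vm.vmid}, {vm.vmx_path}) "
              f"is registered on the host but absent from vCenter")


if __name__ == "__main__":
    main()
```

Matching on name alone is enough for the sample; a production check would also compare the .vmx path and the VM's instance UUID, since a rogue VM can reuse the display name of a legitimate one.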
MITRE stated, “As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats.”