MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions.
In April 2024, MITRE announced a breach in one of its research and prototyping networks. Following the discovery, MITRE's security team swiftly initiated an investigation, ejected the threat actor, and enlisted third-party forensics Incident Response teams for independent analysis alongside internal experts. It was revealed that a nation-state actor had infiltrated MITRE's systems in January 2024 by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).
The intrusion was detected when MITRE noticed suspicious activity from a foreign nation-state threat actor targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), which is utilized for research and prototyping purposes. MITRE promptly took NERVE offline and commenced mitigation procedures. Although investigations are ongoing to ascertain the extent of compromised information, MITRE has informed relevant authorities and affected parties while endeavoring to restore alternative collaboration platforms.
Despite MITRE's adherence to industry best practices, vendor recommendations, and governmental directives to bolster its Ivanti system, oversight led to unauthorized access into its VMware infrastructure. However, MITRE emphasized that neither its core enterprise network nor its partners' systems were impacted by the breach.
MITRE researchers identified indicators of compromise associated with UNC5221, a China-linked APT group, coinciding with the security breach. The hackers gained initial access to NERVE on December 31, deploying the ROOTROT web shell on Internet-facing Ivanti appliances.
On January 4, 2024, the threat actors conducted reconnaissance within the NERVE environment, leveraging compromised Ivanti appliances to access vCenter and communicate with multiple ESXi hosts. Subsequently, the attackers utilized hijacked credentials to infiltrate accounts via RDP, accessing user bookmarks and file shares to probe the network and manipulate VMs, compromising the infrastructure.
Further malicious activities ensued, including deploying the BRICKSTORM backdoor and the BEEFLUSH web shell on January 7, 2024, facilitating persistent access and arbitrary command execution. The hackers maintained control through SSH manipulation and script execution, exploiting default VMware accounts and establishing communication with designated C2 domains.
Additional payloads, such as the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration, were deployed on the target infrastructure. Despite attempts at lateral movement between mid-February and mid-March, the threat actors failed to compromise other resources beyond NERVE.
MITRE concluded its update with malware analysis and Indicators of Compromise for the involved payloads, highlighting the adversary's persistent attempts to infiltrate and maintain control within the network.
