Analysis Summary

More information about the previously publicized cyberattack has been provided by the MITRE Corporation, which claims that the intrusion's earliest known evidence now dates to December 31, 2023.

This attack was discovered a month ago and targeted MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE) by leveraging two zero-day vulnerabilities in Ivanti Connect Secure, which are identified as CVE-2023–46805 and CVE–2024–21887, respectively. The attacker used a compromised administrator account to navigate about the research network utilizing VMware infrastructure. To stay persistent and collect credentials, the attacker then used a mix of web shells and backdoors.

“The adversary deployed the ROOTROT web shell on an external-facing Ivanti appliance, gaining initial access to NERVE, a MITRE prototyping network,” reads the report.

Although the organization had previously revealed that the attackers began conducting network reconnaissance in January 2024, the most recent technical analysis places the first indications of compromise in late December 2023, with the adversary providing initial access through a Perl-based web shell known as ROOTROT. ROOTROT is the product of a China-nexus cyber espionage cluster called UNC5221, which is also connected to other web shells including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. It is embedded into a genuine Connect Secure.ttc file found at "/data/runtime/tmp/tt/setcookie.thtml.ttc".

After deploying the web shell, the threat actor explored the NERVE environment and communicated with several ESXi hosts. Eventually, they took control of MITRE's VMware infrastructure and dropped a web shell known as BEEFLUSH, which was previously undisclosed, and a Golang backdoor known as BRICKSTORM. By taking these steps, the adversary gained persistent access, the ability to communicate with command-and-control servers, and the ability to carry out arbitrary commands. The adversary employed strategies such as manipulating SSH and running dubious scripts to sustain control over the infected systems.

Subsequent investigation has shown that, to enable covert communication and data exfiltration, the threat actor also launched a second web shell, called WIREFIRE (also known as GIFTEDVISITOR), one day after the twin vulnerabilities were made public on January 11, 2024. In addition to transferring data from the NERVE network to command-and-control infrastructure on January 19, 2024, through the BUSHWALK web shell, the adversary is reported to have tried lateral movement and continued to be persistent within NERVE between February and mid-March.

Impact

• Cyber Espionage
• Command Execution
• Data Exfiltration
• Credential Theft

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.