China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion

May 7, 2024 at 09:57AM

The recent cyber attack on MITRE Corporation, disclosed last month, exploited two zero-day vulnerabilities to target its NERVE research network. The attackers utilized various web shells and backdoors to gain access and maintain control, including deploying a Golang backdoor and conducting data exfiltration. The attack, attributed to a China-nexus cyber espionage cluster, exhibited persistent and sophisticated tactics.

Key takeaways from the Newsroom Vulnerability/Network Security article of May 07, 2024:

– The cyber attack on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) utilized zero-day vulnerabilities and a combination of backdoors and web shells to gain access and maintain persistence within the research network.

– The attack began in late December 2023, with the adversary dropping a Perl-based web shell called ROOTROT for initial access. The attack was attributed to a China-nexus cyber espionage cluster dubbed UNC5221.

– MITRE researcher Lex Crumpton detailed the adversary’s actions, including establishing control over VMware infrastructure, deploying a Golang backdoor called BRICKSTORM, and maintaining control through techniques such as SSH manipulation and execution of suspicious scripts.

– Further analysis revealed that the threat actor deployed multiple web shells, including WIREFIRE, BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, and attempted lateral movement within NERVE from February to mid-March.

These takeaways provide insight into the timeline, tactics, and techniques employed by the threat actor during the cyber attack on MITRE’s NERVE environment.