May 7, 2024 at 05:56PM
The MITRE Corporation was targeted by China-linked hackers who used various backdoors and web shells. The attackers gained access to NERVE, MITRE’s research network, and deployed five unique payloads over several months. MITRE emphasized the importance of secure design, zero trust, and continuous authentication in light of the attack’s aftermath.
From the meeting notes, it is clear that the MITRE Corporation was compromised by China-linked hackers who used a range of backdoors and web shells to gain unauthorized access to various parts of the organization’s network. The attackers exploited zero-day vulnerabilities in Ivanti Connect Secure and gained access to MITRE’s NERVE environment, a research and development network. The attackers deployed several unique payloads, including the “Rootrot” web shell, the “Brickstorm” backdoor for VMware vCenter servers, the “Wirefire” web shell, the “Bushwalk” web shell, and the previously undocumented “Beeflush” web shell.
It is notable that the attackers used these tools to enable reconnaissance, lateral movement, command and control, and manipulation of file systems within MITRE’s network. The incident also underscores the ongoing battle between threat actors and defenders in the cybersecurity space, emphasizing the need for continued vigilance, improvement, and adaptation in cybersecurity measures, even among leading organizations like MITRE.
The meeting notes conclude by highlighting the importance of secure-by-design and zero trust principles, continuous authentication policies, and software bills of materials (SBOMs) in mitigating cyber threats. It is emphasized that susceptibility to cyberattacks does not undermine the credibility or value of the ATT&CK framework, as cybersecurity involves constantly evolving threats and any organization can fall victim to a cyberattack, especially when zero-day vulnerabilities are involved.