May 23, 2024 at 10:17AM
MITRE detailed a recent cyberattack where state-sponsored hackers exploited zero-day vulnerabilities to access its NERVE environment. The attackers abused VMware systems for persistence and detection evasion, deploying backdoors and web shells. MITRE identified the threat actor and shared mitigation scripts for other organizations to safeguard their VMware environments.
Key takeaways from the meeting notes about the cyberattack on MITRE’s VMware systems:
– MITRE revealed that state-sponsored Chinese hackers exploited zero-day vulnerabilities in an Ivanti product to gain unauthorized access to its NERVE environment.
– The vulnerabilities exploited were tracked as CVE-2023-46805 and CVE-2024-21887, and were initially brought to light by cybersecurity firm Volexity.
– MITRE’s investigation determined that the cyberespionage group linked to China, tracked as UNC5221 by Mandiant, exploited the zero-days for initial access to the NERVE environment in late December 2023.
– The hackers maintained persistence using a VMware vCenter backdoor named BrickStorm and a web shell named BeeFlush. They also deployed other web shells named WireFire and BushWalk for exfiltrating data.
– MITRE explained that the attackers abused VMs through a user account named ‘VPXUSER’ to establish persistence and evade detection within the VMware environment.
– MITRE has shared scripts such as Invoke-HiddenVMQuery and VirtualGHOST developed by MITRE and CrowdStrike, respectively, for identifying and mitigating potential threats in VMware environments.
– Additionally, MITRE has provided other recommendations and resources for detection and mitigation related to the cyberattack.