May 24, 2024 at 12:51PM
MITRE Corporation has disclosed further details of the cyber attack that hit the not-for-profit organization in late December 2023, revealing that the intruders created rogue virtual machines within its VMware environment. The attack, attributed to a China-linked threat actor, exploited two Ivanti Connect Secure zero-day flaws and highlights the need for organizations to remain vigilant against cyber threats.
Key Takeaways from the Meeting Notes:
– The attack on the not-for-profit involved the threat actor creating rogue virtual machines (VMs) within its VMware environment after gaining initial access by exploiting zero-day flaws in Ivanti Connect Secure (ICS).
– The rogue VMs were created to evade detection: a VM registered directly on the hypervisor does not show up in centralized management interfaces such as vCenter, which let the attacker maintain persistent access while reducing the risk of discovery.
– The China-nexus threat actor, tracked as UNC5221 by Mandiant, breached the Networked Experimentation, Research, and Virtualization Environment (NERVE) by chaining the ICS flaws CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), and used various backdoors and web shells to retain access and harvest credentials.
– Countermeasures include enabling secure boot on ESXi hosts to prevent unauthorized modifications, and running the PowerShell scripts Invoke-HiddenVMQuery (from MITRE) and VirtualGHOST (from CrowdStrike), which compare the VMs registered on each ESXi host against the vCenter inventory to surface VMs the management plane does not know about.
– Organizations are advised to remain vigilant and adaptive in defending against evolving cyber threats.
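The detection idea behind the hunting scripts named above is a simple set difference: list what each ESXi host itself says is registered (for example via vim-cmd vmsvc/getallvms over SSH) and subtract what vCenter reports for that host; whatever remains is a candidate rogue VM. The following is an added example of that logic written for this page; it is not MITRE's or CrowdStrike's code. The getallvms text and the vCenter inventory are constructed samples, the host name esxi01 and the VM names are made up, and the column layout assumes VM names without spaces. Comparing on the .vmx path rather than the display name is a deliberate choice, since an attacker can give a rogue VM the same name as a legitimate one.

```python
"""Find VMs registered on an ESXi host that are absent from the vCenter
inventory (the hidden-VM pattern described in MITRE's NERVE write-up).

All inputs are constructed samples; nothing here talks to a hypervisor.
"""
import re

# Constructed sample: what `vim-cmd vmsvc/getallvms` prints on host esxi01.
# Columns: Vmid  Name  File  Guest OS  Version  Annotation
ESXI01_GETALLVMS = """\
Vmid   Name           File                                          Guest OS             Version   Annotation
1      web01          [datastore1] web01/web01.vmx                  ubuntu64Guest        vmx-19
2      build-runner   [datastore1] build-runner/build-runner.vmx    centos8_64Guest      vmx-19
7      web01          [datastore1] .tmp/web01/web01.vmx             other3xLinux64Guest  vmx-19    tmp
"""

# Constructed sample: vCenter's view of the same host (what Get-VM would return).
VCENTER_INVENTORY = [
    {"host": "esxi01", "name": "web01", "vmx": "[datastore1] web01/web01.vmx"},
    {"host": "esxi01", "name": "build-runner", "vmx": "[datastore1] build-runner/build-runner.vmx"},
]

# One data row of getallvms: numeric id, name, "[datastore] path.vmx",
# guest OS, vmx-NN hardware version, optional free-text annotation.
# Assumes VM names contain no whitespace (hypothetical sample layout).
ROW_RE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+(?P<vmx>\[[^\]]+\]\s+\S+\.vmx)\s+"
    r"(?P<guest>\S+)\s+(?P<version>vmx-\d+)(?:\s+(?P<annotation>.*))?$"
)


def parse_getallvms(text):
    """Return one dict per VM row; the header and blank lines do not match."""
    vms = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        vm = m.groupdict()
        vm["vmx"] = " ".join(vm["vmx"].split())  # normalise column padding
        vms.append(vm)
    return vms


def find_hidden_vms(host, getallvms_text, vcenter_inventory):
    """VMs the hypervisor knows about but vCenter does not, keyed on .vmx path.

    Each finding carries a reason list so an analyst can see at once whether
    the rogue VM is also masquerading under a managed VM's display name.
    """
    managed = [v for v in vcenter_inventory if v["host"] == host]
    known_paths = {v["vmx"] for v in managed}
    known_names = {v["name"] for v in managed}

    findings = []
    for vm in parse_getallvms(getallvms_text):
        if vm["vmx"] in known_paths:
            continue
        reasons = ["registered on %s but absent from vCenter inventory" % host]
        if vm["name"] in known_names:
            reasons.append("reuses the display name of a managed VM")
        findings.append({**vm, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hidden_vms("esxi01", ESXI01_GETALLVMS, VCENTER_INVENTORY):
        print("vmid=%s name=%s vmx=%s" % (f["vmid"], f["name"], f["vmx"]))
        for r in f["reasons"]:
            print("  -", r)
```

In a real hunt the getallvms text would come from each host in turn (over SSH, as VirtualGHOST does, or via the host's own API), and the vCenter side from PowerCLI's Get-VM with its VmPathName; the comparison itself is the part that matters and is host-agnostic.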