Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack

May 24, 2024 at 12:51PM

MITRE Corporation has disclosed further details of the cyber attack on the not-for-profit company in late December 2023, including the use of rogue virtual machines created within its VMware environment. The attack, attributed to a China-linked threat actor, exploited Ivanti Connect Secure flaws and highlights the need for organizations to remain vigilant against cyber threats.

Key Takeaways from the Meeting Notes:
– The cyber attack on the not-for-profit company began with the exploitation of zero-day flaws in Ivanti Connect Secure (ICS) and involved the creation of rogue virtual machines (VMs) within its VMware environment.
– The rogue VMs served to avoid detection: they kept malicious activity out of view of centralized management interfaces and provided persistent access while reducing the risk of discovery.
– The China-nexus threat actor, tracked as UNC5221 by Mandiant, breached the Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting ICS flaws CVE-2023-46805 and CVE-2024-21887, and utilized various backdoors and web shells to retain access and harvest credentials.
– Countermeasures include enabling secure boot to prevent unauthorized modifications and utilizing PowerShell scripts named Invoke-HiddenVMQuery and VirtualGHOST to help identify and mitigate potential threats within the VMware environment.
– Organizations are advised to remain vigilant and adaptive in defending against evolving cyber threats.
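One way to surface VMs that exist on a hypervisor but are invisible to centralized management is to diff the host's own registration list against what vCenter reports for that host. The following is an added example, not MITRE's Invoke-HiddenVMQuery or the VirtualGHOST script; it assumes the host list was captured with the standard ESXi shell command `vim-cmd vmsvc/getallvms` and the vCenter view exported as a list of VM names (for instance from PowerCLI `Get-VM`). Both inputs below are constructed samples.

```python
"""Flag VMs registered directly on an ESXi host but absent from vCenter.

Added example; not MITRE's tooling. Inputs are constructed samples laid out
like `vim-cmd vmsvc/getallvms` output and a plain vCenter VM-name list.
"""

# Constructed sample: `vim-cmd vmsvc/getallvms` as run on one ESXi host.
HOST_INVENTORY = """\
Vmid   Name          File                                 Guest OS             Version   Annotation
1      web-prod-01   [ds1] web-prod-01/web-prod-01.vmx    ubuntu64Guest        vmx-19
2      db-prod-01    [ds1] db-prod-01/db-prod-01.vmx      centos8_64Guest      vmx-19
7      tmp-vm        [ds1] tmp-vm/tmp-vm.vmx              other3xLinux64Guest  vmx-19
"""

# Constructed sample: VM names vCenter lists for the same host.
VCENTER_INVENTORY = ["web-prod-01", "db-prod-01"]


def parse_getallvms(text):
    """Parse getallvms rows into dicts. The '[datastore]' token anchors the
    File column, so VM names containing spaces are handled; wrapped
    annotation lines (no '[' and no numeric Vmid) are skipped."""
    vms = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Vmid") or "[" not in line:
            continue
        left, right = line.split("[", 1)
        vmid, _, name = left.strip().partition(" ")
        if not vmid.isdigit():
            continue
        rest = right.split()  # ['ds1]', 'path.vmx', guestId, 'vmx-NN', ...]
        vms.append({
            "vmid": int(vmid),
            "name": name.strip(),
            "vmx": "[" + rest[0] + " " + rest[1],
            "guest": rest[2] if len(rest) > 2 else "",
            "version": rest[3] if len(rest) > 3 else "",
        })
    return vms


def find_unmanaged_vms(host_text, vcenter_names):
    """Return VMs the host knows about that vCenter does not list for it."""
    managed = set(vcenter_names)
    return [vm for vm in parse_getallvms(host_text) if vm["name"] not in managed]


if __name__ == "__main__":
    for vm in find_unmanaged_vms(HOST_INVENTORY, VCENTER_INVENTORY):
        print(f"REVIEW: vmid={vm['vmid']} name={vm['name']} vmx={vm['vmx']}")
```

Any VM reported here was registered outside vCenter's view and should be reconciled against change records before being treated as benign.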
