Cyber Attack on MITRE Corporation: Exploit of Zero-Day Vulnerabilities and Rogue Virtual Machines
In late December 2023, the MITRE Corporation became the target of a sophisticated cyber attack that leveraged zero-day vulnerabilities in Ivanti Connect Secure (ICS). The attackers, identified as a threat group with ties to China, were able to gain unauthorized access to MITRE’s VMware environment, where they created rogue virtual machines (VMs). This breach, detailed in a recent report by MITRE researchers, reveals the intricacies and potential implications of modern cyber threats.
According to MITRE’s findings, the adversary exploited compromised access to the vCenter Server, a central component of VMware management. This access allowed the attackers to establish their own malicious VMs, which were integrated into the existing infrastructure. As articulated by MITRE researchers Lex Crumpton and Charles Clancy, one of the key strategies employed by the attackers was the deployment of a JSP web shell, dubbed BEEFLUSH, on the vCenter Server’s Tomcat server. This web shell enabled the execution of a Python-based tunneling tool, facilitating covert SSH communications between the adversarial VMs and the underlying ESXi hypervisor.
The attackers’ ultimate goal appears to have been to obfuscate their activities, effectively evading centralized monitoring systems and maintaining a persistent foothold within MITRE’s network. This highlights a crucial aspect of modern infiltration tactics, where adversaries utilize deception to operate beneath the radar of conventional security measures. The creation of rogue VMs is particularly concerning, as these entities circumvent standard management protocols and established security frameworks, complicating detection and response efforts.
Recent revelations have confirmed that the breach was executed using two specific vulnerabilities within ICS, cataloged as CVE-2023-46805 and CVE-2024-21887. After bypassing multi-factor authentication and achieving initial access to the network, the attackers leveraged a compromised administrator account to navigate laterally through the environment. This lateral movement enabled the deployment of various backdoors and web shells, including a Golang-based backdoor called BRICKSTORM, which was embedded within the rogue VMs, thus allowing continued command over the compromised systems.
Furthermore, the attackers utilized a default VMware account known as VPXUSER to perform numerous API calls, revealing a list of both mounted and unmounted drives. This tactic underscores the concerning ease with which adversaries can exploit inherent system weaknesses, emphasizing the need for robust credential management and monitoring practices.
In combating such threats, MITRE emphasizes the importance of implementing secure boot mechanisms as a fundamental countermeasure. This technology ensures the integrity of the boot process, preventing unauthorized modifications that could lead to a successful infiltration. In addition, MITRE has provided two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, designed to assist organizations in detecting rogue VMs and mitigating potential vulnerabilities within their VMware environments.
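The detection idea behind such tooling is that a VM registered directly on an ESXi host, rather than through vCenter, shows up in the hypervisor's own inventory but not in vCenter's. The script below is an added illustration of that comparison; it is not MITRE's Invoke-HiddenVMQuery or VirtualGHOST, and it does not claim to reproduce their logic. Both inventories are constructed sample data: the ESXi side imitates the table printed by `vim-cmd vmsvc/getallvms` (column spacing is an assumption), and the vCenter side is a plain set of VM names that a real deployment would pull from the vCenter API. The dot-directory path heuristic is likewise an assumption of this example, not a documented indicator.

```python
"""Flag VMs present on an ESXi host but absent from vCenter's inventory.

Added example (not MITRE's code). Assumes that a rogue VM created directly on
the hypervisor is missing from vCenter, and uses constructed inventories.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of `vim-cmd vmsvc/getallvms` output on one ESXi host.
# The exact column layout is an assumption for this example.
ESXI_GETALLVMS_OUTPUT = """\
Vmid   Name            File                                        Guest OS              Version
1      web-prod-01     [datastore1] web-prod-01/web-prod-01.vmx     ubuntu64Guest         vmx-19
2      db-prod-01      [datastore1] db-prod-01/db-prod-01.vmx       rhel8_64Guest         vmx-19
7      vmware-support  [datastore2] .hidden/vmware-support.vmx      other3xLinux64Guest   vmx-19
"""

# Constructed sample: VM names vCenter reports for that same host.
VCENTER_INVENTORY: Set[str] = {"web-prod-01", "db-prod-01"}


@dataclass(frozen=True)
class HostVM:
    vmid: int
    name: str
    vmx_path: str  # e.g. "[datastore1] web-prod-01/web-prod-01.vmx"


# One data row: numeric Vmid, VM name, then "[datastore] relative/path.vmx".
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\[\S+\]\s+\S+)")


def parse_getallvms(output: str) -> List[HostVM]:
    """Parse the getallvms table; the header line does not match _ROW and is skipped."""
    vms: List[HostVM] = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            vms.append(HostVM(int(m.group(1)), m.group(2), m.group(3)))
    return vms


def find_unregistered_vms(host_vms: Iterable[HostVM], vcenter_names: Set[str]) -> List[HostVM]:
    """VMs the hypervisor knows about that vCenter does not: the core rogue-VM check."""
    return [vm for vm in host_vms if vm.name not in vcenter_names]


def suspicious_path(vm: HostVM) -> bool:
    """Assumed heuristic: VMX stored in a dot-directory or in a folder not named after the VM."""
    relative = vm.vmx_path.split("]", 1)[1].strip()
    folder = relative.split("/", 1)[0]
    return folder.startswith(".") or folder != vm.name


def report(host_vms: Iterable[HostVM], vcenter_names: Set[str]) -> List[str]:
    """Human-readable findings, one line per unregistered VM."""
    lines = []
    for vm in find_unregistered_vms(host_vms, vcenter_names):
        flag = " (unusual VMX location)" if suspicious_path(vm) else ""
        lines.append(f"vmid={vm.vmid} name={vm.name} path={vm.vmx_path!r} not in vCenter{flag}")
    return lines


if __name__ == "__main__":
    for finding in report(parse_getallvms(ESXI_GETALLVMS_OUTPUT), VCENTER_INVENTORY):
        print(finding)
```

Run against real data, the host side would come from each ESXi host's shell and the vCenter side from the vCenter API for the same host; a name that appears only on the hypervisor is the signal, and the path check merely prioritises which hits to look at first.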
As cyber adversaries continue to evolve their strategies and techniques, businesses must remain vigilant and responsive to emerging threats. The MITRE attack is a stark reminder of the persistent risk that cyber actors pose and the ongoing necessity for organizations to fortify their defenses. By referencing the MITRE ATT&CK framework, businesses can gain insight into tactics such as initial access, persistence, and privilege escalation that may have been employed by the attackers. Remaining proactive and informed is critical in the face of an ever-changing cybersecurity landscape.