The recent cyber incident involving the MITRE Corporation has shed light on the intricacies of the attack, with the earliest signs of compromise identified as far back as December 31, 2023. This breach, which came to public attention in April 2024, specifically targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), exploiting two unpatched vulnerabilities in Ivanti Connect Secure, designated CVE-2023-46805 and CVE-2024-21887.
According to MITRE, the attackers gained access to the research network through VMware infrastructure using a compromised administrator account. They leveraged a combination of backdoors and web shells to maintain their foothold and gather sensitive credentials. A detailed technical analysis reveals that the adversaries utilized techniques aligned with the MITRE ATT&CK Matrix, particularly initial access through exploitation of software vulnerabilities and persistence via web shells.
While MITRE had previously noted that attackers initiated reconnaissance on their systems from January 2024, it is now clear that the infiltration began even earlier. The intruders deployed a Perl-based web shell named ROOTROT, which was embedded in a legitimate Connect Secure file, indicating a sophisticated approach. This tool is attributed to a cyber espionage group with ties to China, identified as UNC5221, which has been associated with other malicious software like BUSHWALK and FRAMESTING.
Once access was established via the ROOTROT web shell, the threat actors mapped out the NERVE infrastructure and communicated with several ESXi hosts, ultimately gaining control over MITRE’s VMware environment. They subsequently introduced a Golang backdoor known as BRICKSTORM, along with a new web shell called BEEFLUSH, facilitating persistent access. The attackers employed tactics such as SSH manipulation and the execution of suspicious scripts to retain their control.
Further investigations revealed the deployment of another web shell, WIREFIRE (or GIFTEDVISITOR), shortly after the public announcement of the zero-day vulnerabilities on January 11, 2024. This shell served to enhance covert communication and aid in data exfiltration efforts, demonstrating an organized and ongoing operation aimed at extracting sensitive information.
Throughout the attack, the adversary relied on the BUSHWALK web shell to transmit data from the NERVE network to their command-and-control infrastructure. According to MITRE researchers, attempts at lateral movement within the network were also made between February and mid-March, although the attackers were ultimately unsuccessful in breaching further into MITRE’s systems.
This incident underscores the critical importance of timely software updates and the need for robust cybersecurity measures. As organizations increasingly depend on interconnected networks, understanding and implementing defenses against the tactics outlined in the MITRE ATT&CK framework will be essential for mitigating risks related to similar infiltrations.
