The MITRE Company has supplied extra particulars into the lately disclosed cyber assault, stating that the primary proof of the intrusion now dates again to December 31, 2023.
The assault, which got here to gentle final month, singled out MITRE’s Networked Experimentation, Analysis, and Virtualization Atmosphere (NERVE) via the exploitation of two Ivanti Join Safe zero-day vulnerabilities tracked as CVE-2023–46805 and CVE-2024–21887, respectively.
“The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials,” MITRE mentioned.
Whereas the group had beforehand disclosed that the attackers carried out reconnaissance of its networks beginning in January 2024, the most recent technical deep dive places the earliest indicators of compromise in late December 2023, with the adversary dropping a Perl-based net shell known as ROOTROT for preliminary entry.
ROOTROT, per Google-owned Mandiant, is embedded right into a reputable Join Safe .ttc file situated at “/data/runtime/tmp/tt/setcookie.thtml.ttc” and is the handiwork of a China-nexus cyber espionage cluster dubbed UNC5221, which can also be linked to different net shells corresponding to BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Following the online shell deployment, the menace actor profiled the NERVE atmosphere and established communication with a number of ESXi hosts, finally establishing management over MITRE’s VMware infrastructure and dropping a Golang backdoor known as BRICKSTORM and a beforehand undocumented net shell known as BEEFLUSH.
“These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers,” MITRE researcher Lex Crumpton defined. “The adversary utilized techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems.”
Additional evaluation has decided that the menace actor additionally deployed one other net shell referred to as WIREFIRE (aka GIFTEDVISITOR) a day after the general public disclosure of the dual flaws on January 11, 2024, to facilitate covert communication and information exfiltration.
Moreover utilizing the BUSHWALK net shell for transmitting information from the NERVE community to command-and-control infrastructure on January 19, 2024, the adversary is alleged to have tried lateral motion and maintained persistence inside NERVE from February to mid-March.
“The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful,” Crumpton mentioned.
