The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit organization toward late December 2023, carried out by exploiting zero-day flaws in Ivanti Connect Secure (ICS), involved the actor creating rogue virtual machines (VMs) within its VMware environment.
“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access,” MITRE researchers Lex Crumpton and Charles Clancy said.
“They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.”
The motive behind such a move is to sidestep detection by obscuring malicious activity from centralized management interfaces like vCenter, maintaining persistent access while reducing the risk of being discovered.
Details of the attack emerged last month when MITRE revealed that the China-nexus threat actor, tracked by Google-owned Mandiant under the name UNC5221, breached its Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two ICS flaws, CVE-2023-46805 and CVE-2024-21887.
After bypassing multi-factor authentication and gaining an initial foothold, the adversary moved laterally across the network and leveraged a compromised administrator account to take control of the VMware infrastructure, deploying various backdoors and web shells to retain access and harvest credentials.
These consisted of a Golang-based backdoor codenamed BRICKSTORM that was present within the rogue VMs and two web shells known as BEEFLUSH and BUSHWALK, allowing UNC5221 to execute arbitrary commands and communicate with command-and-control servers.
“The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives,” MITRE said.
“Rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”
One effective countermeasure against threat actors’ stealthy efforts to bypass detection and maintain access is to enable secure boot, which prevents unauthorized modifications by verifying the integrity of the boot process.
The company said it is also making available two PowerShell scripts named Invoke-HiddenVMQuery and VirtualGHOST to help identify and mitigate potential threats within the VMware environment.
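The detection idea behind the tooling described above is to stop trusting the vCenter view alone and compare it against what each ESXi host is actually running. The following PowerCLI script is an added example written for this article, not MITRE's Invoke-HiddenVMQuery or VirtualGHOST; it assumes the VMware.PowerCLI module is installed and that `$VCenter` (a hypothetical parameter) names a vCenter Server the account can read.

```powershell
# Added example, not MITRE's script: flag VM worlds that an ESXi host is
# running but that do not appear in the vCenter inventory.
param(
    [Parameter(Mandatory)] [string] $VCenter   # hypothetical: vCenter FQDN
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# What the management plane claims exists.
$inventory = Get-VM | Select-Object -ExpandProperty Name

foreach ($esx in Get-VMHost) {
    # 'esxcli vm process list' run against each host enumerates the VM
    # worlds the hypervisor itself is executing, registered or not.
    $esxcli  = Get-EsxCli -VMHost $esx -V2
    $running = $esxcli.vm.process.list.Invoke()

    foreach ($proc in $running) {
        if ($inventory -notcontains $proc.DisplayName) {
            [PSCustomObject]@{
                Host        = $esx.Name
                DisplayName = $proc.DisplayName
                ConfigFile  = $proc.ConfigFile   # datastore path of the .vmx
                WorldID     = $proc.WorldID
                Finding     = 'Running on ESXi but absent from vCenter inventory'
            }
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Because the attack described here began with compromised vCenter access, any hit should be corroborated by connecting directly to the ESXi host rather than relying solely on data relayed through vCenter.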
“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats,” MITRE said.