MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.
According to the MITRE Corporation, a nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection flaw. Chained together, they give an unauthenticated attacker command execution on the appliance.
MITRE researchers reported that the indicators of compromise observed during the breach overlap with those Mandiant associated with UNC5221, a China-linked APT group.
The state-sponsored hackers first gained initial access to NERVE (MITRE’s Networked Experimentation, Research, and Virtualization Environment) on December 31, 2023, then deployed the ROOTROT web shell on the Internet-facing Ivanti appliances.
“The adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE,” reads the update published by MITRE. “They attempted to enable SSH and attempted to destroy one of their own VMs as well as POSTed to /ui/list/export and downloaded a file demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.”
In the following days, the threat actors deployed additional payloads on the target infrastructure, including the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell, the latter used for data exfiltration.
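Two of the behaviours in MITRE’s timeline above are cheap to hunt for in web-tier logs: administrative credentials authenticating from an address they should not come from, and a POST to the /ui/list/export endpoint. The script below is an added example written for this article, not code from MITRE, Ivanti or Mandiant. It assumes Apache/nginx combined-format access logs, a hypothetical jump-host subnet (10.20.0.0/24) as the only expected source of admin logins, and a set of constructed sample lines that are not real NERVE logs.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Apache/nginx "combined" style. They are
# NOT real NERVE, vCenter or Ivanti logs; they exist only to exercise the checks.
SAMPLE_LOG = """\
10.20.1.15 - - [03/Jan/2024:10:02:11 +0000] "GET /ui/ HTTP/1.1" 200 5120
10.20.1.15 - admin [03/Jan/2024:10:03:40 +0000] "POST /ui/login HTTP/1.1" 200 312
10.20.1.15 - admin [03/Jan/2024:10:05:02 +0000] "POST /ui/list/export HTTP/1.1" 200 1048576
10.20.9.7 - jdoe [03/Jan/2024:10:06:30 +0000] "GET /ui/app/vm HTTP/1.1" 200 2048
10.20.0.5 - admin [03/Jan/2024:11:00:00 +0000] "POST /ui/login HTTP/1.1" 200 312
"""

# Assumptions for the example (tune to your environment):
# - administrative accounts are only expected to authenticate from a jump-host
#   subnet; any other source, internal or not, deserves a look;
# - the export endpoint named in MITRE's update is the one request we watch.
ADMIN_USERS = {"admin", "root"}
ADMIN_JUMP_NETS = [ip_network("10.20.0.0/24")]   # hypothetical jump-host subnet
WATCHED_REQUESTS = {("POST", "/ui/list/export")}
RFC1918_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def is_internal(ip):
    """True if the address (string or ipaddress object) is in an RFC 1918 range."""
    ip = ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in RFC1918_NETS)


def find_suspicious(log_text, admin_users=ADMIN_USERS, admin_nets=ADMIN_JUMP_NETS):
    """Return one finding per log line that matches at least one check."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ip_address(rec["ip"])
        reasons = []
        # Check 1: the export endpoint MITRE saw the adversary POST to.
        if (rec["method"], rec["path"]) in WATCHED_REQUESTS:
            reasons.append(f"{rec['method']} to watched endpoint {rec['path']} "
                           f"(status {rec['status']}, {rec['size']} bytes)")
        # Check 2: admin credentials used from outside the jump-host subnet,
        # which is how the internal-IP lateral movement in the update would look.
        if rec["user"] in admin_users and not any(ip in net for net in admin_nets):
            where = "internal" if is_internal(ip) else "external"
            reasons.append(f"admin account {rec['user']!r} used from {where} "
                           f"address {ip} outside the jump-host subnet")
        if reasons:
            findings.append({"ip": str(ip), "user": rec["user"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']:<12} {f['user']:<8} {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample input the script flags the two lines from 10.20.1.15: the admin login from a non-jump-host address, and the export request, which trips both checks. The allow-listed jump-host login from 10.20.0.5 is not reported. The point of the second check is that an internal source address is not a clean signal on its own; what made it notable in MITRE’s case was admin credentials appearing where they were not expected.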
Pierluigi Paganini

(SecurityAffairs – hacking, China)