The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The organization's security team promptly launched an investigation, cut off the threat actor's access, and engaged third-party forensics and incident response teams to conduct an independent analysis in collaboration with internal experts.

According to the MITRE Corporation, the China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.
“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”

In the following days, the threat actors deployed additional payloads on the target infrastructure, including the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration.
MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, Invoke-HiddenVMQuery, was developed by MITRE, is written in PowerShell, and serves to detect malicious activity: it scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.
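The check described above, scanning rc.local.d boot scripts for unexpected /bin/vmx invocations, as an added POSIX-sh example: this is not MITRE's Invoke-HiddenVMQuery (which is PowerShell) and not code from the article. It assumes a directory laid out like /etc/rc.local.d on ESXi, and the sample scripts and datastore path it builds for an offline run are constructed placeholders.

```shell
#!/bin/sh
# Added example, not MITRE's Invoke-HiddenVMQuery: a POSIX-sh check that
# flags non-comment lines in rc.local.d-style boot scripts which invoke
# /bin/vmx. Starting vmx directly from a boot script is one way a VM can be
# kept running without appearing in the management inventory, so every such
# line deserves a manual review. Assumed: the directory mirrors
# /etc/rc.local.d on ESXi; the scripts and paths below are constructed samples.

# Print "file:lineno:text" for every live (non-comment) line under DIR that
# references /bin/vmx. Exit status 1 if anything was found, 0 otherwise.
scan_rc_local_d() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # grep -n yields "lineno:text"; drop lines whose text starts with '#'
        hits=$(grep -n '/bin/vmx' "$f" 2>/dev/null \
               | grep -v '^[0-9][0-9]*:[[:space:]]*#')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            found=1
        fi
    done
    return "$found"
}

# Number of flagged lines under DIR (0 when clean).
count_vmx_hits() {
    scan_rc_local_d "$1" | awk 'END { print NR }'
}

# Build constructed sample scripts in DIR so the check can be exercised
# offline: one benign script and one that starts a VM from a boot script.
make_sample_dir() {
    dir="$1"
    cat > "$dir/benign.sh" <<'EOF'
#!/bin/sh
# constructed benign boot script: no vmx reference
esxcli system syslog reload
exit 0
EOF
    cat > "$dir/local.sh" <<'EOF'
#!/bin/sh
# constructed suspicious boot script; the next comment must not fire:
# /bin/vmx is mentioned here only as a note
/bin/vmx /vmfs/volumes/PLACEHOLDER_DATASTORE/unregistered/unregistered.vmx &
exit 0
EOF
}

# Stand-alone run: scan the directory given as $1, or a constructed sample.
if [ -n "${1:-}" ]; then
    scan_rc_local_d "$1" || echo "review the flagged lines above"
else
    tmp=$(mktemp -d)
    make_sample_dir "$tmp"
    scan_rc_local_d "$tmp" || echo "review the flagged lines above"
    rm -rf "$tmp"
fi
```

On a real host, run it as `sh scan.sh /etc/rc.local.d` from the ESXi shell; a non-zero exit makes it easy to wire into a fleet-wide compliance job. A hit is a review prompt, not a verdict: the next step is to compare the .vmx path on the flagged line against the VMs the host and vCenter actually have registered.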
Pierluigi Paganini