
Hackers Deployed Rogue VMs in Recent MITRE Cyber Attack


State-sponsored hackers were recently able to exploit vulnerabilities within MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), utilizing rogue virtual machines (VMs) as a means to avoid detection and establish persistence in a cyberattack. The attack, which has been attributed to a group linked to China known as UNC5221, highlights the increasing sophistication of cyber threats and the challenges that even top cybersecurity organizations like MITRE face in defending against them.

The breach initially began in late December of 2023 when the attackers took advantage of two zero-day vulnerabilities found in Ivanti Connect Secure appliances, specifically identified as CVE-2023-46805 and CVE-2024-21887. By exploiting these vulnerabilities, the hackers were able to bypass multi-factor authentication through session hijacking, ultimately gaining unauthorized access to MITRE’s NERVE environment.

While the initial signs of exploitation were not detected until April of 2024, MITRE and third-party digital forensics teams launched a thorough investigation into the incident once it was discovered. This led to the discovery of the attackers’ sophisticated tactics, which involved utilizing compromised administrator credentials to move laterally within the NERVE environment and target the VMware infrastructure.

Within the NERVE environment, the attackers created rogue VMs using a default service account called ‘VPXUSER,’ allowing them to operate outside of centralized management interfaces like vCenter. By doing so, the hackers were able to maintain control over compromised systems while minimizing the risk of detection. They deployed a backdoor named BrickStorm and a web shell called BeeFlush within these rogue VMs, with the latter being placed under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool that facilitated SSH connections between the adversary-created VMs and the ESXi hypervisor infrastructure. This setup enabled the attackers to establish persistent communication channels with their command-and-control (C2) servers and administrative subnets within NERVE.

In response to the breach, MITRE took the NERVE environment offline and conducted a thorough forensic analysis. In a detailed blog post, the organization shared insights into the attackers’ tactics, techniques, and procedures (TTPs), stressing the importance of monitoring for unusual SSH activity and manually checking for unregistered VMs using specific command lines. MITRE also provided scripts such as Invoke-HiddenVMQuery and VirtualGHOST to assist other organizations in detecting and mitigating similar threats within their VMware environments.
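The core of the "unregistered VM" check described above is a reconciliation: list what each ESXi host is actually running and compare it with what the management plane knows about. The script below is an added example, not MITRE's Invoke-HiddenVMQuery or VirtualGHOST. It assumes that the text in the shape of `esxcli vm process list` output has been collected from each host (the samples here are constructed, including the host names, VM names, world IDs and UUIDs), and that the set of VM names from the vCenter inventory is the authoritative list; any VM a host runs that vCenter does not list is reported.

```python
"""Reconcile VMs running on ESXi hosts against the vCenter inventory.

Added example, not code from MITRE or VMware. A VM that a host is running but
that the management plane does not know about is the kind of unregistered VM
described in the article. All sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed: VM names the vCenter inventory would return (for example from
# the vSphere API). Assumed here to be the authoritative list of known VMs.
VCENTER_INVENTORY = {"web-01", "db-01", "jump-01"}

# Constructed sample text in the shape of `esxcli vm process list`, keyed by
# host. One unindented line names each VM; indented "Key: Value" lines follow.
ESXI_PROCESS_LIST = {
    "esxi-01": """web-01
   World ID: 2101234
   Process ID: 0
   VMX Cartel ID: 2101233
   UUID: 42 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f8
   Display Name: web-01
   Config File: /vmfs/volumes/datastore1/web-01/web-01.vmx
db-01
   World ID: 2101300
   Process ID: 0
   VMX Cartel ID: 2101299
   UUID: 42 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f9
   Display Name: db-01
   Config File: /vmfs/volumes/datastore1/db-01/db-01.vmx
""",
    "esxi-02": """jump-01
   World ID: 2102000
   Process ID: 0
   VMX Cartel ID: 2101999
   UUID: 42 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 fa
   Display Name: jump-01
   Config File: /vmfs/volumes/datastore2/jump-01/jump-01.vmx
mon-agent
   World ID: 2102400
   Process ID: 0
   VMX Cartel ID: 2102399
   UUID: 42 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 fb
   Display Name: mon-agent
   Config File: /vmfs/volumes/datastore2/.hidden/mon-agent.vmx
""",
}


@dataclass
class RunningVM:
    """One VM process reported by a host, with its parsed key/value fields."""
    host: str
    name: str
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def config_file(self) -> str:
        return self.fields.get("Config File", "")


# Indented "Key: Value" line inside a VM record.
_FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_esxcli_vm_process_list(host: str, text: str) -> list[RunningVM]:
    """Parse text in the shape of `esxcli vm process list` into records."""
    vms: list[RunningVM] = []
    current: RunningVM | None = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line starts a new VM
            current = RunningVM(host=host, name=raw.strip())
            vms.append(current)
            continue
        match = _FIELD_RE.match(raw)
        if match and current is not None:
            current.fields[match.group(1).strip()] = match.group(2).strip()
    return vms


def find_unregistered_vms(vcenter_inventory: set[str],
                          process_lists: dict[str, str]) -> list[RunningVM]:
    """Return VMs running on any host whose name vCenter does not list."""
    findings: list[RunningVM] = []
    for host, text in process_lists.items():
        for vm in parse_esxcli_vm_process_list(host, text):
            display = vm.fields.get("Display Name", vm.name)
            if display not in vcenter_inventory:
                findings.append(vm)
    return findings


def report(findings: list[RunningVM]) -> list[str]:
    """Human-readable lines for each finding, one per unregistered VM."""
    return [f"{vm.host}: '{vm.name}' running but not in vCenter inventory "
            f"(config: {vm.config_file or 'unknown'})" for vm in findings]


if __name__ == "__main__":
    for line in report(find_unregistered_vms(VCENTER_INVENTORY, ESXI_PROCESS_LIST)):
        print(line)
```

The same diff can be run locally on a single host by taking the registered list from `vim-cmd vmsvc/getallvms` instead of vCenter; a VM present in the process list but absent from both is the strongest signal, and its config file path tells the responder where on the datastore to look.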

This incident underscores the evolving nature of cyber threats and highlights the necessity for continuous vigilance and advanced defense mechanisms. MITRE’s commitment to sharing its findings and best practices aims to assist other organizations in strengthening their security measures and preparing for potential future risks. The cyberattack on MITRE serves as an example of the complex methods employed by state-sponsored hackers to infiltrate and persist within high-value targets, demonstrating the importance of robust defense strategies and continuous monitoring to combat advanced persistent threats.
