In late December 2023, MITRE Corporation faced a sophisticated cyber attack leveraging zero-day vulnerabilities within Ivanti Connect Secure (ICS). This post delves into the attack’s methodology, the threat actor implicated, and the mitigation strategies proposed by MITRE. The attack methodology involved exploiting the identified vulnerabilities to infiltrate MITRE’s network, bypassing its defenses. The threat actor, identified as UNC5221 by Mandiant, executed the attack, highlighting the advanced nature of the threat. MITRE suggests mitigation strategies, including patching vulnerable systems promptly, enhancing access controls, and implementing robust monitoring to detect and respond to such threats effectively.

Attack Overview

MITRE revealed that the attackers, identified by Mandiant as the China-nexus threat actor UNC5221, exploited two critical vulnerabilities in Ivanti Connect Secure (ICS), specifically CVE-2023-46805 and CVE-2024-21887. These vulnerabilities enabled the adversaries to bypass multi-factor authentication, thereby gaining an initial foothold in MITRE’s network. Once inside, they leveraged this access to move laterally across the network, exploiting compromised administrator accounts to escalate their privileges. The attackers then targeted the VMware infrastructure, deploying various backdoors and web shells, including BEEFLUSH, BRICKSTORM, and BUSHWALK. These tools allowed them to maintain persistent access, execute arbitrary commands, and communicate with command-and-control servers, effectively concealing their activities. This sophisticated attack underscores the critical importance of timely patching, robust access controls, and comprehensive monitoring to detect and mitigate such advanced threats.

Compromise and Lateral Movement

Upon gaining access, the attackers leveraged a compromised administrator account to control the VMware infrastructure. They deployed various backdoors and web shells, including:

• BEEFLUSH: BEEFLUSH is a JSP web shell deployed under the vCenter Server’s Tomcat server. It allows attackers to execute a Python-based tunneling tool, facilitating SSH connections between rogue VMs and the ESXi hypervisor infrastructure.
• BRICKSTORM: BRICKSTORM is a Golang-based backdoor installed within the rogue VMs. This backdoor enables persistent access and control, helping attackers maintain a foothold in the compromised environment.
• BUSHWALK: BUSHWALK is another web shell that permits arbitrary command execution. It also facilitates communication with command-and-control servers, allowing attackers to issue commands and receive data remotely.

Rogue Virtual Machines

The attackers infiltrated MITRE’s VMware environment by exploiting compromised vCenter Server access to create rogue virtual machines (VMs). They deployed BEEFLUSH, a JSP web shell, on the vCenter Server’s Tomcat server. This allowed them to execute a Python-based tunneling tool, which facilitated SSH connections between the rogue VMs and the ESXi hypervisor infrastructure. This technique enabled the attackers to bypass detection mechanisms and maintain persistent access while minimizing the risk of discovery. By leveraging compromised access and sophisticated tools, the adversaries effectively concealed their malicious activities from standard management interfaces, underscoring the necessity for advanced monitoring and security measures to detect and mitigate such threats in virtualized environments.

Detection Evasion Techniques

The rogue VMs operated outside standard management processes and did not adhere to established security policies, making them difficult to detect through the VMware GUI alone. The adversary used a default VMware account, VPXUSER, to make API calls that enumerated a list of mounted and unmounted drives, further obscuring their activities. This method allowed the attackers to maintain persistent access and avoid detection by centralized management interfaces like vCenter. As a result, their malicious activities went unnoticed, highlighting the need for specialized tools and techniques to identify and mitigate risks associated with rogue VMs effectively. By operating outside the standard management and security protocols, these rogue VMs posed a significant challenge to traditional detection methods, emphasizing the importance of robust security practices and regular audits in virtualized environments.

Countermeasures and Mitigation Strategies

MITRE recommended several countermeasures to detect and mitigate the risks associated with such advanced threats:

• Secure Boot: Enabling secure boot can prevent unauthorized modifications by verifying the integrity of the boot process.
• PowerShell Scripts: MITRE developed and made available two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to help identify and mitigate potential threats within the VMware environment.

Remediation Steps

1. Patch Vulnerabilities: Immediately apply the latest security patches for Ivanti Connect Secure (ICS) and any other software identified as vulnerable (CVE-2023-46805 and CVE-2024-21887). Regularly update all systems to mitigate exposure to known exploits.
2. Enhance Access Controls: Strengthen access controls by implementing strict policies for administrator accounts. Ensure the use of strong, unique passwords and enforce multi-factor authentication (MFA) for all privileged accounts.
3. Monitor for Rogue VMs: Utilize specialized tools and scripts such as MITRE’s Invoke-HiddenVMQuery and VirtualGHOST to scan for and identify any unauthorized or rogue VMs within your VMware environment. Regularly audit and monitor virtual infrastructure for anomalies.
4. Secure vCenter Server: Ensure that vCenter Server is properly secured. Limit access to vCenter to only those who absolutely need it, and monitor access logs for any unusual activity. Consider segmenting vCenter from the rest of the network to minimize the impact of a potential breach.
5. Enable Secure Boot: Enable secure boot on all relevant systems to ensure that the boot process is verified and that only trusted software is allowed to run. This can prevent unauthorized modifications and the execution of malicious code during startup.
6. Conduct Regular Security Audits: Perform regular security audits and penetration testing on your network and infrastructure. This can help identify vulnerabilities and weaknesses before they can be exploited by adversaries.
7. Implement Network Segmentation: Segment your network to limit the movement of attackers within your environment. By isolating critical systems and sensitive data, you can contain breaches and minimize the potential damage from an attack.
8. Educate and Train Staff: Provide ongoing cybersecurity training and awareness programs for all employees. Educate staff on recognizing phishing attempts, social engineering tactics, and the importance of following security protocols. Empowering employees with knowledge can be a crucial line of defense against cyber threats.