Hackers Exploit Ivanti Flaws to Create Rogue VMs in MITRE Network
MITRE Corporation reported a cyberattack on their nonprofit organization in late December 2023. The attackers exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) to create counterfeit VMware virtual machines.
The perpetrators accessed the vCenter server and created their virtual machines within the VMware environment. They embedded a JSP web shell (BEEFLUSH) on the vCenter Server Tomcat to deploy a Python-based tunneling tool, allowing them to establish SSH connections between the created virtual machines and the ESXi hypervisor infrastructure.
The attack aimed to conceal their activities from the centralized management interface (vCenter) and maintain persistent access, thereby minimizing the risk of detection. Details of the attack emerged in April, when MITRE determined that the Chinese group UNC5221 was behind the breach, infiltrating the NERVE research environment using two ICS vulnerabilities (CVE-2023-46805 and CVE-2024-21887).
After bypassing multi-factor authentication and gaining initial access, the attackers advanced through the network, using a compromised administrator account to control the VMware infrastructure. The hackers deployed multiple backdoors and web shells to maintain access and steal credentials. Among these were a Go-based backdoor codenamed BRICKSTORM and the web shells BEEFLUSH and BUSHWALK, which enabled the execution of arbitrary commands and communication with command servers.
The attackers also utilized a standard VMware account, VPXUSER, to perform seven API requests, enumerating the list of connected and disconnected disks.
Experts explain that counterfeit virtual machines operate outside standard management processes and do not adhere to established security policies, making them difficult to detect and challenging to manage through the graphical interface. Specialized tools or methods are required to identify and mitigate risks associated with such machines.
One effective countermeasure against covert attacker attempts is enabling secure boot, which prevents unauthorized modifications by verifying the integrity of the boot process. The company also provided two PowerShell scripts [1 and 2] to detect and address potential threats in the VMware environment.
