China hackers used ROOTROT Webshell in MITRE’s network breach

May 7, 2024
1 min read



TLDR:

  • China-linked hackers used ROOTROT webshell in MITRE network intrusion
  • Attacker utilized Ivanti Connect Secure zero-day vulnerabilities to gain access to MITRE’s network

China-linked hackers targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) using two Ivanti Connect Secure zero-day vulnerabilities. The attack, which began in late December 2023, involved the deployment of a Perl-based web shell called ROOTROT for initial access. The hackers, identified as UNC5221, also used various other web shells such as BUSHWALK and WIREFIRE for covert communication and data exfiltration.

The threat actor established control over MITRE’s VMware infrastructure and maintained persistence by dropping a Golang backdoor named BRICKSTORM and a web shell called BEEFLUSH. Despite attempts at lateral movement and maintaining access within NERVE, the attackers were unsuccessful in moving into MITRE systems. The intrusion was discovered in January 2024, and further analysis revealed the extent of the attacker’s activities, including reconnaissance, data transmission, and exploitation of vulnerabilities.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and