TLDR:
- China-linked hackers used ROOTROT webshell in MITRE network intrusion
- Attacker utilized Ivanti Connect Secure zero-day vulnerabilities to gain access to MITRE’s network
China-linked hackers targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) using two Ivanti Connect Secure zero-day vulnerabilities. The attack, which began in late December 2023, involved the deployment of a Perl-based web shell called ROOTROT for initial access. The hackers, identified as UNC5221, also used various other web shells such as BUSHWALK and WIREFIRE for covert communication and data exfiltration.
The threat actor established control over MITRE’s VMware infrastructure and maintained persistence by dropping a Golang backdoor named BRICKSTORM and a web shell called BEEFLUSH. Despite attempts at lateral movement and maintaining access within NERVE, the attackers were unsuccessful in moving into MITRE systems. The intrusion was discovered in January 2024, and further analysis revealed the extent of the attacker’s activities, including reconnaissance, data transmission, and exploitation of vulnerabilities.