TLDR:
- MITRE Corporation disclosed that the intrusion into its network, which began in late December 2023, involved rogue virtual machines the attackers created inside its VMware environment.
- The attackers chained zero-day flaws in Ivanti Connect Secure, bypassed multi-factor authentication, and used the rogue VMs and web shells to evade detection and maintain persistent access.
The attack on the MITRE Corporation, which began in late December 2023, involved the intruders creating rogue virtual machines (VMs) within MITRE's VMware environment to evade detection. They first exploited zero-day flaws in Ivanti Connect Secure (ICS), bypassed multi-factor authentication, and gained access to MITRE's NERVE (Networked Experimentation, Research, and Virtualization Environment) network. From there they used compromised administrator accounts to take control of the VMware infrastructure, deploying backdoors and web shells to retain access and harvest credentials.
The point of the rogue VMs was concealment: VMs created directly on the ESXi hosts rather than through vCenter do not show up in vCenter's inventory, so an administrator relying on that centralized management view would not see them, and the risk of detection dropped accordingly. MITRE researchers Lex Crumpton and Charles Clancy reported that the attackers also deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server. They used it to run a Python-based tunneling tool that established SSH connections between the rogue VMs and the ESXi hypervisor infrastructure, giving them a command channel that bypassed the normal management path.
One countermeasure MITRE recommends is enabling Secure Boot on the ESXi hosts, which verifies the integrity of the boot chain and blocks persistence techniques that depend on loading unsigned or modified hypervisor components. Secure Boot does not, however, stop an attacker holding valid administrator credentials from creating VMs on a host, so MITRE is also providing PowerShell scripts that help identify and mitigate rogue VMs and related activity within VMware environments; a practical check is to reconcile what each ESXi host reports against what vCenter knows about. With adversaries continuing to evolve their tactics, organizations are urged to remain vigilant and adaptive in defending against cyber threats.
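The two detection ideas above (VMs that exist on a host but not in vCenter, and SSH sessions to the hypervisor from unexpected sources) can be expressed as a small reconciliation script. The example below is added here for illustration; it is not MITRE's PowerShell tooling and not code from the original report. It parses constructed sample output of the ESXi commands `vim-cmd vmsvc/getallvms` and `esxcli network ip connection list` (the column layout follows the real commands, but every VM name, path and address is invented), compares the host's VM list against a constructed stand-in for the vCenter inventory, and flags established SSH connections from outside a hypothetical management subnet.

```python
"""Reconcile an ESXi host's own view against vCenter to surface rogue VMs.

Added example, not MITRE's code. All sample data is constructed:
  - ESXI_GETALLVMS   : sample `vim-cmd vmsvc/getallvms` output from a host
  - VCENTER_VM_NAMES : stand-in for the vCenter inventory (PowerCLI Get-VM
                       or the vSphere API would supply this in practice)
  - ESXI_CONNECTIONS : sample `esxcli network ip connection list` output
  - MANAGEMENT_NET   : hypothetical subnet from which SSH to ESXi is expected
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample output; real column order is Vmid, Name, File, Guest OS, Version, Annotation.
ESXI_GETALLVMS = """\
Vmid   Name        File                               Guest OS                 Version   Annotation
1      web01       [datastore1] web01/web01.vmx       rhel8_64Guest            vmx-19
2      db01        [datastore1] db01/db01.vmx         windows2019srv_64Guest   vmx-19
7      svc-proxy   [datastore2] .cache/svc-proxy.vmx  otherLinux64Guest        vmx-19
"""

# Constructed vCenter inventory: the host above knows about a VM vCenter does not.
VCENTER_VM_NAMES = ["web01", "db01"]

# Constructed sample output of `esxcli network ip connection list`.
ESXI_CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address      Foreign Address      State        World ID  CC Algo  World Name
tcp    0       0       10.10.1.20:22      10.10.1.5:49152      ESTABLISHED  2100001   newreno  sshd
tcp    0       0       10.10.1.20:22      192.168.77.14:40312  ESTABLISHED  2100009   newreno  sshd
tcp    0       0       10.10.1.20:443     10.10.1.30:55001     ESTABLISHED  2100010   newreno  hostd-worker
tcp    0       0       0.0.0.0:22         0.0.0.0:0            LISTEN       2100000   newreno  sshd
"""

# Hypothetical management network (assumption for this example).
MANAGEMENT_NET = ipaddress.ip_network("10.10.1.0/24")

# The File column contains a space ("[datastore] path"), so a plain split() is not enough.
_VM_LINE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+(?P<file>\[[^\]]+\]\s+\S+)\s+"
    r"(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)


def parse_getallvms(output: str) -> Dict[str, dict]:
    """Map VM name -> {vmid, file, guest} from vim-cmd vmsvc/getallvms text."""
    vms: Dict[str, dict] = {}
    for line in output.splitlines():
        m = _VM_LINE.match(line.strip())
        if m:  # the header line and blank lines do not match
            vms[m["name"]] = {"vmid": int(m["vmid"]), "file": m["file"], "guest": m["guest"]}
    return vms


def find_unregistered_vms(esxi_vms: Dict[str, dict], vcenter_names: Iterable[str]) -> List[str]:
    """VMs the host reports but vCenter does not know: the rogue-VM signature."""
    known = set(vcenter_names)
    return sorted(name for name in esxi_vms if name not in known)


def find_unexpected_ssh(conn_output: str, mgmt_net: ipaddress.IPv4Network) -> List[str]:
    """Peers with ESTABLISHED sessions to the host's port 22 from outside mgmt_net."""
    suspicious: List[str] = []
    for line in conn_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED" or not local.endswith(":22"):
            continue
        peer_ip = ipaddress.ip_address(foreign.rsplit(":", 1)[0])
        if peer_ip not in mgmt_net:
            suspicious.append(str(peer_ip))
    return suspicious


if __name__ == "__main__":
    host_vms = parse_getallvms(ESXI_GETALLVMS)
    for name in find_unregistered_vms(host_vms, VCENTER_VM_NAMES):
        print(f"VM on host but absent from vCenter: {name} -> {host_vms[name]['file']}")
    for peer in find_unexpected_ssh(ESXI_CONNECTIONS, MANAGEMENT_NET):
        print(f"SSH session to ESXi from outside management network: {peer}")
```

Two caveats apply when running this for real. First, the host-side output must be collected over a channel you trust; an attacker with root on ESXi can tamper with what `vim-cmd` and `esxcli` report, which is why host integrity controls such as Secure Boot matter alongside detection. Second, the inventory diff only sees VMs registered on the host; VM files staged on a datastore but not yet registered require a separate datastore listing to catch.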