
Hackers Deploy Rogue VMs to Bypass Detection in MITRE Cyber Attack

The MITRE Corporation recently revealed that a sophisticated cyberattack targeted its network in December 2023, with the China-linked threat actor UNC5221 exploiting zero-day vulnerabilities in Ivanti Connect Secure (ICS) to infiltrate MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE). By exploiting CVE-2023-46805 and CVE-2024-21887, the adversary bypassed multi-factor authentication (MFA) and gained an initial foothold, from which they moved laterally across the network. One of the most concerning aspects of the attack was the creation of rogue virtual machines (VMs) within MITRE's VMware environment, which let the attackers persist undetected. To carry this out, the hackers compromised vCenter Server access and deployed the web shells BEEFLUSH and BUSHWALK, along with a Golang-based backdoor called BRICKSTORM, to maintain continuous access. These backdoors allowed the attackers to exfiltrate sensitive data and execute arbitrary commands while remaining hidden from standard network security tools. The hackers also used a default VMware account (VPXUSER) to make unauthorized API calls, further strengthening their foothold in the compromised infrastructure. Because the rogue VMs were managed outside centralized interfaces such as vCenter, UNC5221 made it significantly harder for security teams to detect and respond to the breach in a timely manner.

In response to this alarming incident, MITRE has implemented a series of security measures to help organizations identify and mitigate similar cyber threats. One of the most effective countermeasures recommended by MITRE is enabling Secure Boot, a security feature designed to validate the integrity of the boot process and prevent unauthorized modifications. Additionally, MITRE has developed and released two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, which help security teams detect rogue VMs operating outside of standard security policies. These scripts can be used to uncover unauthorized virtual machines that adversaries might deploy for persistent access. MITRE also emphasized the importance of strict access controls, enhanced monitoring of VMware environments, and regular security audits to detect potential breaches before they escalate. The attack underscores the growing trend of threat actors targeting virtualization infrastructure to maintain stealthy, long-term access to critical systems, making it imperative for organizations to strengthen defenses, monitor API activity, and restrict administrator privileges. As cyber threats evolve, companies must adopt a proactive security approach, ensuring that their virtualized environments are continuously monitored and secured against emerging threats. 
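The detection idea behind the scripts mentioned above is an inventory cross-check: a VM that an ESXi host reports locally but that vCenter does not list is a candidate rogue VM. The following is an added example of that check, written for this page; it is not MITRE's Invoke-HiddenVMQuery or VirtualGHOST and is not code from the article. All inputs are constructed sample strings: the per-host text approximates the layout of ESXi's `vim-cmd vmsvc/getallvms` output (the exact column spacing is an assumption), and the vCenter inventory is a hand-built name-to-host map standing in for an export from the management interface.

```python
"""Cross-check per-host VM lists against vCenter's inventory (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: what a vCenter inventory export lists (VM name -> host).
VCENTER_INVENTORY = {
    "web-01": "esxi-a.lab.example",
    "db-01": "esxi-a.lab.example",
    "jump-02": "esxi-b.lab.example",
}

# Constructed sample: per-host output in the style of `vim-cmd vmsvc/getallvms`.
# The VM on Vmid 7 is registered on the host only, under a dot-prefixed directory.
HOST_GETALLVMS = {
    "esxi-a.lab.example": """\
Vmid   Name      File                         Guest OS                 Version   Annotation
1      web-01    [ds1] web-01/web-01.vmx      ubuntu64Guest            vmx-19
2      db-01     [ds1] db-01/db-01.vmx        windows2019srv_64Guest   vmx-19
7      vmtools   [ds1] .hidden/vmtools.vmx    otherLinux64Guest        vmx-19
""",
    "esxi-b.lab.example": """\
Vmid   Name      File                         Guest OS                 Version   Annotation
3      jump-02   [ds2] jump-02/jump-02.vmx    windows9_64Guest         vmx-19
""",
}

# One data row: numeric Vmid, a name (may contain spaces), "[datastore] path.vmx",
# a guest id and a "vmx-NN" hardware version. The header line never matches.
GETALLVMS_ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+(?P<file>\[[^\]]+\]\s+\S+)"
    r"\s+(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)


@dataclass(frozen=True)
class HostVM:
    host: str
    vmid: int
    name: str
    vmx_path: str  # "[datastore] dir/file.vmx"
    guest: str


def parse_getallvms(host: str, text: str) -> list[HostVM]:
    """Parse getallvms-style rows for one host; header and unparseable lines are skipped."""
    vms = []
    for line in text.splitlines():
        m = GETALLVMS_ROW.match(line.strip())
        if not m:
            continue
        vms.append(HostVM(host, int(m["vmid"]), m["name"], m["file"], m["guest"]))
    return vms


def find_rogue_vms(vcenter: dict[str, str], host_outputs: dict[str, str]) -> list[HostVM]:
    """Return VMs that a host reports but vCenter does not place on that host.

    A VM is flagged when its name is absent from vCenter's inventory, or when
    vCenter records that name on a different host than the one reporting it
    (a known name reused for a VM registered directly on a host).
    """
    rogue = []
    for host, text in host_outputs.items():
        for vm in parse_getallvms(host, text):
            if vcenter.get(vm.name) != host:
                rogue.append(vm)
    return rogue


def suspicious_paths(vms: list[HostVM]) -> list[HostVM]:
    """Flag VMs whose .vmx lives in a dot-prefixed (hidden) datastore directory."""
    return [vm for vm in vms if re.search(r"\]\s+\.", vm.vmx_path)]


if __name__ == "__main__":
    for vm in find_rogue_vms(VCENTER_INVENTORY, HOST_GETALLVMS):
        print(f"ROGUE host={vm.host} vmid={vm.vmid} name={vm.name} vmx={vm.vmx_path}")
```

In practice the per-host text would be collected from each ESXi host directly (not through vCenter, since a VM hidden from vCenter is exactly what is being looked for), and the vCenter side would come from the management API or a PowerCLI export; the comparison logic is the same as above. Running the check on a schedule and alerting on any non-empty result turns it into a simple detection for the persistence technique described in the article.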

