China-Linked Hackers Target MITRE with ROOTROT Web Shell
Researchers at the MITRE Corporation have unveiled disturbing details of a cyberattack attributed to a Chinese state-sponsored hacking group. The attack, first detected in December 2023, exploited zero-day vulnerabilities in Ivanti Connect Secure to infiltrate MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE).
Web Shells and Backdoors: The Attackers’ Toolkit
The attackers leveraged a variety of sophisticated tools to gain and maintain access to the NERVE network. The initial foothold was gained through a compromised administrator account within MITRE’s VMware infrastructure. The attackers then deployed a Perl-based web shell, dubbed ROOTROT, which is linked to the China-based hacking group UNC5221. This web shell, concealed within a legitimate Ivanti file, provided initial access and persistence.
UNC5221 is no stranger to these tactics, known to utilize web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE in past campaigns.
The attackers’ arsenal extended further. They deployed BEEFLUSH, a previously unseen web shell, and BRICKSTORM, a Golang backdoor. These tools enabled remote command execution and communication with command-and-control (C2) servers.
Exploiting Zero-Days and Persistence Techniques
The attackers exploited two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) to infiltrate NERVE. They meticulously profiled the environment, establishing control of MITRE’s VMware infrastructure. Techniques like SSH manipulation and the execution of suspicious scripts solidified their persistent foothold. Just a day after the public disclosure of the Ivanti Connect Secure flaws, the attackers introduced the WIREFIRE web shell for clandestine communication and data exfiltration.
Defense Outmaneuvers Lateral Movement
Despite establishing a persistent presence within the NERVE network, attempts to spread laterally into other MITRE systems ultimately failed. This indicates robust defense mechanisms in place within the broader MITRE environment.