
Hackers Utilize Rogue Virtual Machines to Evade Detection in Latest MITRE Cyber Attack

The MITRE Corporation has revealed that the cyber attack against the non-profit in late December 2023, which exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS), also involved creating rogue virtual machines within its VMware environment.

“The attacker created rogue VMs within the VMware environment, using compromised vCenter Server access,” said MITRE researchers Lex Crumpton and Charles Clancy.

“They deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to run a Python-based tunneling tool, enabling SSH connections between the adversary-created VMs and the ESXi hypervisor infrastructure.”

The purpose of this tactic was to evade detection by hiding malicious activity from centralized management interfaces such as vCenter, and to maintain access while minimizing the risk of discovery.

Details of the attack were disclosed when MITRE revealed that the threat actor, tracked by Mandiant as UNC5221, breached its Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two ICS vulnerabilities, CVE-2023-46805 and CVE-2024-21887.

After bypassing multi-factor authentication and gaining initial access, the attacker moved laterally through the network, leveraging compromised administrative credentials to take control of the VMware infrastructure, where it deployed backdoors and web shells to maintain access and collect credentials.

This included a Golang-based backdoor named BRICKSTORM within the rogue VMs and two web shells known as BEEFLUSH and BUSHWALK for executing commands and communicating with command-and-control servers.

“The attacker also used a default VMware account, VPXUSER, to perform API calls that listed mounted and unmounted drives,” according to MITRE.

“Rogue VMs operate outside the standard management processes and security policies, making them challenging to detect and manage through GUI alone. Special tools or techniques are needed to effectively identify and mitigate the risks posed by rogue VMs.”

One effective countermeasure against stealthy attempts by threat actors to evade detection and maintain access is enabling secure boot, which prevents unauthorized modifications by verifying the boot process’s integrity.

MITRE is also providing two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to assist in identifying and mitigating potential threats within the VMware environment.
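The detection idea behind the quoted warning that rogue VMs cannot be found "through GUI alone" is to compare what each ESXi host itself reports as registered VMs with what vCenter's inventory shows, and to flag anything the host knows about that vCenter does not. The following is an added illustration of that cross-check, not MITRE's Invoke-HiddenVMQuery or VirtualGHOST and not their logic: it parses the text format of `vim-cmd vmsvc/getallvms` as run on a host, and the host output, the vCenter name list and the VM names are all constructed sample data. It assumes VM names contain no spaces, which the real `getallvms` column layout does not guarantee.

```python
"""
Cross-check ESXi host-side VM registrations against the vCenter inventory.

Added example (not MITRE's Invoke-HiddenVMQuery or VirtualGHOST). The
`vim-cmd vmsvc/getallvms` output, the vCenter inventory and every VM name
below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample output of `vim-cmd vmsvc/getallvms` captured on one ESXi
# host. The third VM lives in a dot-prefixed datastore folder and is not known
# to vCenter, which is the pattern this check is meant to surface.
ESXI_GETALLVMS = """\
Vmid   Name        File                              Guest OS           Version   Annotation
12     web01       [datastore1] web01/web01.vmx      ubuntu64Guest      vmx-19
15     db01        [datastore1] db01/db01.vmx        rhel8_64Guest      vmx-19
27     vmware-upd  [datastore2] .hidden/upd.vmx      otherLinux64Guest  vmx-17
"""

# Constructed: the VM names vCenter reports for the same host
# (e.g. from Get-VM -Location <host> in PowerCLI, or the vSphere API).
VCENTER_INVENTORY = {"web01", "db01"}

# One registered VM per line: Vmid, Name, "[datastore] path.vmx", Guest OS, Version.
# Assumption: names contain no whitespace (the real column can, in which case a
# fixed-width parse of the header offsets would be needed instead).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\[\S+\]\s+\S+\.vmx)\s+(\S+)\s+(vmx-\d+)")


@dataclass(frozen=True)
class HostVm:
    vmid: int
    name: str
    vmx_path: str
    guest_os: str


def parse_getallvms(text):
    """Parse `vim-cmd vmsvc/getallvms` text into HostVm records, skipping the header."""
    vms = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            vms.append(HostVm(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return vms


def suspicious_path(vmx_path):
    """True when the .vmx sits under a dot-prefixed (hidden) folder on the datastore."""
    folder_and_file = vmx_path.split("]", 1)[1].strip()
    folders = folder_and_file.split("/")[:-1]
    return any(part.startswith(".") for part in folders)


def find_rogue_vms(host_vms, vcenter_names):
    """Return (HostVm, reasons) for VMs the host knows about but vCenter does not,
    plus any VM registered from a hidden folder even if vCenter lists it."""
    findings = []
    for vm in host_vms:
        reasons = []
        if vm.name not in vcenter_names:
            reasons.append("registered on host but absent from vCenter inventory")
        if suspicious_path(vm.vmx_path):
            reasons.append("vmx stored in a dot-prefixed datastore folder")
        if reasons:
            findings.append((vm, reasons))
    return findings


if __name__ == "__main__":
    for vm, reasons in find_rogue_vms(parse_getallvms(ESXI_GETALLVMS), VCENTER_INVENTORY):
        print(f"vmid={vm.vmid} name={vm.name} path={vm.vmx_path}: " + "; ".join(reasons))
```

In practice the host-side list would be gathered per ESXi host (over SSH or the host API) and the vCenter side from PowerCLI or the vSphere SDK; the comparison itself is the same. A VM that has been unregistered from the host but still has files on the datastore would not appear in `getallvms` at all, so a datastore scan for stray `.vmx` files is a useful companion check.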

“As adversaries evolve their tactics and techniques, organizations must remain vigilant and adaptable in defending against cyber threats,” MITRE emphasized.
