MITRE has shared more details on the recently disclosed hack, including the new malware involved in the attack, attribution information, and a timeline of the attacker’s activities.
MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed on April 19 that hackers had targeted its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research, development, and prototyping.
The hackers gained initial access by chaining two Ivanti Connect Secure VPN zero-day vulnerabilities, tracked as CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection); used together, they give an unauthenticated remote attacker command execution on the appliance.
The zero-days were leveraged by a cyberespionage group linked to China — tracked by Mandiant as UNC5221 — in targeted attacks for weeks before their existence came to light and Ivanti released mitigations. The list of victims included the cybersecurity agency CISA, which said the incident could affect up to 100,000 individuals.
MITRE initially blamed the attack on a state-sponsored threat actor, but did not share further details. In a follow-up post, the organization clarified that the indicators of compromise (IoCs) observed during its investigation into the incident overlap with those attributed by Mandiant to UNC5221. Mandiant describes the group as a “China-nexus espionage threat actor”.
Initially, MITRE said the attack occurred in early January, but it has now revealed that the first evidence of intrusion dates to December 31, 2023. That is when the hackers exploited the Ivanti zero-days for initial access to the NERVE network.
On January 4, 2024, the hackers started profiling the environment, interacting with VMware vCenter and ESXi hosts.
“Subsequently, they successfully logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture,” MITRE said.
The next day, the adversary started manipulating virtual machines and established control over the compromised infrastructure.
In the following days, the threat actor deployed several malicious payloads, including a vCenter backdoor named BrickStorm and a previously unknown web shell that MITRE named BeeFlush.
On January 11, the day after the Ivanti zero-days came to light, the attacker deployed another web shell, named WireFire, and started preparing for data exfiltration. Data exfiltration occurred on January 19 and involved another web shell, named BushWalk.
Between mid-February and mid-March, the hackers maintained persistence in the NERVE environment and attempted lateral movement, but failed to pivot to other resources. MITRE only discovered the intrusion in April.
The organization, which is widely known for its ATT&CK knowledge base of adversary tactics and techniques, has made available technical details on each piece of malware involved in the attack, along with additional IoCs.
The Ivanti product vulnerabilities used in the MITRE hack have been widely exploited since their existence became publicly known, being leveraged to compromise hundreds of devices, including ones housed by government, telecoms, defense and tech organizations. Proper patches were only released in late January.
Related: Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz
Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor
Related: Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases