Chinese Hackers Deployed Backdoor Quintet to Down MITRE

Published: 23/11/2024   Category: security




MITRE's hackers made use of at least five different Web shells and backdoors as part of their attack chain.



China-linked hackers deployed a roster of different backdoors and Web shells in the process of compromising the MITRE Corporation late last year.
Last month, news broke that MITRE, best known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, was breached through Ivanti Connect Secure zero-day vulnerabilities. The hackers accessed its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.
On May 3, MITRE filled in some more details about five unique payloads deployed as part of an attack that lasted from New Year's Eve all the way through mid-March.
As a present for New Year's 2023, MITRE's attackers infected it with the Rootrot Web shell. Rootrot is designed to embed itself into a legitimate Ivanti Connect Secure TCC file, and it enabled them to perform reconnaissance and lateral movement within the NERVE environment.
The tool was designed by the Chinese advanced persistent threat (APT) UNC5221, the same group responsible for the initial wave of reported Ivanti-based attacks. Dark Reading previously attributed MITRE's breach to UNC5221, but retracted that detail at MITRE's request.
After gaining initial access and poking around a bit, the attackers used their compromised Ivanti appliance to connect with and then take control inside of NERVE's virtual environment. Then they infected a number of virtual machines (VMs) with a variety of payloads.
There was Brickstorm, a Golang-based backdoor for VMware vCenter servers, which arrived in two versions on MITRE's network. It can set itself up as a Web server, communicate with a command-and-control (C2) server, perform SOCKS relaying, run shell commands, and upload, download, and manipulate files on the host's file system.
After Brickstorm came the Wirefire (aka Gifted Visitor) Web shell, a Python-based tool for uploading files and executing arbitrary commands. The attackers first uploaded it to their compromised Ivanti appliance on Jan. 11, the day after the first set of Ivanti vulnerabilities were publicly disclosed.
Later, MITRE observed the attackers performing command-and-control via the Perl-based Web shell Bushwalk. Notably, though, this was a different variant than the Bushwalk reported on at the time by Mandiant.
There was also a previously undocumented Web shell used in the attack, Beeflush, notable for how it reads and encrypts Web traffic data.
To conclude its blog post, MITRE highlighted the value of the secure-by-design and zero-trust movements, as well as continuous authentication policies and software bills of materials (SBOMs).
"Their own susceptibility to cyberattacks does not necessarily undermine their credibility or the value of the ATT&CK framework," emphasizes Callie Guenther, cyber threat research manager at Critical Start. "The very nature of cybersecurity involves an ongoing battle between threat actors and defenders, and even the most secured and knowledgeable organizations can fall victim to cyberattacks, especially when these involve zero-day vulnerabilities."
"The reality is this situation highlights the need for continued vigilance, improvement, and adaptation in cybersecurity measures, even among leading organizations," she says.
