China-linked hackers used a variety of backdoors and Web shells to compromise the MITRE Corporation late last year.
Last month, it was revealed that MITRE, widely known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, had been breached through Ivanti Connect Secure zero-day flaws. The hackers gained access to the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.
On May 3, MITRE disclosed further details regarding five distinct payloads used in an attack that spanned from New Year's Eve to mid-March.
The perpetrators infected MITRE's environment with the "Rootrot" web shell as a New Year's present in 2023. Rootrot is designed to implant itself in a legitimate Ivanti Connect Secure TCC file, allowing the attackers to conduct reconnaissance and lateral movement within the NERVE network.
The tool was created by the Chinese advanced persistent threat (APT) group UNC5221, which was also responsible for the first wave of alleged Ivanti-based attacks. Dark Reading had previously linked MITRE's intrusion to UNC5221, but retracted that detail at MITRE's request.
After gaining initial access and probing around, the attackers used their compromised Ivanti appliance to connect to and ultimately seize control of NERVE's virtual environment. They then infected several virtual machines (VMs) with multiple payloads.
The first was "Brickstorm," a Golang-based backdoor for VMware vCenter servers that appeared in two versions on MITRE's network. It can configure itself as a Web server, communicate with a command-and-control (C2) server, perform SOCKS relaying, execute shell commands, and upload and download files and manipulate file systems.
Following Brickstorm came the Wirefire (or Gifted Visitor) Web shell, a Python-based utility for uploading files and running arbitrary scripts. The attackers first installed it on their compromised Ivanti appliance on January 11, the day after the first batch of Ivanti vulnerabilities was made public.
MITRE later discovered that the attackers were using the Perl-based Web shell Bushwalk to carry out command-and-control operations. Notably, this was an entirely different variant from the Bushwalk that Mandiant had previously reported on.
The attack also included a previously undocumented Web shell called "Beeflush," which is renowned for its ability to read and encrypt web traffic data.
To conclude its blog post, MITRE emphasised the importance of the secure-by-design and zero-trust movements, as well as regular authentication policies and software bills of materials (SBOMs).