7 May 2024

MITRE hackers deployed Rootrot web shell for initial access

The MITRE Corporation has published additional technical details on the April cyber intrusion, where a suspected state-sponsored threat actor gained access to the organization’s Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

As MITRE CTO Charles Clancy and principal cybersecurity engineer Lex Crumpton explained at the time, the attackers exploited one of the organization’s Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) and bypassed multi-factor authentication using session hijacking.

The threat actor then moved laterally and accessed the network’s VMware infrastructure via a compromised administrator account. The attackers employed a combination of sophisticated backdoors and web shells to maintain persistence and harvest credentials.

In an update published over the weekend, Lex Crumpton said that the earliest signs of the intrusion date back to December 31, 2023, when the adversary deployed a web shell named “Rootrot” on an external-facing Ivanti appliance, thus gaining initial access to NERVE, a MITRE prototyping network.

The Rootrot web shell, according to cybersecurity firm Mandiant, has been attributed to a China-nexus cluster tracked as UNC5221. Rootrot is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887.

“By leveraging this access point, the adversary infiltrated the NERVE network, circumventing multi-factor authentication, and established a foothold for subsequent activities. The subsequent hijacking of sessions and utilization of RDP over HTML5 capabilities allowed the adversary to establish connections to systems within the NERVE,” Crumpton wrote.

The attackers then established communication with multiple ESXi hosts and logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture.

After hijacking the infrastructure, the hackers accessed virtual machines and deployed the Brickstorm backdoor and Beeflush web shell to establish persistent access, execute arbitrary commands, and communicate with command-and-control (C&C) servers.

Brickstorm is a Golang backdoor targeting VMware vCenter servers. The backdoor is able to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. It communicates over WebSockets to a hard-coded C2. MITRE said it found two versions on its compromised network.

Further analysis revealed that the adversary also deployed two other web shells called Wirefire (aka Giftedvisitor) and Bushwalk to facilitate covert communication and data exfiltration. Both web shells were previously spotted in a UNC5221 campaign reported in January 2024.
