27 May 2024

MITRE hackers created rogue VMs to evade detection


MITRE said it has concluded an internal investigation into the April 2024 incident, in which a China-linked threat actor breached its research collaboration network (NERVE) using two then-zero-day vulnerabilities in the Ivanti Connect Secure product.

The attackers exploited one of the organization’s Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) and bypassed multi-factor authentication using session hijacking.

The threat actor then moved laterally and accessed the network’s VMware infrastructure via a compromised administrator account. The attackers employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

The earliest signs of the intrusion date back to December 31, 2023, when the adversary deployed a web shell named “Rootrot” on an external-facing Ivanti appliance. The Rootrot web shell, according to cybersecurity firm Mandiant, has been attributed to a China-nexus cluster tracked as UNC5221.

After hijacking the infrastructure, the hackers accessed virtual machines and deployed the Brickstorm backdoor and Beeflush web shell to establish persistent access, execute arbitrary commands, and communicate with command-and-control (C&C) servers.

In the latest update to its technical blog detailing the adversary maneuvers within the network and the VMware infrastructure, MITRE said that the attackers set up their own rogue VMs within the VMware environment, using compromised vCenter Server access. The intruders deployed a JSP web shell (Beeflush) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between attacker-controlled VMs and the ESXi hypervisor infrastructure.

“By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery,” the blog post notes.

The threat actor evaded detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors. They used SFTP to upload files and then executed them with /bin/vmx. As a result, these rogue VMs were not detectable via vCenter, the ESXi web interface, or even certain on-hypervisor command-line utilities that query the API.

The rogue VMs contained the Brickstorm backdoor and persistence mechanisms and were configured with dual network interfaces, enabling communication with both the internet (including C&C infrastructure) and the core administrative subnets within the prototyping network.

“Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs,” the blog post said. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”
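One way to apply the point made above, that VMs started directly with /bin/vmx do not appear in vCenter or the API-backed inventory, is to compare what the hypervisor is actually running with what is registered. The script below is an added example, not MITRE's tooling or the article's own code; the two sample outputs are constructed approximations of `vim-cmd vmsvc/getallvms` (registered inventory) and `ps -c` (running processes) on an ESXi host, and real output formats should be checked before use.

```shell
#!/bin/sh
# Added example: report running VMX processes whose .vmx config is not in the
# hostd/vCenter-registered inventory. All sample data below is constructed.

# Constructed sample: `vim-cmd vmsvc/getallvms` lists registered VMs as "[datastore] dir/file.vmx"
REGISTERED_VMS='Vmid   Name     File                               Guest OS        Version
1      webapp   [datastore1] webapp/webapp.vmx     ubuntu64Guest   vmx-19
2      build    [datastore1] build/build.vmx       centos64Guest   vmx-19'

# Constructed sample: `ps -c | grep /bin/vmx` shows every VMX process and its config path,
# including one started outside the management plane (the .tmp/svc.vmx entry)
RUNNING_VMX='12345 12345 vmx  /bin/vmx -s sched.group=host/user -# name=webapp /vmfs/volumes/datastore1/webapp/webapp.vmx
12400 12400 vmx  /bin/vmx -s sched.group=host/user -# name=build /vmfs/volumes/datastore1/build/build.vmx
13001 13001 vmx  /bin/vmx -s sched.group=host/user -# name=svc-updater /vmfs/volumes/datastore1/.tmp/svc.vmx'

# Normalise inventory entries "[ds] dir/file.vmx" to absolute /vmfs/volumes/ds/dir/file.vmx paths
registered_vmx_paths() {
    printf '%s\n' "$REGISTERED_VMS" |
        sed -n 's/.*\[\([^]]*\)\] *\([^ ]*\.vmx\).*/\/vmfs\/volumes\/\1\/\2/p'
}

# Extract the absolute .vmx path from each running /bin/vmx command line
running_vmx_paths() {
    printf '%s\n' "$RUNNING_VMX" | grep '/bin/vmx' |
        sed -n 's/.*\(\/vmfs\/volumes\/[^ ]*\.vmx\).*/\1/p'
}

# Print every running .vmx path that has no matching registered inventory entry
find_unregistered_vms() {
    reg=$(registered_vmx_paths)
    for p in $(running_vmx_paths); do
        if ! printf '%s\n' "$reg" | grep -qxF "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Any path printed here is a VM the hypervisor runs but the management plane does not know about
find_unregistered_vms
```

On a live host the two sample variables would be replaced by the actual command output; a non-empty result is a lead to investigate, not proof of compromise, since a VM registered on a different host or mid-migration can also appear here.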
