China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion
The MITRE Corporation has provided additional details about a cyber attack it recently disclosed, revealing that the intrusion began as early as December 31, 2023. The attack targeted MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two zero-day vulnerabilities in Ivanti Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887.
The attackers maneuvered within the research network using a compromised administrator account and deployed backdoors and web shells to maintain persistence and harvest credentials. The initial access was gained by dropping a Perl-based web shell called ROOTROT, embedded into a legitimate Connect Secure .ttc file.
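A web shell hidden inside a file that still carries a legitimate extension is a file-integrity problem before it is a network one. As an added example (not code from MITRE, Mandiant or Ivanti, and not the detection either of them used), the script below checks .ttc (TrueType Collection) files the way a defender auditing an appliance image might: it parses the collection header and every font's table directory, computes the last byte any declared table reaches, and flags files with undeclared data after that point, or with script-looking text in that tail. The TTC layout (the `ttcf` tag, font offsets, table records) is the public OpenType format; the Perl markers and the sample font bytes are constructed assumptions for this example, and a shell hidden inside a declared table would need a different check.

```python
"""Flag .ttc files that carry data beyond the font tables they declare (added example, not vendor code)."""
import os
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

TTC_MAGIC = b"ttcf"
# Assumed heuristic for this example: text that should never appear inside a font file.
SCRIPT_MARKERS = re.compile(
    rb"#!\s*/usr/bin/(?:env\s+)?perl|\buse\s+(?:strict|CGI)\b|\bsystem\s*\(|\beval\s*\("
)


@dataclass
class TtcFinding:
    path: str
    reason: str
    declared_end: int  # byte offset just past the last declared table
    file_size: int


def declared_extent(data: bytes) -> int:
    """Return the offset just past the last table any font in the collection declares.

    Raises ValueError when the bytes are not a well-formed TrueType Collection.
    """
    if len(data) < 12 or data[:4] != TTC_MAGIC:
        raise ValueError("missing ttcf header")
    num_fonts = struct.unpack_from(">I", data, 8)[0]
    if num_fonts == 0 or 12 + 4 * num_fonts > len(data):
        raise ValueError("bad font count")
    end = 12 + 4 * num_fonts
    for i in range(num_fonts):
        font_off = struct.unpack_from(">I", data, 12 + 4 * i)[0]
        if font_off + 12 > len(data):
            raise ValueError("font offset outside file")
        num_tables = struct.unpack_from(">H", data, font_off + 4)[0]
        rec = font_off + 12  # first 16-byte table record
        if rec + 16 * num_tables > len(data):
            raise ValueError("table directory outside file")
        end = max(end, rec + 16 * num_tables)
        for t in range(num_tables):
            _tag, _csum, off, length = struct.unpack_from(">4sIII", data, rec + 16 * t)
            if off + length > len(data):
                raise ValueError("table outside file")
            end = max(end, off + length)
    return end


def inspect_ttc(data: bytes, path: str = "<memory>") -> Optional[TtcFinding]:
    """Return a finding for a suspicious collection, or None when the file is clean."""
    try:
        end = declared_extent(data)
    except ValueError as exc:
        return TtcFinding(path, f"malformed collection: {exc}", 0, len(data))
    # Tables are 4-byte aligned, so up to three pad bytes after the last table are normal.
    trailing = data[(end + 3) & ~3:]
    if not trailing:
        return None
    if SCRIPT_MARKERS.search(trailing):
        return TtcFinding(path, "script text appended after font tables", end, len(data))
    return TtcFinding(path, f"{len(trailing)} undeclared trailing bytes", end, len(data))


def scan_directory(root: str) -> List[TtcFinding]:
    """Walk a tree (for example a mounted appliance image) and inspect every .ttc file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ttc"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    finding = inspect_ttc(fh.read(), path)
                if finding:
                    findings.append(finding)
    return findings


def build_sample_ttc() -> bytes:
    """Constructed minimal collection: one font, one 16-byte table placed right after its directory."""
    header = TTC_MAGIC + struct.pack(">HHI", 1, 0, 1)  # version 1.0, one font
    font_off = len(header) + 4  # the single font offset entry follows the header
    font_hdr = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # sfnt version, one table
    table_off = font_off + 12 + 16
    table_data = b"\x00" * 16
    table_rec = struct.pack(">4sIII", b"head", 0, table_off, len(table_data))
    return header + struct.pack(">I", font_off) + font_hdr + table_rec + table_data


if __name__ == "__main__":
    clean = build_sample_ttc()
    # Constructed tail: a Perl shebang and pragma only, no payload.
    tampered = clean + b"\n#!/usr/bin/perl\nuse strict;\n"
    print("clean   :", inspect_ttc(clean))
    print("tampered:", inspect_ttc(tampered))
```

Run `scan_directory("/mnt/appliance")` against a mounted image to get one `TtcFinding` per suspicious file; pairing the declared extent with the file size also gives a cheap baseline you can compare across known-good firmware builds, which catches appended data even when it contains no recognisable script text.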
The attack was attributed to a China-nexus cyber espionage cluster known as UNC5221, which has been linked to other web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. The threat actor profiled the NERVE environment, established communication with ESXi hosts, and gained control over MITRE's VMware infrastructure, deploying a Golang backdoor called BRICKSTORM and an undocumented web shell named BEEFLUSH.
Subsequent actions by the threat actor included deploying another web shell called WIREFIRE for covert communication and data exfiltration after the public disclosure of the vulnerabilities. The adversary attempted lateral movement within NERVE from February to mid-March but was unsuccessful in moving into MITRE systems beyond the research environment.
MITRE researcher Lex Crumpton explained that the adversary utilized techniques like SSH manipulation and execution of suspicious scripts to maintain control over compromised systems. The attack highlights the sophisticated tactics employed by cyber espionage groups and underscores the importance of robust cybersecurity measures to defend against such threats.
News source
https://thehackernews.com/2024/05/china-linked-hackers-used-rootrot.html