May 27, 2024
Severity
High
Analysis Summary
According to information released by the MITRE Corporation, the threat actor behind the late-December 2023 intrusion into the non-profit, who gained entry by exploiting zero-day vulnerabilities in Ivanti Connect Secure (ICS), went on to use rogue virtual machines (VMs) inside MITRE's VMware environment.
With access to compromised vCenter Servers, the attacker created rogue VMs within the VMware environment. They deployed BEEFLUSH, a JSP web shell, under the vCenter Server's Tomcat server to run a Python-based tunneling tool that established SSH connections between the adversary-created VMs and the ESXi hypervisor infrastructure.
Because the rogue VMs were not visible in centralized management interfaces such as vCenter, the attacker could evade discovery and preserve persistent access. The attack's details surfaced last month when MITRE disclosed that UNC5221, a threat actor attributed to China and tracked by Google-owned Mandiant, had compromised its Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two ICS vulnerabilities, CVE-2023-46805 and CVE-2024-21887.
After bypassing multi-factor authentication and establishing a foothold, the attacker moved laterally through the network and used a compromised administrator account to take control of the VMware infrastructure. To maintain access and harvest credentials, the attacker deployed a variety of backdoors and web shells: two web shells, BEEFLUSH and BUSHWALK, and a Golang-based backdoor named BRICKSTORM implanted in the rogue VMs, which allowed UNC5221 to communicate with command-and-control servers and execute arbitrary commands.
The adversary also made seven API calls, using the default VMware account VPXUSER, to enumerate all mounted and unmounted drives. Because rogue VMs operate outside established security controls and normal administration processes, they are hard to identify and manage through the GUI alone; properly identifying and reducing the risk they pose requires specialized tools or procedures.
Enabling Secure Boot, which blocks unauthorized changes by verifying the integrity of the boot process, is an effective defense against the attacker's attempts to evade detection and maintain persistence. To help locate and reduce potential risks within the VMware environment, MITRE has released two PowerShell scripts, VirtualGHOST and Invoke-HiddenVMQuery. Organizations must remain alert and adaptable as adversaries continue to change their tactics and techniques.
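The core check behind hunting hidden VMs is a reconciliation: list the VMs each ESXi host actually has registered and compare that against what vCenter reports. The following is an added illustration (not MITRE's VirtualGHOST or Invoke-HiddenVMQuery scripts) that parses constructed `vim-cmd vmsvc/getallvms` output per host and flags VMs that vCenter does not know about, or places on a different host; the column layout assumed for that output is the one seen on recent ESXi releases.

```python
import re

# One VM row of `vim-cmd vmsvc/getallvms` output on an ESXi host (assumed layout:
# Vmid, Name, [datastore] path/to.vmx, Guest OS, Version, optional Annotation).
VM_ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+\[(?P<datastore>[^\]]+)\]\s+"
    r"(?P<vmx>\S+)\s+(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)

def parse_getallvms(output):
    """Return {vm_name: row fields} for every VM row; the header line is skipped."""
    vms = {}
    for line in output.splitlines():
        m = VM_ROW.match(line.strip())
        if m:
            vms[m["name"]] = m.groupdict()
    return vms

def find_hidden_vms(esxi_output_by_host, vcenter_inventory):
    """Return (host, vm_name, reason) for VMs the hypervisor knows but vCenter does not.

    A VM registered directly on a host (e.g. created over SSH, bypassing vCenter)
    never appears in the vCenter UI; that is the rogue-VM pattern described above."""
    findings = []
    for host, output in esxi_output_by_host.items():
        for name in parse_getallvms(output):
            if name not in vcenter_inventory:
                findings.append((host, name, "present on ESXi host, absent from vCenter inventory"))
            elif vcenter_inventory[name] != host:
                findings.append((host, name, f"vCenter places this VM on {vcenter_inventory[name]}"))
    return findings

# Constructed sample data, not real telemetry: per-host getallvms output ...
SAMPLE_ESXI = {
    "esxi-01": """Vmid   Name      File                          Guest OS        Version   Annotation
12     web01     [datastore1] web01/web01.vmx  ubuntu64Guest   vmx-19
13     db01      [datastore1] db01/db01.vmx    rhel8_64Guest   vmx-19
""",
    "esxi-02": """Vmid   Name      File                          Guest OS        Version   Annotation
7      app01     [datastore2] app01/app01.vmx  windows9Server64Guest vmx-19
9      svc-tmp   [datastore2] svc-tmp/svc-tmp.vmx  otherLinux64Guest vmx-19
""",
}
# ... and what vCenter reports: VM name -> host it is registered on (svc-tmp is missing).
SAMPLE_VCENTER = {"web01": "esxi-01", "db01": "esxi-01", "app01": "esxi-02"}

if __name__ == "__main__":
    for host, name, reason in find_hidden_vms(SAMPLE_ESXI, SAMPLE_VCENTER):
        print(f"[!] {host}: {name}: {reason}")
```

In practice the per-host output comes from SSH or the host API rather than a literal, and a hit should be triaged against the datastore path and the VM's creation time before it is treated as hostile.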
Impact
- Unauthorized Access
- Credential Theft
- Command Execution
Indicators of Compromise
IP
- 172.75.64.253
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.