MITRE Offers Initial Findings of the Cyberattack on Its NERVE Network
Delving into the cyber intrusion disclosed by MITRE on April 19, 2024, which impacted its Networked Experimentation, Research, and Virtualization Environment (NERVE), MITRE Engenuity has unveiled new insights. The intrusion, traced back to activity as early as December 31, 2023, involved the exploitation of two zero-day vulnerabilities in Ivanti Connect Secure: CVE-2023-46805, an authentication bypass vulnerability, and CVE-2024-21887, a command injection vulnerability. These vulnerabilities provided the attackers' initial access; from there they deployed several web shells and infiltrated MITRE's environment. The ongoing investigation has revealed potential links between the threat actor and UNC5221, a Chinese-aligned group identified by Mandiant on April 4, 2024. The activities of this threat actor coincide with the timeline of MITRE's intrusion, notably their use of the specified Ivanti zero-day vulnerabilities.
The cyberattack on MITRE's NERVE environment commenced with the deployment of the ROOTROT web shell on an externally-facing Ivanti appliance utilizing the two critical zero-day vulnerabilities in Ivanti Connect Secure software on December 31, 2023. This initial compromise with ROOTROT enabled sustained access into MITRE’s network, setting the stage for extensive exploitation and command execution within the NERVE network. From there, the attackers began profiling the environment by interacting with vCenter and accessing multiple ESXi hosts. By January 4, 2024, MITRE noted an escalation in their activities, observing that the attackers had "logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture."
From January 5 to January 19, 2024, the adversary manipulated VMs within MITRE's NERVE environment, enhancing their control over the compromised network. Leveraging compromised administrative credentials, the attackers adjusted VM settings and configurations, including attempts to enable SSH. They deployed various malicious tools: the BRICKSTORM backdoor, the BEEFLUSH web shell, and a Python script incorporating the WIREFIRE (also referred to as GIFTEDVISITOR) web shell, placed within the Ivanti appliance's Python environment to provide persistent access and arbitrary command execution. These tools were pivotal in allowing them to directly interact with the network's command-and-control servers and perform a series of actions aimed at further compromising the network. They manipulated VMware's management APIs to enumerate system drives and deploy additional VMs, adhering to local naming conventions to blend in with legitimate traffic and operations. MITRE reports that the VMware default account vpxuser, using the pyvmomi client for the VMware vSphere Management API, made seven API calls that enumerated a list of mounted and unmounted drives. This period also saw the creation and subsequent deletion of VMs, illustrating the attackers' attempt to maintain a low profile while expanding their footprint within the network.
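Two of the behaviours described above (the built-in vpxuser account driving the vSphere API from a pyvmomi client, and VMs created and then deleted shortly afterwards) are the kind of thing a defender can hunt for in vCenter event data. The following is an added example, not MITRE's code or part of its report; the event records are constructed, the field names are assumptions rather than a real vCenter export, and the set of trusted vCenter addresses is invented.

```python
# Added example (not MITRE's code): hunt over constructed vCenter event records for
# (1) VMs removed within a short window of their creation, and
# (2) the vpxuser account calling the vSphere API via pyvmomi from a host that is
#     not vCenter itself (vpxuser normally acts only from vCenter toward ESXi).
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not a real export format.
EVENTS = [
    {"time": "2024-01-06T02:10:00", "user": "vpxuser", "client": "pyvmomi Python/3.9",
     "source_ip": "198.51.100.7", "event": "ApiCall", "vm": None},
    {"time": "2024-01-06T02:10:05", "user": "vpxuser", "client": "pyvmomi Python/3.9",
     "source_ip": "198.51.100.7", "event": "ApiCall", "vm": None},
    {"time": "2024-01-06T02:12:00", "user": "vpxuser", "client": "VMware vim-java",
     "source_ip": "10.0.0.5", "event": "ApiCall", "vm": None},
    {"time": "2024-01-07T03:00:00", "user": "admin@vsphere.local", "client": "vSphere Web Client",
     "source_ip": "10.0.0.20", "event": "VmCreatedEvent", "vm": "nerve-db-07"},
    {"time": "2024-01-07T03:45:00", "user": "admin@vsphere.local", "client": "vSphere Web Client",
     "source_ip": "10.0.0.20", "event": "VmRemovedEvent", "vm": "nerve-db-07"},
    {"time": "2024-01-08T09:00:00", "user": "ops@vsphere.local", "client": "vSphere Web Client",
     "source_ip": "10.0.0.21", "event": "VmCreatedEvent", "vm": "nerve-build-12"},
]

# Assumed: the addresses vCenter itself uses when it authenticates to ESXi as vpxuser.
TRUSTED_VCENTER_IPS = {"10.0.0.5"}


def short_lived_vms(events, max_age=timedelta(hours=24)):
    """Return names of VMs that were removed within max_age of being created."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event"] == "VmCreatedEvent":
            created[e["vm"]] = t
        elif e["event"] == "VmRemovedEvent" and e["vm"] in created:
            if t - created[e["vm"]] <= max_age:
                hits.append(e["vm"])
    return hits


def suspicious_vpxuser_calls(events, trusted_ips=TRUSTED_VCENTER_IPS):
    """Flag vpxuser API activity from a scripted (pyvmomi) client outside vCenter."""
    return [e for e in events
            if e["user"] == "vpxuser"
            and e["source_ip"] not in trusted_ips
            and "pyvmomi" in e["client"].lower()]


if __name__ == "__main__":
    print("short-lived VMs:", short_lived_vms(EVENTS))
    print("suspicious vpxuser calls:", len(suspicious_vpxuser_calls(EVENTS)))
```

On the constructed data this reports one short-lived VM and two vpxuser calls from an untrusted address; in practice the thresholds and trusted-address set must be tuned to the environment's normal vCenter and automation traffic.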
Following the public disclosure of the Ivanti vulnerabilities in mid-January, the attackers prepared for data exfiltration by staging stolen data on the Ivanti help website, using encoded files to facilitate discreet data extraction. They continuously exploited web shells to execute commands and scripts, thereby advancing their control over the network. This phase culminated in the exfiltration of data by mid-January. From mid-February to mid-March, the attackers shifted their focus towards lateral movement attempts within the network to access other critical systems and potentially exfiltrate sensitive information. MITRE notes, "Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within vCenter."
MITRE's contributions to research and innovation have greatly benefited the cybersecurity community. Despite facing a significant security breach, the organization's transparency in sharing detailed insights about the intrusion offers invaluable lessons on the tactics and objectives of cyber adversaries. As MITRE continues to unravel the complexities of this breach, its findings are crucial in helping the community understand the sophisticated nature of state-aligned cyber espionage. This incident highlights the strategic use of zero-day vulnerabilities and meticulous execution by adversaries to compromise and maintain control within high-value networks.