Hackers Developed Malicious VMs to Avoid Detection in Latest MITRE Cyber Attack -

Post Views: 98

Hackers Developed Malicious VMs to Avoid Detection in Latest MITRE Cyber Attack

MITRE Corporation has disclosed that the cyber attack that targeted the non-profit organization around the end of December 2023 by leveraging zero-day defects in Ivanti Connect Secure (ICS) involves the threat actor building malicious virtual machines (VMs) within its VMware infrastructure. This information was disclosed by MITRE Corporation.

According to researchers from MITRE named Lex Crumpton and Charles Clancy, “The attacker built their own malicious VMs within the VMware setting, exploiting compromised vCenter Server access.”

“They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to run a Python-based tunneling tool, enabling SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.”

This move is being made with the intention of evading discovery by concealing their harmful activities from centralized management interfaces such as vCenter. Additionally, the goal is to maintain permanent access while simultaneously lowering the likelihood of being discovered.

Last month, MITRE disclosed that the China-nexus threat actor, which was being tracked by Google-owned Mandiant under the name UNC5221, had penetrated its Networked Experimentation, Research, and Virtualization Environment (NERVE) by leveraging two vulnerabilities in the Industrial Control System (ICS) known as CVE-2023-46805 and CVE-2024-21887. This information gave rise to the details of the attack.

As soon as the adversary was able to circumvent multi-factor authentication and establish an initial foothold, they moved laterally across the network and utilized a compromised administrator account to gain control of the VMware infrastructure. They then deployed a variety of backdoors and web shells in order to maintain access and harvest credentials.

This was comprised of a Golang-based backdoor known as BRICKSTORM that was contained within the rogue virtual machines (VMs), as well as two web shells known as BEEFLUSH and BUSHWALK. These shells enabled UNC5221 to carry out arbitrary commands and connect with command-and-control servers.

“The attacker additionally utilized a default VMware account, VPXUSER, to make seven API calls that listed a list of mounted and unmounted drives,” according to MITRE researchers.

Through the use of the graphical user interface (GUI), it is difficult to identify and manage rogue virtual machines (VMs) since they operate outside of the conventional management processes and do not comply with the established security regulations. Instead, one needs to make use of specialized tools or methods in order to properly identify and manage the dangers that are connected with rogue virtual machines (VMs).

The use of a secure boot, which prohibits unwanted modifications by checking the integrity of the boot process, is an effective countermeasure that may be taken against the subtle efforts that threat actors make to avoid discovery and keep access.

The business also said that it will be making two PowerShell scripts, namely Invoke-HiddenVMQuery and VirtualGHOST, available to the public in order to assist in identifying and mitigating possible vulnerabilities that may be present within the VMware environment.

“As attackers keep improving their tactics and techniques, it is important that businessesstay vigilant and flexible in guarding against cyber threats,” according to MITRE researchers.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.

READ MORE ARTICLE HERE