Hackers Use Rogue VMs to Evade Detection in Recent MITRE Cyberattack

MITRE Corporation announced that a cyberattack on the nonprofit in late December 2023 exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) and then created rogue virtual machines (VMs) within its VMware environment. The threat actor, linked to China and tracked by Mandiant as UNC5221, used the ICS vulnerabilities to gain access to MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE). The attacker bypassed multi-factor authentication, gained control of the VMware infrastructure, and deployed backdoors and web shells: a Golang-based backdoor named BRICKSTORM and web shells named BEEFLUSH and BUSHWALK. The rogue VMs ran outside the standard management processes, which made them difficult to detect. MITRE recommends enabling Secure Boot and using PowerShell scripts to identify and mitigate such threats within the VMware environment, and advises organizations to remain vigilant and adaptable in defending against cyber threats.
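A detection check in the spirit of the PowerShell scripts mentioned above, written here as an added example (it is not MITRE's script or VMware's code): it lists the VMs each ESXi host is actually running and flags any that vCenter does not know about, and reports hosts that do not enforce Secure Boot. It assumes VMware PowerCLI is installed, that the account can read host configuration, and that the esxcli V2 property names (`DisplayName`, `ConfigFile`, `WorldID`, `RequireSecureBoot`) are as exposed by ESXi 7.0 or later.

```powershell
# Added example (not MITRE's script): flag VMs running on ESXi hosts that are absent
# from the vCenter inventory, and report whether each host requires Secure Boot.
# Assumes VMware PowerCLI and a read-only account on the vCenter server.
param(
    [Parameter(Mandatory)][string]$VCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# VM names vCenter knows about. A VM registered directly on a host (for example over SSH)
# never appears here, so anything running on a host but missing from this set is suspect.
$inventory = @{}
Get-VM | ForEach-Object { $inventory[$_.Name] = $true }

$findings = foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Running VM processes as the host itself sees them (equivalent to 'esxcli vm process list').
    # Name matching is a heuristic: a rogue VM that reuses an inventoried name would slip
    # through, so review the ConfigFile paths of all hosts as well.
    foreach ($proc in $esxcli.vm.process.list.Invoke()) {
        if (-not $inventory.ContainsKey($proc.DisplayName)) {
            [pscustomobject]@{
                Host       = $vmhost.Name
                VM         = $proc.DisplayName
                ConfigFile = $proc.ConfigFile
                WorldID    = $proc.WorldID
                Issue      = 'Running on host but not in vCenter inventory'
            }
        }
    }

    # Secure Boot enforcement state (assumption: ESXi 7.0+, property names as returned by esxcli V2).
    $enc = $esxcli.system.settings.encryption.get.Invoke()
    if ($enc.RequireSecureBoot -ne 'true') {
        [pscustomobject]@{
            Host = $vmhost.Name; VM = '-'; ConfigFile = '-'; WorldID = '-'
            Issue = 'Host does not require Secure Boot'
        }
    }
}

$findings | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it against each vCenter in turn; an empty table means every running VM is inventoried and every host enforces Secure Boot, while any row is a lead for incident response rather than proof of compromise on its own.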
