MITRE recently shared findings from its own cyberattack in a blog post, revealing how Chinese state-sponsored threat actor UNC5221 used rogue virtual machines (VMs) to avoid detection and establish a permanent presence in MITRE’s VMware environment. The attackers gained initial access using two zero-day attacks against Ivanti Connect Secure in January, with the attack being discovered in April.
The blog post details the tactics the attackers used to remain concealed within MITRE’s VMware environment. Already holding administrative access to MITRE’s NERVE ESXi infrastructure, the attackers used the default VPXUSER service account to create rogue VMs directly on the hypervisor, so the VMs never appeared in the vCenter management console. These rogue VMs hosted a backdoor called BRICKSTORM, which communicated with the attackers’ command-and-control (C2) servers and with administrative subnets inside NERVE. In addition, a JSP web shell called BEEFLUSH was installed under the vCenter Server’s Tomcat server to run a Python-based tunneling tool that created SSH connections between the rogue VMs and the ESXi hypervisors.
To detect and mitigate rogue VMs in your VMware environment, MITRE recommends monitoring for unusual SSH activity and manually checking for unregistered VMs with specific command-line queries on the hypervisor. Tampering with the /etc/rc.local.d/local.sh file can also indicate an attacker attempting to establish persistence. Scripts such as MITRE’s Invoke-HiddenVMQuery and CrowdStrike’s VirtualGHOST can automatically detect these anomalies in VMware environments. Furthermore, MITRE and VMware’s Product Security Incident Response Team (PSIRT) advocate enabling secure boot as the most effective countermeasure against this persistence mechanism.
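The two manual checks described above (finding VMs that run on a host but are not registered in its inventory, and spotting additions to /etc/rc.local.d/local.sh) can be scripted. The following POSIX shell script is an added example, not code from the article, from MITRE, or from the Invoke-HiddenVMQuery or VirtualGHOST projects. It assumes that on a real ESXi host the registered inventory comes from `vim-cmd vmsvc/getallvms` and the running VM worlds from `esxcli vm process list`; here the output of both commands, and the contents of local.sh, are constructed sample text so the script runs offline. The stock local.sh on ESXi contains only comments and a final `exit 0`, so any other line is flagged for review.

```shell
#!/bin/sh
# Added example: hunt for unregistered ("rogue") VMs and local.sh tampering.
# On a live ESXi host you would replace the sample text with:
#   REGISTERED_SAMPLE=$(vim-cmd vmsvc/getallvms)
#   RUNNING_SAMPLE=$(esxcli vm process list)
#   LOCAL_SH_SAMPLE=$(cat /etc/rc.local.d/local.sh)

# Constructed sample: `vim-cmd vmsvc/getallvms` (VMs registered in inventory)
REGISTERED_SAMPLE='Vmid   Name     File                          Guest OS         Version
1      web-01   [datastore1] web-01/web-01.vmx  centos8_64Guest  vmx-19
2      db-01    [datastore1] db-01/db-01.vmx    ubuntu64Guest    vmx-19'

# Constructed sample: `esxcli vm process list` (VM worlds actually running).
# ops-backup is running but was never registered in the inventory.
RUNNING_SAMPLE='web-01
   World ID: 2100123
   Display Name: web-01
   Config File: /vmfs/volumes/datastore1/web-01/web-01.vmx

db-01
   World ID: 2100456
   Display Name: db-01
   Config File: /vmfs/volumes/datastore1/db-01/db-01.vmx

ops-backup
   World ID: 2100789
   Display Name: ops-backup
   Config File: /vmfs/volumes/datastore1/.cache/ops-backup.vmx'

# Constructed sample: a local.sh with one line that is not in the stock file
LOCAL_SH_SAMPLE='#!/bin/sh
# local configuration options
# Note: modify at your own risk!
/bin/sh /vmfs/volumes/datastore1/.cache/start.sh &
exit 0'

# Names of registered VMs: skip the header row, take the Name column.
# (Assumes VM names contain no spaces; quote-aware parsing is left out.)
registered_names() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $2 }'
}

# Names of running VMs: one "Display Name:" field per running world.
running_names() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Display Name:[[:space:]]*//p'
}

# Running VMs that do not appear in the registered inventory.
find_unregistered_vms() {
  registered=$(registered_names "$REGISTERED_SAMPLE")
  running_names "$RUNNING_SAMPLE" | while IFS= read -r name; do
    printf '%s\n' "$registered" | grep -Fxq -- "$name" || printf '%s\n' "$name"
  done
}

# Lines in local.sh other than comments, blank lines and the trailing `exit 0`.
suspicious_local_sh_lines() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | grep -Fxv -- 'exit 0'
}

echo "Running VMs missing from inventory:"
find_unregistered_vms
echo "Unexpected lines in /etc/rc.local.d/local.sh:"
suspicious_local_sh_lines "$LOCAL_SH_SAMPLE"
```

Any VM reported by the first check should be treated as a finding until its origin is explained, and the config-file path from the process listing tells you where on the datastore to look. Secure boot, as the article notes, is the control that prevents a modified local.sh from taking effect in the first place.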
In conclusion, MITRE’s blog post sheds light on the sophisticated tactics employed by cyber attackers to evade detection and maintain a foothold in a target organization’s VMware environment. By understanding these tactics and implementing the recommended practices for detecting and containing rogue VMs, organizations can better safeguard their virtualized infrastructures against potential threats and intrusions.