MITRE Corporation Cyber Attack Exploits Ivanti Connect Secure Flaws

MITRE Corporation experienced a cyber attack exploiting zero-day flaws in Ivanti Connect Secure. Threat actor UNC5221 deployed various backdoors and web shells to maintain access, highlighting the importance of vigilance against cyber threats.

At a glance

  • MITRE Corporation was targeted in a cyber attack exploiting zero-day flaws in Ivanti Connect Secure (ICS).
  • Threat actor UNC5221 created rogue virtual machines within MITRE’s VMware environment using a JSP web shell and Python-based tunneling tool.
  • Various backdoors and web shells were deployed to retain access and harvest credentials.
  • MITRE is providing PowerShell scripts to help identify and mitigate threats in the VMware environment.
  • Ransomware attacks targeting VMware ESXi infrastructure have been increasing, emphasizing the need for monitoring, logging, backups, and network restrictions.

The details

MITRE Corporation fell victim to a cyber attack in late December 2023 in which the intruders exploited zero-day flaws in Ivanti Connect Secure (ICS). The threat actor, UNC5221, a China-nexus group tracked by Mandiant, created rogue virtual machines within MITRE’s VMware environment.

The attackers deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, aiming to maintain persistent access and bypass multi-factor authentication.

Various backdoors and web shells, including BRICKSTORM, BEEFLUSH, and BUSHWALK, were deployed to retain access and harvest credentials.

The adversary utilized a default VMware account, VPXUSER, to enumerate a list of drives and operate rogue VMs outside standard management processes.

MITRE is providing PowerShell scripts to help identify and mitigate threats in the VMware environment, stressing the importance of remaining vigilant against cyber threats.

Ransomware attacks targeting VMware ESXi infrastructure have increased, as virtualization platforms are a crucial component of organizational IT infrastructure.

Sygnia, a cybersecurity firm, highlighted the need for monitoring, logging, backups, authentication measures, hardening the environment, and network restrictions to mitigate risks.

A campaign distributing trojanized installers for WinSCP and PuTTY, dropping the Sliver post-exploitation toolkit and Cobalt Strike Beacon for ransomware deployment, has disproportionately affected IT teams.

New ransomware families like Beast, MorLock, Synapse, and Trinity have emerged. The MorLock group targets Russian companies and encrypts files without exfiltrating them.

Meanwhile, the pcTattletale spyware application website was defaced by a hacker who leaked over a dozen archives containing database and source code data.

The app, known as an “employee and child monitoring software,” was found leaking real-time screenshots from Android phones and capturing guest details and customer information from hotel check-in systems.

A security researcher discovered an API security vulnerability in pcTattletale that allowed access to screenshots made by the malware.

Despite attempts to contact the developers to address the flaw, the response was not immediate.

Microsoft tracks pcTattletale as a threat. The hacker claimed to have used a Python exploit to extract pcTattletale’s AWS credentials, underscoring the importance of promptly addressing security vulnerabilities.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– The cyber attack on MITRE Corporation in late December 2023 exploited zero-day flaws in Ivanti Connect Secure (ICS)
– Rogue virtual machines (VMs) were created within MITRE’s VMware environment by the threat actor
– A JSP web shell (BEEFLUSH) was deployed under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool
– The motive behind the attack was to avoid detection and maintain persistent access while reducing the risk of discovery
– The threat actor was identified as UNC5221, a China-nexus group tracked by Mandiant
– The attack involved exploiting ICS flaws CVE-2023-46805 and CVE-2024-21887
– The adversary bypassed multi-factor authentication and gained control of the VMware infrastructure
– Various backdoors and web shells were deployed to retain access and harvest credentials
– A Golang-based backdoor named BRICKSTORM and web shells BEEFLUSH and BUSHWALK were used by UNC5221
– A default VMware account, VPXUSER, was used to enumerate a list of drives
– Rogue VMs operate outside standard management processes, making them difficult to detect and manage
– Enabling secure boot can help prevent unauthorized modifications in the boot process
– MITRE is providing PowerShell scripts to help identify and mitigate threats in the VMware environment
– Organizations need to remain vigilant and adaptive in defending against cyber threats
thehackernews.com
– Ransomware attacks targeting VMware ESXi infrastructure follow an established pattern
– Virtualization platforms are a core component of organizational IT infrastructure
– Cybersecurity firm Sygnia shared findings on attacks on virtualization environments
– Attacks on virtualization environments adhere to a similar sequence of actions
– Recommendations to mitigate risks include monitoring, logging, backups, authentication measures, hardening the environment, and network restrictions
– Cybersecurity company Rapid7 warned of an ongoing campaign distributing trojanized installers for WinSCP and PuTTY
– Counterfeit installers drop the Sliver post-exploitation toolkit and Cobalt Strike Beacon for ransomware deployment
– The campaign disproportionately affects members of IT teams
– New ransomware families like Beast, MorLock, Synapse, and Trinity have emerged
– MorLock group targets Russian companies and encrypts files without exfiltrating them
– Global ransomware attacks in April 2024 registered a 15% decline from the previous month
– LockBit’s reign as the threat actor with the most victims ended in April 2024
– Play and Hunters were the most active threat groups in April 2024
– Cyber criminals are advertising hidden Virtual Network Computing (hVNC) and remote access services like Pandora and TMChecker
– TMChecker is used to check available compromised data for valid credentials to corporate VPN and email accounts
bleepingcomputer.com
– Hacker defaced pcTattletale spyware application website
– Leaked over a dozen archives containing database and source code data
– pcTattletale app was found leaking real-time screenshots from Android phones
– Described as an “employee and child monitoring software”
– Leaked guest details and customer information captured from hotels’ check-in systems
– API security vulnerability allowed access to screenshots made by the malware
– Security researcher Eric Daigle discovered the spyware in hotel systems
– Daigle found a vulnerability in pcTattletale’s API allowing access to screen captures
– Daigle’s attempts to contact developers to fix the flaw failed
– pcTattletale developer described the software as “Spy Software”
– Microsoft tracks pcTattletale as a threat
– Hacker defaced pcTattletale’s website and leaked 20 archives containing source code and data
– Hacker claims to have used a Python exploit to extract pcTattletale’s AWS credentials
– Response from pcTattletale developer Bryan Fleming was not immediately available
