MITRE Corporation reported a cyber attack on its non-profit organization that began at the end of December 2023. The attackers exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) and went on to create rogue virtual machines in the VMware environment.
The attackers breached the vCenter server and established their own virtual machines within VMware. By deploying the BEEFLUSH JSP web shell on the vCenter Tomcat server, they launched a Python tunneling tool that let them open SSH connections between the rogue virtual machines and the ESXi hypervisor infrastructure.
The primary objective was to evade detection and maintain persistent access by concealing their activity from the centralized management interface. The details surfaced in April, when MITRE disclosed a similar attack by the Chinese group UNC5221 on its NERVE research environment using the ICS vulnerabilities CVE-2023-46805 and CVE-2024-21887.
After getting past multifactor authentication and gaining initial access, the attackers moved through the network using compromised administrator accounts to manipulate the VMware infrastructure. They deployed several backdoors and web shells, including the Go-based BRICKSTORM backdoor and the BEEFLUSH and BUSHWALK web shells, to maintain access and steal sensitive data.
The attackers also used the standard VMware vpxuser account to make API calls that listed connected and disconnected disks. Experts note that rogue virtual machines operate outside established security controls, which makes them hard to detect and manage through the graphical management interface; specialized tools or methods are needed to identify and mitigate the risk they pose.
One effective countermeasure is to enable Secure Boot, which prevents unauthorized modifications and verifies the integrity of the boot process. MITRE also published two PowerShell scripts [1] and [2] to identify and remove potential threats in VMware.
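The detection gap described above (a VM registered directly on an ESXi host never shows up in vCenter's inventory) can be checked by diffing the host-level view against the vCenter view. The following is an added example, not MITRE's script; the `vim-cmd vmsvc/getallvms` output, the vCenter VM list and the datastore `.vmx` listing are all constructed sample data, and the `/vmfs/volumes/<datastore-name>/` paths assume the name-based symlinks rather than UUID paths.

```python
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` output from one ESXi host (not real data).
ESXI_GETALLVMS = """\
Vmid   Name        File                              Guest OS       Version   Annotation
1      web-01      [datastore1] web-01/web-01.vmx    otherGuest64   vmx-19
2      db-01       [datastore1] db-01/db-01.vmx      otherGuest64   vmx-19
7      svc-tmp     [datastore1] svc-tmp/svc-tmp.vmx  otherGuest64   vmx-19
"""

# Constructed: VM names vCenter reports for this host (e.g. exported via PowerCLI Get-VM).
VCENTER_VMS = {"web-01", "db-01"}

# Constructed: .vmx files found on the host's datastores (e.g. find /vmfs/volumes -name '*.vmx').
DATASTORE_VMX = [
    "/vmfs/volumes/datastore1/web-01/web-01.vmx",
    "/vmfs/volumes/datastore1/db-01/db-01.vmx",
    "/vmfs/volumes/datastore1/svc-tmp/svc-tmp.vmx",
    "/vmfs/volumes/datastore1/.hidden/stage.vmx",
]

# Vmid, Name (may contain spaces, hence lazy match), [datastore] relative/path.vmx
VM_LINE = re.compile(r"^(\d+)\s+(.+?)\s+\[([^\]]+)\]\s+(\S+\.vmx)")

def parse_getallvms(text):
    """Return {name: (vmid, datastore, relative vmx path)} for each VM line; header is skipped."""
    vms = {}
    for line in text.splitlines():
        m = VM_LINE.match(line)
        if m:
            vmid, name, ds, path = m.groups()
            vms[name] = (int(vmid), ds, path)
    return vms

def find_rogue_vms(esxi_output, vcenter_names):
    """VMs registered on the ESXi host that vCenter does not know about."""
    return sorted(set(parse_getallvms(esxi_output)) - set(vcenter_names))

def find_unregistered_vmx(esxi_output, vmx_paths):
    """.vmx files present on datastores but not registered with the host at all (staged/dormant VMs)."""
    registered = {f"/vmfs/volumes/{ds}/{path}" for _, ds, path in parse_getallvms(esxi_output).values()}
    return sorted(p for p in vmx_paths if p not in registered)

if __name__ == "__main__":
    print("Registered on host but missing from vCenter:", find_rogue_vms(ESXI_GETALLVMS, VCENTER_VMS))
    print("On datastore but not registered on host:", find_unregistered_vmx(ESXI_GETALLVMS, DATASTORE_VMX))
```

Run the two collection commands on each host over an audited channel and feed their output in; any name in the first list or path in the second warrants a closer look.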