Exploiting VMware: Examining the MITRE NERVE Cyberattack and its Business Takeaways

If attackers can breach a global cybersecurity expert, is any company safe?

By Ben Lipczynski
Head of Security Services, Origina

In April 2024, MITRE, a nonprofit organization that operates federally funded research and development centers for various U.S. government agencies, disclosed an attack against its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, by a Chinese nation-state adversary.

Known for its extensive work in aviation, defense, healthcare, homeland security, and cybersecurity, MITRE is also famous for its ATT&CK framework, a free, globally accessible knowledge base of adversary tactics and techniques drawn from real-world intrusions.

How Did the MITRE Cyberattack Unfold?

To gain initial access, the attackers exploited two zero-day vulnerabilities in Ivanti Connect Secure, a remote-access VPN appliance: CVE-2023-46805, an authentication bypass (CVSS score 8.2), and CVE-2024-21887, a command injection flaw (CVSS score 9.1). Chained together, the two allow unauthenticated command execution on the appliance. The attackers then deployed the Rootrot web shell, which gave them a persistent backdoor onto the device.

Once on the appliance, the attackers hijacked authenticated user sessions, which let them bypass MITRE's multi-factor authentication, and used RDP over HTML5 to move laterally within MITRE's network. From the compromised Ivanti appliance they reached vCenter, interacted with multiple ESXi hosts, and used the stolen credentials to log into user accounts while mapping the network topology.

Exploiting VMware

The attackers then deployed malicious payloads, including the Brickstorm backdoor, described by Dark Reading as a "Golang-based backdoor for VMware vCenter servers," and the Beeflush web shell. Together these established persistent access, enabled command execution, and maintained communication with the attackers' command-and-control (C2) servers.

Using compromised administrative credentials, the attackers authenticated to MITRE's VMware infrastructure from an internal NERVE IP address, created new virtual machines, and logged into them. The Beeflush web shell, planted on the vCenter server, relayed internal communications and executed suspicious scripts on that server.

After Ivanti publicly disclosed the zero-day vulnerabilities, the attackers prepared for data exfiltration. They used the Ivanti help website as a staging area, uploaded a Python script containing the Wirefire web shell (a Python-based implant), and exfiltrated data through their hijacked C2 infrastructure.

The adversary maintained a presence for roughly two more months, continuing to attempt lateral movement within MITRE's systems; their attempts to pivot to other resources were unsuccessful.

What Does the MITRE Attack Mean for Businesses?

This incident is a reminder that any company, including one such as MITRE, can fall victim to a large-scale cyberattack. Advanced threat actors across the globe increasingly target corporate victims to steal secrets, gauge responses, and search for avenues of disruption. Skilled, motivated attackers are plentiful, and their capabilities are often available to the highest bidder.

Despite following best practices and keeping its systems up to date, MITRE did not detect the attackers' lateral movement into its VMware infrastructure in time to stop it. To improve detection and prevention of similar attacks, we recommend the following strategies:

  • Regularly update protective controls with known Indicators of Compromise (IOCs) and malicious IP addresses obtained through tailored threat intelligence.
  • Segment networks and maintain a baseline of normal behavior so that anomalies stand out.
  • Apply the Principle of Least Privilege and the Principle of Least Functionality, enforce multi-factor authentication on privileged accounts, and monitor every use of those accounts. Note that session hijacking, as used here, bypasses MFA once a user has authenticated, so MFA must be paired with session monitoring and short session lifetimes.
  • Conduct routine software security assessments to identify and mitigate vulnerabilities across the enterprise software estate, including network appliances such as VPN gateways.
  • Watch for anomalies such as logins at unusual times or administrative activity from unexpected source addresses, for example vCenter authentications from an internal IP that never normally administers the platform.
  • Verify the integrity of the boot process on hypervisor hosts (Secure Boot and measured boot where the hardware supports them), so that unauthorized modifications to the hypervisor or its modules are detected rather than silently persisted.
  • Compare the VM inventory registered with the host's management API (vim-cmd vmsvc/getallvms) against the VM processes actually running on the hypervisor (esxcli vm process list) to detect rogue virtual machines. A VM that is running but absent from the registered inventory is operating outside normal management controls and warrants immediate investigation.
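The rogue-VM check in the last bullet, written out as a POSIX shell script. This is an added example, not MITRE's or Origina's code. It assumes the output layouts that vim-cmd vmsvc/getallvms and esxcli vm process list produce on ESXi (a header row followed by a "File" column in the first, a "Config File:" line per VM in the second); column layouts can shift between releases, so confirm them against your own hosts. The sample outputs embedded below are constructed, and every VM name, datastore and world ID in them is made up.

```sh
#!/bin/sh
# Added example: find VMs that are running on an ESXi host but are not in the
# host's registered inventory. On a real host you would capture the two
# commands directly instead of using the constructed samples below:
#   vim-cmd vmsvc/getallvms  > /tmp/registered.txt
#   esxcli vm process list   > /tmp/running.txt

# Constructed sample of `vim-cmd vmsvc/getallvms` (hypothetical VMs).
REGISTERED_SAMPLE='Vmid   Name     File                               Guest OS         Version   Annotation
1      web01    [datastore1] web01/web01.vmx        ubuntu64Guest    vmx-19
2      db01     [datastore1] db01/db01.vmx          rhel8_64Guest    vmx-19'

# Constructed sample of `esxcli vm process list`. "svc-backup" is running
# from a dot-directory on the datastore and was never registered.
RUNNING_SAMPLE='web01
   World ID: 2099847
   Process ID: 0
   VMX Cartel ID: 2099846
   UUID: 56 4d 1c 00 00 00
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

db01
   World ID: 2100310
   Process ID: 0
   VMX Cartel ID: 2100309
   UUID: 56 4d 2a 00 00 00
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx

svc-backup
   World ID: 2104477
   Process ID: 0
   VMX Cartel ID: 2104476
   UUID: 56 4d 3f 00 00 00
   Display Name: svc-backup
   Config File: /vmfs/volumes/datastore1/.hidden/svc-backup.vmx'

# Print the .vmx basename of every registered VM, sorted and de-duplicated.
# The header row is skipped; the File column is "[datastore] dir/name.vmx",
# so the .vmx path is whichever whitespace-separated field ends in ".vmx".
registered_vmx() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /\.vmx$/) { n = split($i, p, "/"); print p[n] }
    }' | sort -u
}

# Print the .vmx basename from each "Config File:" line of the running list.
running_vmx() {
    printf '%s\n' "$1" | awk -F': ' '/^ *Config File:/ {
        n = split($2, p, "/"); print p[n]
    }' | sort -u
}

# Print every running VM whose .vmx has no registered counterpart.
# Arguments: $1 = getallvms output, $2 = esxcli vm process list output.
find_rogue_vms() {
    reg=$(registered_vmx "$1")
    running_vmx "$2" | while IFS= read -r vmx; do
        # -F fixed string, -x whole line, -q quiet: exact-name membership test
        printf '%s\n' "$reg" | grep -Fxq -- "$vmx" || printf '%s\n' "$vmx"
    done
}

# Stand-alone run against the constructed samples.
rogue=$(find_rogue_vms "$REGISTERED_SAMPLE" "$RUNNING_SAMPLE")
if [ -n "$rogue" ]; then
    printf 'Running but not registered (investigate):\n%s\n' "$rogue"
else
    echo 'No unregistered running VMs found.'
fi
```

Matching on the .vmx file rather than the display name avoids being fooled by a rogue VM that borrows the name of a legitimate one. Two caveats: the check only sees VMs that are powered on at the moment it runs, so schedule it and keep the results, and it is run on the hypervisor itself, so a sufficiently deep compromise of the host could tamper with the answer. Treat it as one signal alongside vCenter audit logs and off-host monitoring, not as proof of a clean host.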

The attack on MITRE underscores the need for continuous vigilance: monitoring, threat intelligence, and proactive hardening together, so that infrastructure stays protected against sophisticated adversaries even after initial access has been gained.
