
MITRE shares lessons on VMware rogue VMs used in its own cyberattack

MITRE shared new lessons from its own cyberattack in a blog post Wednesday, describing how China state-sponsored threat actor UNC5221 used rogue virtual machines (VMs) to evade detection and establish persistence in its VMware environment.

MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) was compromised in January with the threat actors leveraging two Ivanti Connect Secure zero-days for initial access. The intrusion was discovered in April.

The latest blog post dives further into the tactics MITRE’s cyberattackers used to persist undetected in the organization’s VMware environment. The attackers, having already gained administrative access to the MITRE NERVE ESXi infrastructure, used the default service account VPXUSER to create several rogue VMs.

The rogue VMs remained hidden because they were created with VPXUSER directly on the ESXi hypervisor rather than through the vCenter administrative console, the blog post explained. VMs created this way do not appear in the vCenter inventory, so an administrator working from vCenter alone would never see them.

The attackers deployed a backdoor called BRICKSTORM within the rogue VMs, enabling communication with both the attacker’s command-and-control (C2) servers and administrative subnets within NERVE, MITRE said. They also deployed the JSP web shell BEEFLUSH under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool that created SSH connections between the rogue VMs and ESXi hypervisors.

How to detect rogue VMs in your VMware environment

The MITRE blog concluded with recommended methods for VMware users to detect and mitigate rogue VMs and other suspicious activity.

Users should monitor their environments for unusual SSH activity, such as unexpected “SSH login enabled” and “SSH session was opened” messages, the blog stated. Administrators can manually check for unregistered VMs on each ESXi host by running the commands “vim-cmd vmsvc/getallvms” (the registered inventory) and “esxcli vm process list | grep Display” (the VMs that actually have a running process) and comparing the two lists: a VM that is running but absent from the vim-cmd output is not registered with the host and warrants investigation.

The blog post also provided instructions for detecting manipulation of the file “/etc/rc.local.d/local.sh” that can indicate an attacker is attempting to establish persistence. Two scripts – Invoke-HiddenVMQuery by MITRE and VirtualGHOST by CrowdStrike – can also help automatically detect anomalies in VMware environments.
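As an added example (not MITRE’s, VMware’s or CrowdStrike’s tooling), the script below implements the two manual checks described above as POSIX shell functions: the rogue-VM comparison of registered versus running VMs, and a heuristic review of /etc/rc.local.d/local.sh. All command outputs embedded in it are constructed samples standing in for what the real commands would print on an ESXi host; on a live system you would feed the functions the output of the commands themselves. The VM names, datastore paths and the appended persistence line are invented for illustration.

```shell
#!/bin/sh
# Added example, not code from MITRE or VMware. Two offline checks that follow
# the detection methods in the MITRE blog. Sample outputs below are constructed.

# Constructed sample: registered inventory, as printed by `vim-cmd vmsvc/getallvms`.
SAMPLE_GETALLVMS='Vmid   Name        File                              Guest OS                Version   Annotation
1      web01       [datastore1] web01/web01.vmx      ubuntu64Guest           vmx-19
2      File Share  [datastore1] fs/fs.vmx            windows9Server64Guest   vmx-19'

# Constructed sample: running VM processes, as printed by `esxcli vm process list`.
# "svc-backup" has a running vmx process but no inventory entry: a rogue-VM candidate.
SAMPLE_ESXCLI='web01
   World ID: 2100123
   Process ID: 0
   VMX Cartel ID: 2100122
   UUID: 56 4d 01 02 03 04 05 06-07 08 09 0a 0b 0c 0d 0e
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
File Share
   World ID: 2100456
   Process ID: 0
   VMX Cartel ID: 2100455
   UUID: 56 4d 11 12 13 14 15 16-17 18 19 1a 1b 1c 1d 1e
   Display Name: File Share
   Config File: /vmfs/volumes/datastore1/fs/fs.vmx
svc-backup
   World ID: 2100789
   Process ID: 0
   VMX Cartel ID: 2100788
   UUID: 56 4d 21 22 23 24 25 26-27 28 29 2a 2b 2c 2d 2e
   Display Name: svc-backup
   Config File: /vmfs/volumes/datastore1/.hidden/svc-backup.vmx'

# find_unregistered_vms GETALLVMS_OUTPUT ESXCLI_OUTPUT
# Prints, one per line, the display names of VMs that have a running vmx
# process but no entry in the registered inventory.
find_unregistered_vms() {
    # The Name column is everything between the numeric Vmid and the
    # "[datastore] path" column, so display names containing spaces survive.
    registered=$(printf '%s\n' "$1" | awk 'NR > 1 && /^[0-9]+[[:space:]]/ {
        sub(/^[0-9]+[[:space:]]+/, ""); sub(/[[:space:]]+\[.*$/, ""); print }' | sort -u)
    running=$(printf '%s\n' "$2" | grep 'Display Name:' |
        sed 's/^.*Display Name:[[:space:]]*//' | sort -u)
    # Set difference with POSIX tools only (the ESXi busybox shell has no process
    # substitution): registered names are emitted twice and running names once, so
    # `uniq -u` keeps exactly the names that occur only in the running list.
    printf '%s\n' "$registered" "$registered" "$running" | grep -v '^$' | sort | uniq -u
}

# Constructed sample: a local.sh with one appended persistence line. The stock
# file shipped with ESXi contains only comments and a final "exit 0".
SAMPLE_LOCAL_SH='#!/bin/sh ++group=host/vim/vmvisor/boot

# local configuration options

# Note: This script will not be run when UEFI secure boot is enabled.

/bin/sh /vmfs/volumes/datastore1/.hidden/start.sh &
exit 0'

# check_local_sh LOCAL_SH_CONTENT
# Prints every line that is neither a comment, nor blank, nor the stock "exit 0".
# Any output means local.sh differs from stock and should be reviewed. This is a
# heuristic: legitimate administrator customisations are flagged as well.
check_local_sh() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }                          # comments and blank lines
        /^[[:space:]]*exit[[:space:]]+0[[:space:]]*$/ { next } # the stock terminator
        { print }'
}

echo "Running VMs missing from the registered inventory:"
find_unregistered_vms "$SAMPLE_GETALLVMS" "$SAMPLE_ESXCLI"
echo "Non-stock lines in /etc/rc.local.d/local.sh:"
check_local_sh "$SAMPLE_LOCAL_SH"
```

On a real host, replace the two samples with `"$(vim-cmd vmsvc/getallvms)"`, `"$(esxcli vm process list)"` and `"$(cat /etc/rc.local.d/local.sh)"`, and run the checks on every ESXi host rather than from vCenter, since a rogue VM created directly on the hypervisor is precisely what vCenter does not show.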

Lastly, MITRE and VMware’s Product Security Incident Response Team (PSIRT) say enabling secure boot is “the most effective countermeasure to thwart the persistence mechanism,” because ESXi does not execute /etc/rc.local.d/local.sh at all when UEFI secure boot is enabled, which removes the boot-time hook the attackers relied on.
