Chinese Hackers Deployed Backdoor Quintet to Down MITRE

China-linked hackers deployed a roster of different backdoors and Web shells in the process of compromising the MITRE Corporation late last year.

Last month news broke that MITRE, best known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, was breached through Ivanti Connect Secure zero-day vulnerabilities. The hackers accessed its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE filled in some more details about five unique payloads deployed as part of an attack that lasted from New Year's Eve all the way through mid-March.

The Payloads used Against MITRE

As a present for New Year's 2023, MITRE's attackers infected it with the "Rootrot" web shell. Rootrot is designed to embed itself into a legitimate Ivanti Connect Secure TCC file, and it enabled them to perform reconnaissance and lateral movement within the NERVE environment.

The tool was designed by the Chinese advanced persistent threat (APT) UNC5221, the same group responsible for the initial wave of reported Ivanti-based attacks. Dark Reading previously attributed MITRE's breach to UNC5221, but retracted that detail at MITRE's request.

After gaining initial access and poking around a bit, the attackers used their compromised Ivanti appliance to connect with and then take control inside of NERVE's virtual environment. Then they infected a number of virtual machines (VMs) with a variety of payloads.

There was "Brickstorm," a Golang-based backdoor for VMWare vCenter servers which arrived in two versions on MITRE's network. It can set itself up as a Web server, communicate with a command-and-control (C2) server, perform SOCKS relaying, run shell commands, and upload from, download to, and manipulate file systems.

After Brickstorm came the Wirefire (aka Gifted Visitor) Web shell, a Python-based tool for uploading files and executing arbitrary commands. The attackers first uploaded it to their compromised Ivanti appliance on Jan. 11, the day after the first set of Ivanti vulnerabilities were publicly disclosed.

Later, MITRE observed the attackers performing command-and-control via the Perl-based Web shell, Bushwalk. Notably, though, this was a different variant than the Bushwalk reported on at the time by Mandiant.

There was also a previously undocumented Web shell used in the attack, "Beeflush," notable for how it reads and encrypts Web traffic data.

To conclude its blog post, MITRE highlighted the value of the secure by design and zero trust movements, as well as continuous authentication policies and software bills of material (SBOMs).

"Their own susceptibility to cyberattacks does not necessarily undermine their credibility or the value of the ATT&CK framework," emphasizes Callie Guenther, cyber threat research manager at Critical Start. "The very nature of cybersecurity involves an ongoing battle between threat actors and defenders, and even the most secured and knowledgeable organizations can fall victim to cyberattacks, especially when these involve zero-day vulnerabilities."

"The reality is this situation highlights the need for continued vigilance, improvement, and adaptation in cybersecurity measures, even among leading organizations," she says.