MITRE Engenuity’s deep-dive analyzes a nation-state intrusion into MITRE’s NERVE environment, detailing actor behavior, techniques, and novel persistence tools. The post links observed indicators to UNC5221 and reveals new web shells like BEEFLUSH and BRICKSTORM alongside a comprehensive attack timeline. #ROOTROT #UNC5221 #Ivanti #BRICKSTORM #BEEFLUSH #WIREFIRE #GIFTEDVISITOR #BUSHWALK #NERVE
Key points
- MITRE Engenuity connects observed activity to the China-nexus UNC5221 threat actor and notes novel indicators not previously reported by Mandiant.
- Initial access was achieved through Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) deploying the ROOTROT web shell on an exposed appliance.
- Adversaries profiled MITRE’s NERVE environment, logged into accounts via RDP, and harvested credentials to map the network and access shares.
- VM manipulation and infrastructure control included creating new VMs, using pyvmomi calls, and deploying BRICKSTORM and BEEFLUSH for persistence and C2.
- Data exfiltration occurred through the BUSHWALK web shell and Ivanti staging endpoints, with outbound traffic to external C2 infrastructure (e.g., 172.75.64[.]253).
- A mid-February to mid-March phase focused on lateral movement attempts and persistence within vCenter, with unsuccessful pivots but ongoing access attempts.
- The analysis presents detailed malware artifacts (ROOTROT, WIREFIRE/GIFTEDVISITOR, BUSHWALK, BRICKSTORM, BEEFLUSH) and their roles in reconnaissance, C2, and exfiltration.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The adversary deployed the ROOTROT web shell on an external-facing Ivanti appliance, gaining initial access to NERVE and exploiting zero-days for unauthorized access. ‘The adversary deployed the ROOTROT web shell … on an external-facing Ivanti appliance, gaining initial access to NERVE … leveraging multiple Ivanti Connect Secure zero-day vulnerabilities’
- [T1078] Valid Accounts – Hijacked administrator credentials were used to log into MITRE’s environment, enabling internal access and reconnaissance. ‘The adversary logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares’
- [T1021.001] Remote Services: Remote Desktop Protocol – RDP access facilitated internal movement after credential compromise. ‘logged into several accounts within the NERVE via RDP’
- [T1059.004] Unix Shell – Commands were executed from a Unix shell context, including /bin/sh usage during the intrusion. ‘exploited … including … /bin/sh commands from the /tmp directory’
- [T1059.006] Python – The adversary used Python for script execution, including uploading and running Python-based components. ‘The adversary uploaded a Python script, visits.py, that contained the WIREFIRE (aka GIFTEDVISITOR) web shell …’
- [T1505.003] Web Shell – Web shells (ROOTROT, BEEFLUSH, BRICKSTORM) provided persistence and covert command execution/C2. ‘BRICKSTORM backdoor and a web shell MITRE called BEEFLUSH. These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers.’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration occurred via C2 infrastructure and staging endpoints. ‘The adversary exfiltrated data from the NERVE using command-and-control infrastructure’
Indicators of Compromise
- [IP Address] 172.75.64[.]253 (defanged; literal form 172.75.64.253) – exfiltration activity to external C2; observed in traffic to the BUSHWALK/C2 infrastructure
- [URL/Endpoint] /dana-na/help/, /dana-na/jam/querymanifest.cgi – staging and data-exfiltration endpoints used on the Ivanti appliance
- [File/Directory] /mnt/cpt/tmpd, /bin/httpd – BRICKSTORM artifacts located in VM directories and their persistence paths
- [File/Directory] /home/venv3/lib/Python3.6/site-packages/cav-0.1-py3.6.egg – container for WIREFIRE/GIFTEDVISITOR web shell payloads
- [Malware] ROOTROT, WIREFIRE (GIFTEDVISITOR), BUSHWALK, BRICKSTORM, BEEFLUSH – web shells and backdoors identified and described in the analysis
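The indicator list above mixes a defanged IP (`172.75.64[.]253`) with literal URL paths and filesystem paths, which is exactly the shape a detection engineer receives from a threat-intel write-up. The following is an added example, not code from MITRE Engenuity's post: it refangs and validates the IP indicator, then sweeps a handful of constructed log lines (a web access log, firewall log, and audit log line) for the path and IP indicators listed above. The sample log lines are constructed for illustration; `/bin/httpd` is deliberately left out of the path list because that filename alone is too generic to match on without the `/mnt/cpt/tmpd` context (an editorial choice, not something the summary states).

```python
import ipaddress
import re

# Indicators copied from the summary above. The IP is kept in its
# defanged form so the normalization step below is exercised.
IOC_IPS_DEFANGED = ("172.75.64[.]253",)
IOC_PATHS = (
    "/dana-na/help/",
    "/dana-na/jam/querymanifest.cgi",
    "/mnt/cpt/tmpd",
    "/home/venv3/lib/Python3.6/site-packages/cav-0.1-py3.6.egg",
)

# Dotted-quad candidate with word boundaries so that 172.75.64.2530 does
# not produce a spurious match on its 172.75.64.253 prefix.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo common defanging conventions: '[.]' / '(.)' for dots, hxxp for http."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def refang_ip(ioc: str) -> str:
    """Refang an IP indicator and validate it; raises ValueError if not an IP."""
    return str(ipaddress.ip_address(refang(ioc)))


# Normalized, validated IP set used for matching.
IOC_IPS = frozenset(refang_ip(ip) for ip in IOC_IPS_DEFANGED)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line, in a stable order."""
    hits: list[tuple[str, str]] = []
    for candidate in IPV4_RE.findall(line):
        try:
            ip = str(ipaddress.ip_address(candidate))  # drops 999.1.1.1-style junk
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for path in IOC_PATHS:
        if path in line:
            hits.append(("path", path))
    return hits


def scan(lines: list[str]) -> list[tuple[int, str, list[tuple[str, str]]]]:
    """Scan numbered log lines and return only those with at least one hit."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((lineno, line, hits))
    return results


# Constructed sample logs (not real telemetry): lines 1, 2 and 5 should hit.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2024:03:14:07 +0000] "GET /dana-na/jam/querymanifest.cgi HTTP/1.1" 200 512',
    'fw: action=allow src=10.0.0.9 dst=172.75.64.253 dport=443',
    '10.0.0.7 - - [12/Jan/2024:03:15:22 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048',
    'fw: action=allow src=10.0.0.9 dst=172.75.64.2530 dport=443',
    'auditd: exe="/bin/httpd" cwd="/mnt/cpt/tmpd" uid=0',
]

if __name__ == "__main__":
    for lineno, line, hits in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {hits}\n    {line}")
```

Validating each dotted-quad with `ipaddress` rather than trusting the regex alone means malformed octets never reach the match step, and keeping the indicator set normalized at load time means the same matcher works whether the feed arrives defanged or literal.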