
MITRE breach details reveal attackers’ successes and failures


MITRE has shared a timeline of the recent breach it fell victim to and has confirmed that it began earlier than previously thought: on December 31, 2023.


On that day, the attackers deployed a web shell on an external-facing Ivanti Connect Secure VPN appliance by exploiting CVE-2023-46805 and CVE-2024-21887, two zero-days whose existence became publicly known in early January, when patches were still unavailable.

Tools and techniques used to breach MITRE

The attackers leveraged the Ivanti zero-days to gain access to the organization’s research and prototyping network, from which they performed additional reconnaissance, moved into its VMware environment and exfiltrated data.

They used compromised administrative account credentials, web shells and backdoors to maintain persistent access and communicate with the command-and-control infrastructure, the organization’s principal cybersecurity engineer Lex Crumpton and CTO Charles Clancy shared.

Some of the web shells used have previously been documented by Volexity and Mandiant, and are believed to be wielded by a Chinese threat actor.

“UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023,” Mandiant analysts noted in early April.

(MITRE does not say that UNC5221 is behind the attack, only that “indicators observed during the incident overlap with those described in the Mandiant threat intelligence report on UNC5221.”)

One of the web shells (“BEEFLUSH”) used by the attackers has been spotted for the first time.

The exfiltration of compromised data began on January 19 and the attackers tried (and failed) to pivot to other resources outside the VMware environment throughout February and March.

MITRE has promised to share additional details on the adversary’s persistence techniques next week, when they will also provide tools for detection.



This article was first published here
