
MITRE breach linked to Chinese threat operation


The MITRE Corporation has disclosed that the Chinese cyberespionage operation UNC5221 was behind the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), which was facilitated by the exploitation of two Ivanti Connect Secure zero-day vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, The Hacker News reports.

Intrusions infiltrating MITRE's NERVE network commenced on New Year's Eve, with attackers leveraging the Ivanti zero-days to deploy the ROOTROT web shell, which eventually led to the compromise of the organization's VMware infrastructure and the distribution of the BRICKSTORM backdoor and BEEFLUSH web shell, according to a MITRE report.

The attackers then moved on to data exfiltration. Following the public disclosure of the Ivanti bugs on Jan. 11, they delivered the WIREFIRE (also known as GIFTEDADVISOR) web shell, and a week later they used the BUSHWALK web shell to transmit NERVE data to their command-and-control infrastructure, the report said. It added that lateral movement efforts were also conducted between February and mid-March.
