China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion

The MITRE Corporation has offered more details into the recently disclosed cyber attack, stating that the first evidence of the intrusion now dates back to December 31, 2023.

The attack, which came to light last month, singled out MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) through the exploitation of two Ivanti Connect Secure zero-day vulnerabilities tracked as CVE-2023–46805 and CVE-2024–21887, respectively.

“The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials,” MITRE said.

While the organization had previously disclosed that the attackers performed reconnaissance of its networks starting in January 2024, the latest technical deep dive puts the earliest signs of compromise in late December 2023, with the adversary dropping a Perl-based web shell called ROOTROT for initial access.

ROOTROT, per Google-owned Mandiant, is embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” and is the handiwork of a China-nexus cyber espionage cluster dubbed UNC5221, which is also linked to other web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Following the web shell deployment, the threat actor profiled the NERVE environment and established communication with multiple ESXi hosts, ultimately establishing control over MITRE’s VMware infrastructure and dropping a Golang backdoor called BRICKSTORM and a previously undocumented web shell referred to as BEEFLUSH.

“These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers,” MITRE researcher Lex Crumpton explained. “The adversary utilized techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems.”

Further analysis has determined that the threat actor also deployed another web shell known as WIREFIRE (aka GIFTEDVISITOR) a day after the public disclosure of the twin flaws on January 11, 2024, to facilitate covert communication and data exfiltration.

Besides using the BUSHWALK web shell for transmitting data from the NERVE network to command-and-control infrastructure on January 19, 2024, the adversary is said to have attempted lateral movement and maintained persistence within NERVE from February to mid-March.

“The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful,” Crumpton said.