Invisible Enemy in MITRE Networks: How Virtualization helps hide Hacking

Tomcat

The company described how cybercriminals from China are introducing ghost virtual machines.

MITRE Corporation reported a cyberattack on their non-profit organization in late December 2023. Attackers exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) to create fake VMware virtual machines.

Attackers gained access to the vCenter server and created their own virtual machines in the VMware environment. Hackers deployed a JSP web shell (BEEFLUSH) on the vCenter Server Tomcat server to run a Python-based tunneling tool, which allowed the cybercriminals to establish SSH connections between the created VMs and the ESXi hypervisor infrastructure.

The purpose of the attack was to hide their actions from the centralized management interface (vCenter) and maintain constant access, minimizing the risk of detection. Details of the attack emerged back in April, when MITRE determined that the Chinese group UNC5221 was behind the attack, which penetrated the NERVE research environment using two ICS vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

After bypassing multi-factor authentication and gaining initial access, the attackers advanced through the network, using a compromised administrator account to control the VMware infrastructure. Hackers deployed several backdoors and web shells to preserve access and steal credentials. Among them was a backdoor in the Go language codenamed BRICKSTORM, as well as the BEEFLUSH and BUSHWALK web shells, which allowed executing arbitrary commands and communicating with management servers.

The attackers also used a standard VMware account, VPXUSER, to perform seven API requests to list the connected and disconnected disks.

Experts explain that fake VMs operate outside of standard management processes and do not comply with established security policies, which makes them difficult to detect and difficult to manage through a graphical interface. Special tools or methods are needed to identify and eliminate the risks associated with such machines.

One of the most effective measures to counter covert attempts by attackers is to enable secure boot, which prevents unauthorized changes by checking the integrity of the boot process. The company also provided two PowerShell scripts [1 and 2] to identify and eliminate potential threats in the VMware environment.
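A defender-side reconciliation check in the spirit of the detection described above, added here as an example and not one of MITRE's own scripts: it assumes you have captured `vim-cmd vmsvc/getallvms` output from each ESXi host's shell and an exported vCenter VM inventory for the same host (both constructed inline below), and flags every VM the hypervisor has registered that vCenter does not know about.

```python
import re
from typing import Dict, List

# Constructed sample of `vim-cmd vmsvc/getallvms` output from one ESXi host
# (not real data). The host-level inventory lists every VM registered with
# the hypervisor, whether or not it was created through vCenter.
ESXI_GETALLVMS_OUTPUT = """\
Vmid   Name        File                               Guest OS       Version   Annotation
1      web-01      [datastore1] web-01/web-01.vmx     ubuntu64Guest  vmx-19
2      db-01       [datastore1] db-01/db-01.vmx       rhel8_64Guest  vmx-19    prod db
7      sys-mgmt    [datastore2] sys-mgmt/sys-mgmt.vmx otherGuest     vmx-14
"""

# Constructed vCenter inventory for the same host (e.g. exported from PowerCLI
# Get-VM). A VM created directly on the ESXi host never shows up here.
VCENTER_INVENTORY = ["web-01", "db-01"]

# One row: numeric id, name, "[datastore] path.vmx", guest id, hardware version.
ROW_RE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+(?P<vmx>\[[^\]]+\]\s*\S+)"
    r"\s+(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)


def parse_getallvms(text: str) -> List[Dict[str, str]]:
    """Parse the tabular vim-cmd output into one dict per registered VM."""
    vms = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header line and blank lines do not match
            vms.append(m.groupdict())
    return vms


def find_unmanaged_vms(host_output: str, vcenter_names: List[str]) -> List[Dict[str, str]]:
    """Return VMs registered on the host that vCenter's inventory does not list."""
    known = set(vcenter_names)
    return [vm for vm in parse_getallvms(host_output) if vm["name"] not in known]


if __name__ == "__main__":
    for vm in find_unmanaged_vms(ESXI_GETALLVMS_OUTPUT, VCENTER_INVENTORY):
        print(f"ALERT: VM '{vm['name']}' (id {vm['vmid']}) at {vm['vmx']} is not in vCenter")
```

Matching by VM name is a simplification chosen for brevity; keying on the .vmx datastore path or the instance UUID is more robust against a rogue VM that reuses a legitimate name.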