Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion

May 24, 2024, 2:25 p.m.

Description

This report details a cyber intrusion into MITRE's research network, NERVE (Networked Experimentation, Research, and Virtualization Environment), carried out by exploiting zero-day vulnerabilities in Ivanti Connect Secure. The threat actor, suspected to be UNC5221, used the Ivanti flaws to gain initial access and then deployed web shells and backdoors to maintain persistence. The report gives a chronological breakdown of the adversary's tactics, techniques, and procedures, including profiling the environment, manipulating virtual machines, deploying malicious payloads, and moving laterally across the network. It also describes the malware employed, including ROOTROT, WIREFIRE, BUSHWALK, BEEFLUSH, and BRICKSTORM, and underscores the importance of proactive security measures and collaboration in addressing sophisticated threats.

Date

Published: May 24, 2024, 1:52 p.m.

Created: May 24, 2024, 1:52 p.m.

Modified: May 24, 2024, 2:25 p.m.

Attack Patterns

BRICKSTORM

BUSHWALK - S1118

BEEFLUSH

WIREFIRE - S1115

ROOTROT

GIFTEDVISITOR

UNC5221

T1610 - Deploy Container

T1600 - Weaken Encryption

T1588 - Obtain Capabilities

T1556 - Modify Authentication Process

T1583 - Acquire Infrastructure

T1567 - Exfiltration Over Web Service

T1505 - Server Software Component

T1598 - Phishing for Information

T1574 - Hijack Execution Flow

T1518 - Software Discovery

T1595 - Active Scanning

T1592 - Gather Victim Host Information

T1190 - Exploit Public-Facing Application