Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
May 24, 2024, 2:25 p.m.
Description
This report details a sophisticated cyber intrusion targeting MITRE's research network (NERVE) through the exploitation of Ivanti Connect Secure zero-day vulnerabilities. The threat actor, suspected to be UNC5221, initiated the attack by gaining unauthorized access and then deploying various web shells and backdoors to maintain persistence. The report provides a chronological breakdown of the adversary's tactics, techniques, and procedures, including profiling the environment, manipulating virtual machines, deploying malicious payloads, and moving laterally across the network. It also offers insights into the malware employed, such as ROOTROT, WIREFIRE, BUSHWALK, BEEFLUSH, and BRICKSTORM. The report underscores the importance of proactive security measures and collaboration in addressing sophisticated cyber threats.
Tags
Date
- Created: May 24, 2024, 1:52 p.m.
- Published: May 24, 2024, 1:52 p.m.
- Modified: May 24, 2024, 2:25 p.m.
Indicators
- cvedev.morsag3ah.workers.dev
- log.morsag3ah.workers.de
- update.morsag3ah.workers.dev
- morsag3ah.workers.dev