China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion

MITRE Corporation has provided more details regarding the recently disclosed cyber attack on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE). This attack exploited two Ivanti Connect Secure zero-day vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887. Although MITRE initially observed only reconnaissance of and persistence in its networks starting in January 2024, new research shows that the earliest signs of compromise date to late December 2023.

After gaining initial access by deploying a Perl-based web shell called ROOTROT on an external-facing Ivanti appliance, the adversary employed a combination of backdoors and web shells to harvest victim credentials and maintain persistence in the research network. Cybersecurity firm Mandiant states that ROOTROT is embedded into a legitimate Connect Secure .ttc file located at "/data/runtime/tmp/tt/setcookie.thtml.ttc" and assesses with confidence that this is the handiwork of a China-nexus cyber espionage cluster dubbed UNC5221, which is also linked to other web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. The attacker performed reconnaissance in the NERVE environment, then established C2 communication with ESXi hosts. The nation-state actor then deployed a Golang backdoor to maintain persistent access and three web shells known as BEEFLUSH, WIREFIRE, and BUSHWALK. The adversary utilized BUSHWALK to transmit data out of the NERVE network to a C2 server.
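The detail worth acting on in the paragraph above is that ROOTROT was embedded in a file that is supposed to exist on the appliance, so an existence check would not have flagged it. The script below is an added example (not code from MITRE, Mandiant or Ivanti) of the check a defender would want instead: hash every file under a watched directory, compare against a trusted baseline manifest, and report in-place modifications separately from additions and removals. The directory contents and the "tamper" marker are constructed for the demonstration; in practice the baseline would be taken from a known-good appliance image and the function run against the page's `/data/runtime/tmp/tt` path.

```python
"""File-integrity drift check for an appliance template cache.

Added example, not MITRE's or Mandiant's code. The scenario in demo()
(two legitimate files, one later modified in place, one dropped) is
constructed; only the directory name /data/runtime/tmp/tt comes from
the page.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Path named on the page; used as the default root for a real run.
WATCHED_DIR = Path("/data/runtime/tmp/tt")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large caches do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify drift: modified in place (the ROOTROT case), added, removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def check_drift(baseline: dict, root: Path = WATCHED_DIR) -> dict:
    """What an operator runs: rebuild the manifest for root and diff it."""
    return diff_manifest(baseline, build_manifest(root))


def demo() -> dict:
    """Constructed scenario: baseline two files, then tamper with one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        legit = b"# compiled template: constructed legitimate content\n"
        (root / "setcookie.thtml.ttc").write_bytes(legit)
        (root / "login.thtml.ttc").write_bytes(legit)
        baseline = build_manifest(root)
        # A file that must exist is modified in place; existence checks miss this.
        (root / "setcookie.thtml.ttc").write_bytes(legit + b"# constructed tamper marker\n")
        # A file that was never in the baseline appears.
        (root / "extra.thtml.ttc").write_bytes(b"# constructed new file\n")
        return check_drift(baseline, root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The three buckets matter operationally: a "modified" hit on a file the vendor ships is the strongest signal here, because it cannot be explained by an admin simply uploading something new. Store the baseline manifest off the appliance, since an attacker with a web shell on the box can rewrite anything kept locally.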

“To make progress on these activities, MITRE Engenuity’s Center for Threat-Informed Defense will convene a summer series of research roundtables with its members to discuss these topics, and identify collaborative paths forward toward implementation and execution” (Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion, MITRE).

Security Officer Comments:
The nation-state actor made an unsuccessful attempt at lateral movement into more critical MITRE systems by executing a ping command against one of MITRE's corporate domain controllers, and maintained persistence in the network from February to mid-March. This attack underscores the difficulty of defending against the copious resources and ever-improving tools that nation-state adversaries can utilize to perform targeted and sophisticated cyberattacks. Nation-wide collaboration and regulation can be difficult in a freedom-focused country like the US, but it may be the most effective solution to better secure US organizations from foreign cyberattacks.

Suggested Corrections:
Associated IOCs are available in Appendix 1 of MITRE’s second blog post about this incident.

MITRE lists specific areas where US organizations need to collectively make progress in order to defend and deter determined nation-state threat actors:

  • Advance the National Cybersecurity Strategy and CISA’s Secure by Design philosophy to make software and hardware products more secure out of the box.
  • Operationalize Software Bill of Materials to improve software supply chain integrity and the speed with which we can respond to upstream software vulnerabilities in products.
  • Broadly deploy zero trust architectures with robust multi-factor authentication and micro-segmentation.
  • Expand multi-factor authentication beyond simply two-factor systems to include continuous authentication and remote attestation of endpoints.
  • Broaden industry adoption of adversary engagement as a routine tool for not only detecting compromise but also deterring adversaries.