MITRE shares lessons on VMware rogue VMs used in its own cyberattack

MITRE shared new lessons from its own cyberattack in a blog post Wednesday, describing how China state-sponsored threat actor UNC5221 used rogue virtual machines (VMs) to evade detection and establish persistence in its VMware environment.

MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) was compromised in January with the threat actors leveraging two Ivanti Connect Secure zero-days for initial access. The intrusion was discovered in April.

The latest blog post dives further into the tactics MITRE’s cyberattackers used to persist undetected in the organization’s VMware environment. The attackers, having already gained administrative access to the MITRE NERVE ESXi infrastructure, used the default service account VPXUSER to create several rogue VMs.

The rogue VMs remained hidden due to their creation via VPXUSER directly on the hypervisor instead of through the vCenter administrative console, the blog post explained. Accounts created this way do not appear in the vCenter inventory.

The attackers deployed a backdoor called BRICKSTORM within the rogue VMs, enabling communication with both the attacker’s command-and-control (C2) servers and administrative subnets within NERVE, MITRE said. They also deployed the JSP web shell BEEFLUSH under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool that created SSH connections between the rogue VMs and ESXi hypervisors.

How to detect rogue VMs in your VMware environment

The MITRE blog concluded with recommended methods for VMware users to detect and mitigate rogue VMs and other suspicious activity.

Users should monitor their environments for unusual SSH activity, such as unexpected “SSH login enabled” and “SSH session was opened” messages, the blog stated. Administrators can manually check for unregistered VMs by using the command lines “vim-cmd vmsvc/getallvms” and “esxcli vm process list | grep Display” and comparing the vim-cmd output with the VM list from esxcli.

The blog post also provided instructions for detecting manipulation of the file “/etc/rc.local.d/local.sh” that can indicate an attacker is attempting to establish persistence. Two scripts – Invoke-HiddenVMQuery by MITRE and VirtualGHOST by CrowdStrike – can also help automatically detect anomalies in VMware environments.

Lastly, MITRE and VMware’s Product Security Incident Response Team (PSIRT) say enabling secure boot is “the most effective countermeasure to thwart the persistence mechanism.”