Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion


This is the second blog post in a series, sharing MITRE’s experiences detecting and responding to a nation-state cyber threat actor incident in our research and experimentation network, NERVE. It follows our April 19, 2024 posting, “Advanced Cyber Threats Impact Even the Most Prepared”.

In this post, we take a deep dive into the technical details of the intrusion, including the timeline and how you might detect this type of activity in your own environment. This post focuses on a thorough accounting of the threat actor’s tactics, techniques, and procedures.

In the ever-evolving landscape of cybersecurity, understanding the intricacies of a cyber intrusion is paramount for organizations seeking to fortify their defenses. This knowledge is the foundation of a threat-informed defense.

The indicators observed during the incident overlap with those described in the Mandiant threat intelligence report on UNC5221, a “China-nexus espionage threat actor”. In this blog post, we provide the associated Indicators of Compromise in Appendix 1 and a short section on malware analysis.

Additionally, our blog post includes novel aspects not previously reported in Mandiant or other threat intelligence, including:

  • Details on the BEEFLUSH web shell, which was not identified in prior reporting; and
  • Unique components of the BUSHWALK web shell seen in our incident.

Our next blog post is targeted for the week of May 12, 2024, and will include additional details on the adversary’s novel persistence techniques within our VMware infrastructure and provide tools for detection.

1 Recap from Part One

In our previous blog post, we shared the experience of facing a sophisticated cyber intrusion that targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) through two Ivanti Connect Secure zero-day vulnerabilities that bypassed our multi-factor authentication. The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials.

Table 1. Observed MITRE ATT&CK® techniques shared in our initial blog

2 Attack Scenario

The information described in this section represents adversary activities around which we have high confidence through our ongoing forensic investigation. As that investigation continues, we expect subsequent blog posts will share further detail.

UPDATE: In addition to the description below, we have also included an Attack Flow for a visual representation of the attack scenario.

2.1 December 31, 2023: First Evidence of Intrusion

The adversary deployed the ROOTROT web shell (as described by Mandiant) on an external-facing Ivanti appliance, gaining initial access to NERVE, a MITRE prototyping network. This early intrusion leveraged multiple Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for unauthorized access, before the initial disclosure of the vulnerabilities on January 10 and before patches were available. By leveraging this access point, the adversary infiltrated the NERVE network, circumventing multi-factor authentication, and established a foothold for subsequent activities. Subsequent session hijacking and use of RDP over HTML5 capabilities allowed the adversary to establish connections to systems within the NERVE.

Initial access is a crucial step in the cyber kill chain, allowing adversaries to infiltrate target networks. By exploiting zero-day vulnerabilities, adversaries can bypass security measures and gain early access, providing them with the opportunity to conduct discovery and lay the groundwork for further exploitation.

Table 2. Notable MITRE ATT&CK techniques

2.2 January 4, 2024: Adversary Profiles the Environment

The adversary profiled MITRE’s NERVE environment, interacting with vCenter from the compromised Ivanti appliance, establishing communication with multiple ESXi hosts. Subsequently, they successfully logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture.

Post-exploitation discovery is essential for adversaries to gather knowledge about the system, identify vulnerabilities, and plan subsequent actions. By profiling the environment and harvesting credentials, adversaries can understand the network’s layout and potential security weaknesses, enabling them to maximize the effectiveness of their attacks. This discovery activity, culminating in document exfiltration, aimed to map the network topology and identify high-value targets for future exploitation.

Table 3. Notable MITRE ATT&CK techniques

2.3 January 5, 2024: VM Manipulation and Infrastructure Control

The adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE. They attempted to enable SSH, attempted to destroy one of their own VMs, POSTed to /ui/list/export, and downloaded a file, demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.

Manipulating VMs and infrastructure allows adversaries to create backdoors, conceal their activities, and establish redundant communication channels. By cloning and destroying VMs, adversaries can evade detection and maintain access to critical systems.

Table 4. Notable MITRE ATT&CK techniques

2.4 January 7, 2024: Exploitation and Payload Deployment

The adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell that MITRE named BEEFLUSH. These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers. The adversary used techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems.

The VMware default account vpxuser, using the VMware vSphere management API through pyvmomi, made seven API calls that enumerated a list of mounted and unmounted drives. The adversary pivoted back to the admin account and created three new VMs, all conforming to the local naming convention, and successfully logged into them from an internal IP address. One of these VMs was deleted on the same day.

BRICKSTORM was found in VMs in the /mnt/cpt directory under the name tmpd and in the /bin directory under the name httpd (/mnt/cpt/tmpd and /bin/httpd). Both copies were given local persistence mechanisms: /mnt/cpt/tmpd was persisted via both /etc/rc.local and /etc/init.d/urandom_seed, while /bin/httpd was persisted via /etc/init.d/urandom_seed only. BRICKSTORM communicated with the C2 domains listed in Appendix 1.
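To triage a Linux guest for the two boot-time persistence hooks just described, here is an added example (not MITRE’s code) that scans the text of /etc/rc.local and /etc/init.d scripts for programs they launch and flags the patterns above. It assumes the script contents have already been collected from the host; the sample scripts, the allowlist of known services, and the suspicious-location prefixes are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Absolute paths appearing on a script line (a program or a file operand).
_PATH_RE = re.compile(r"(?<![\w.\-])(/[A-Za-z0-9_.\-/]+)")
# Locations from which a boot-time daemon should never be launched (assumption).
SUSPICIOUS_PREFIXES = ("/mnt/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Interpreters and redirection targets, not payloads (assumption: small allowlist).
_IGNORE = {"/bin/sh", "/bin/bash", "/dev/null"}


def _launched_paths(body: str) -> List[str]:
    """Absolute paths on non-comment lines, in order of first appearance."""
    found: List[str] = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skips shebang and LSB header lines
            continue
        for path in _PATH_RE.findall(line):
            if path not in _IGNORE and path not in found:
                found.append(path)
    return found


def scan_boot_scripts(scripts: Dict[str, str], known_services: Set[str]) -> List[dict]:
    """scripts maps a script's absolute path to its text.

    reason values:
      rc_local_exec     -- /etc/rc.local launches a program (it should only 'exit 0')
      unknown_service   -- an /etc/init.d script not in known_services launches a program
      suspicious_prefix -- the program lives under /mnt, /tmp, /var/tmp, /dev/shm or /home
    """
    findings: List[dict] = []
    for script, body in scripts.items():
        name = script.rsplit("/", 1)[-1]
        for p in _launched_paths(body):
            if script == "/etc/rc.local":
                findings.append({"script": script, "path": p, "reason": "rc_local_exec"})
            elif script.startswith("/etc/init.d/") and name not in known_services:
                findings.append({"script": script, "path": p, "reason": "unknown_service"})
            if p.startswith(SUSPICIOUS_PREFIXES):
                findings.append({"script": script, "path": p, "reason": "suspicious_prefix"})
    return findings


# Constructed sample scripts modelled on the persistence hooks described above.
SAMPLE_SCRIPTS = {
    "/etc/rc.local": "#!/bin/sh -e\n/mnt/cpt/tmpd >/dev/null 2>&1 &\nexit 0\n",
    "/etc/init.d/urandom_seed": (
        "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: urandom_seed\n### END INIT INFO\n"
        "case \"$1\" in\n  start) /bin/httpd >/dev/null 2>&1 & ;;\nesac\nexit 0\n"
    ),
    "/etc/init.d/ssh": (
        "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: sshd\n### END INIT INFO\n"
        "exec /usr/sbin/sshd -D\n"
    ),
}
KNOWN_SERVICES = {"ssh", "networking", "cron"}   # assumption: site-specific allowlist

if __name__ == "__main__":
    for f in scan_boot_scripts(SAMPLE_SCRIPTS, KNOWN_SERVICES):
        print(f"{f['reason']:18} {f['script']} -> {f['path']}")
```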

BEEFLUSH, located at /idm/..;/resources/css/defaultb.jsp, communicated with several internal IP addresses via POST requests. While in the vCenter server, the adversary executed suspicious Python scripts and /bin/sh commands from the /tmp directory.

Exploiting VMs and deploying payloads allows adversaries to maintain persistent access, exfiltrate data, and execute commands remotely. By uploading backdoors and web shells, adversaries can establish covert communication channels and evade detection by blending in with legitimate network traffic.

Table 5. Notable MITRE ATT&CK techniques

2.5 January 10, 2024: Vulnerability Disclosure and Response

The zero-day vulnerabilities were publicly disclosed via Ivanti Advisory.

As with many such public disclosures, this advisory prompted organizations to respond and patch affected systems. This event underscores the importance of timely vulnerability management and proactive security measures to mitigate the risk of exploitation by adversaries.

2.6 January 11, 2024: Exfiltration Preparation and Web Shell Deployment

According to an analysis of system memory, the adversary used the Ivanti help website as a staging area for data exfiltration. They made requests to /dana-na/help/ on the Ivanti appliance, where a base64-encoded logo.gif file was an exact copy of a log file on the system, which the adversary then exfiltrated.
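As an added example (not part of MITRE’s post), the check below tells a real GIF apart from a base64-encoded text file served under an image name, which is the staging pattern just described. The GIF header bytes, the fake log text and the PNG magic used as samples are constructed.

```python
import base64
import binascii
import re
from typing import Dict

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Whole body (whitespace removed) must be base64 alphabet with optional trailing padding.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/carriage return."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify_served_image(data: bytes) -> Dict[str, object]:
    """Classify bytes served under an image name such as logo.gif.

    verdict: 'gif'           -- begins with a GIF magic number
             'base64_text'   -- whole body is base64 that decodes to printable text
             'base64_binary' -- whole body is base64 that decodes to non-text
             'unknown'       -- neither (empty, not base64, or decode error)
    """
    if data.startswith(GIF_MAGIC):
        return {"verdict": "gif"}
    compact = re.sub(rb"\s+", b"", data)          # tolerate 76-column wrapping
    if not compact or len(compact) % 4 or not _B64_RE.match(compact):
        return {"verdict": "unknown"}
    try:
        decoded = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return {"verdict": "unknown"}
    ratio = _printable_ratio(decoded)
    return {
        "verdict": "base64_text" if ratio >= 0.95 else "base64_binary",
        "decoded_len": len(decoded),
        "preview": decoded[:60].decode("utf-8", errors="replace"),
    }


# Constructed samples: a minimal GIF header, a base64-wrapped fake log, and PNG magic.
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
FAKE_LOG = (b"2024-01-11 09:12:03 - [example] constructed log line 1\n"
            b"2024-01-11 09:12:09 - [example] constructed log line 2\n")
STAGED_LOGO = base64.encodebytes(FAKE_LOG)   # wrapped lines, like a staged file
NOT_GIF = b"\x89PNG\r\n\x1a\n"

if __name__ == "__main__":
    for name, blob in (("real.gif", REAL_GIF), ("logo.gif", STAGED_LOGO), ("x.gif", NOT_GIF)):
        print(name, classify_served_image(blob))
```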

The adversary uploaded a Python script, visits.py, containing the WIREFIRE (aka GIFTEDVISITOR) web shell to the Ivanti appliance, inside the /home/venv3/lib/Python3.6/site-packages/cav-0.1-py3.6.egg archive file.

The deployment of web shells facilitates covert communication and data exfiltration, enabling the adversary to steal valuable information.

Table 6. Notable MITRE ATT&CK techniques

2.7 January 12, 2024: New Published Advisories

New advisories were published by CISA and Mandiant.

2.8 January 19, 2024: Exfiltration of Compromised Data

The adversary exfiltrated data from the NERVE using command-and-control infrastructure. An external IP address, 172.75.64[.]253, made requests to the BUSHWALK web shell at /dana-na/jam/querymanifest.cgi.

Table 7. Notable MITRE ATT&CK techniques

2.9 Mid-February through Mid-March: Lateral Movement & File Access

From February to mid-March, the adversary attempted lateral movement and maintained persistence within the NERVE. Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within vCenter.

The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful.

Lateral movement and persistence enable adversaries to expand their foothold within target networks and escalate privileges to access critical resources. By persisting in their activities despite initial setbacks, adversaries can increase the likelihood of achieving their objectives over time.

3 Malware Analysis

For the previously mentioned web shells, the MD5, SHA1, and SHA256 hashes, and file sizes are provided below.

3.1 ROOTROT Web shell

Google-owned Mandiant stated, “ROOTROT Web shell is written in Perl and is embedded into a legitimate Connect Secure .ttc file.” It allowed the adversary to pass Base64-encoded commands via the web interface and have them parsed and executed with eval. This web shell on the Connect Secure appliance provided the reconnaissance and lateral movement components.

Table 8. ROOTROT metadata

3.2 WIREFIRE aka GIFTEDVISITOR

WIREFIRE is a web shell written in Python that supports uploading files to the compromised device and executing arbitrary commands. During the intrusion, the adversary used WIREFIRE to look for the “GIF” delimiter in the body of an HTTP request, read the request body, execute the command, and write the result to a pipe for base64 encoding, AES encryption, and zlib compression, with math magic and null padding.

Table 9. WIREFIRE metadata
Figure 1. WIREFIRE POST method

3.3 BUSHWALK Web Shell

BUSHWALK, also tied to UNC5221 according to Google-owned Mandiant, is written in Perl. It offered the ability to read and write files on the server. Of note, the version observed in MITRE’s intrusion differs from the one in the Mandiant report, with a different ValidateVersion subroutine and a new exportData subroutine.

Table 10. BUSHWALK metadata
Figure 2. BUSHWALK headers and getPlatform
Figure 3. BUSHWALK main method of the web shell
Figure 4. BUSHWALK reads files
Figure 5. BUSHWALK HTTP Request, Staging
Figure 6. BUSHWALK Version Validation

3.4 BEEFLUSH Web Shell

BEEFLUSH is a Java web shell that reads data from web traffic, specifically the Fushd parameter. It decodes the data and concatenates it with a standard output stream redirector for /bin/sh. Once the C2 command has executed, BEEFLUSH reads the input stream and base64 encodes the output before writing it back out.
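As an added example (not from MITRE’s post), the detector below runs over constructed access-log lines and flags requests to the BUSHWALK and BEEFLUSH paths named in sections 2.8 and 3.4. It normalizes the `..;` segment in the BEEFLUSH path, which Tomcat treats as a `;` path parameter followed by a parent-directory step, so `/idm/..;/resources/css/defaultb.jsp` resolves to `/resources/css/defaultb.jsp` and a prefix filter watching only `/idm/` would miss it; the IP addresses, timestamps and user agents are constructed.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" access-log format, as used by the constructed lines below.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Web shell paths named in this post, in normalized form (see normalize_path).
WEBSHELL_PATHS = {
    "/dana-na/jam/querymanifest.cgi": "BUSHWALK",
    "/resources/css/defaultb.jsp": "BEEFLUSH",
}


def normalize_path(raw: str) -> str:
    """Strip the query string and ';' path parameters, then resolve '.' and '..'.

    '/idm/..;/resources/css/defaultb.jsp' -> '/resources/css/defaultb.jsp'
    """
    out: List[str] = []
    for seg in raw.split("?", 1)[0].split("/"):
        seg = seg.split(";", 1)[0]          # drop ';jsessionid=...'-style parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def detect_webshell_requests(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per log line whose normalized path is a known web shell or uses '..;'."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        raw, norm = m.group("path"), normalize_path(m.group("path"))
        reasons = []
        if norm in WEBSHELL_PATHS:
            reasons.append("known_webshell_path:" + WEBSHELL_PATHS[norm])
        if "..;" in raw:
            reasons.append("path_parameter_traversal")
        if reasons:
            alerts.append({"ip": m.group("ip"), "method": m.group("method"),
                           "raw_path": raw, "normalized": norm,
                           "reasons": ",".join(reasons)})
    return alerts


# Constructed sample log (TEST-NET and RFC 1918 addresses); line 3 is benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2024:03:14:07 +0000] "POST /dana-na/jam/querymanifest.cgi HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.17 - - [07/Jan/2024:11:02:41 +0000] "POST /idm/..;/resources/css/defaultb.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '10.0.0.21 - - [07/Jan/2024:11:03:00 +0000] "GET /dana-na/help/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in detect_webshell_requests(SAMPLE_LOG):
        print(a)
```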

Table 11. BEEFLUSH metadata
Figure 9. BEEFLUSH JSP file

3.5 BRICKSTORM Backdoor

BRICKSTORM is a Golang backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. This backdoor communicates over WebSockets to a hard-coded C2. MITRE found two versions on our compromised network.

Table 14. BRICKSTORM metadata 1
Table 13. BRICKSTORM metadata 2

4 Call to Action

In our first blog post, we listed a number of specific areas where we need to collectively make progress in order to defend and deter determined nation-state threat actors:

  • Advance the National Cybersecurity Strategy and CISA’s Secure by Design philosophy to make software and hardware products more secure out of the box.
  • Operationalize Software Bill of Materials to improve software supply chain integrity and the speed with which we can respond to upstream software vulnerabilities in products.
  • Broadly deploy zero trust architectures with robust multi-factor authentication and micro-segmentation.
  • Expand multi-factor authentication beyond simply two-factor systems to include continuous authentication and remote attestation of endpoints.
  • Broaden industry adoption of adversary engagement as a routine tool for not only detecting compromise but also deterring them.

To make progress on these activities, MITRE Engenuity’s Center for Threat-Informed Defense will convene a summer series of research roundtables with its members to discuss these topics, and identify collaborative paths forward toward implementation and execution.

5 About the Center for Threat-Informed Defense

The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0114.

Original article first published by Lex Crumpton: Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion

Copyright notice: reposted by admin on May 9, 2024, 8:56 AM.