
MITRE shares more details about the modus operandi of the attackers who compromised its network earlier this year. The main focus is on how the attackers remained undetected for so long.

MITRE has gathered more information about the hack on its network. The attackers remained undetected for months, and the analysis provides more insight into how the attackers worked to make this possible.

Rogue VMs

For example, it appears that rogue virtual machines (VMs) were set up. The VMs did not appear on administrators’ radars because the attackers created and managed them directly on the hypervisor. MITRE uses the vCenter management solution to manage VMs, but the hackers sidestepped it by using service accounts to create the VMs directly on the hypervisor, outside the vCenter inventory.

The original point of access turned out to be a compromised admin account. That was possible by exploiting two zero-day vulnerabilities in Ivanti Connect Secure, which allowed the hackers to bypass multifactor authentication. As a result, the attackers gained access to the VMware infrastructure. The created VMs also did not appear in the ESXi web interface, for the same reason the analysis gives for vCenter: they were created directly on the hypervisor rather than through the management layer. MITRE indicates that special tools and techniques are needed to discover rogue VMs.
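One way a defender can surface VMs of this kind is to compare what each ESXi host reports as registered against what vCenter knows. The script below is an added example, not code from MITRE's analysis or from this article; it assumes the column layout of `vim-cmd vmsvc/getallvms` as run in the ESXi shell, a vCenter inventory exported as a list of VM names, and constructed sample data for both.

```python
import re
from typing import Dict, List

# Matches one VM row of `vim-cmd vmsvc/getallvms` as run on an ESXi host.
# Assumption: VM names and .vmx paths contain no whitespace (true for the
# constructed sample below; real inventories with spaces need a wider parser).
VM_ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+\[(?P<datastore>\S+)\]\s+"
    r"(?P<vmx>\S+\.vmx)\s+(?P<guest>\S+)\s+(?P<hwver>vmx-\d+)"
)


def parse_getallvms(output: str) -> Dict[str, dict]:
    """Return {vm name: row fields} for every VM registered on the host."""
    vms = {}
    for line in output.splitlines():
        m = VM_ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            vms[m.group("name")] = m.groupdict()
    return vms


def find_rogue_vms(host_output: str, vcenter_names: List[str]) -> List[str]:
    """VMs registered directly on the hypervisor but unknown to vCenter.

    A non-empty result is the signal worth investigating: a VM that exists
    on the host yet never appeared in the management inventory."""
    known = set(vcenter_names)
    return sorted(name for name in parse_getallvms(host_output) if name not in known)


# Constructed sample output (not real data) of `vim-cmd vmsvc/getallvms`.
SAMPLE_HOST_OUTPUT = """\
Vmid   Name          File                                          Guest OS        Version   Annotation
1      web-prod-01   [datastore1] web-prod-01/web-prod-01.vmx      ubuntu64Guest   vmx-19
2      db-prod-01    [datastore1] db-prod-01/db-prod-01.vmx        rhel8_64Guest   vmx-19
7      staging-tmp   [datastore2] staging-tmp/staging-tmp.vmx      otherGuest64    vmx-14
"""
# Constructed vCenter inventory export for the same host.
SAMPLE_VCENTER_NAMES = ["web-prod-01", "db-prod-01"]

if __name__ == "__main__":
    for name in find_rogue_vms(SAMPLE_HOST_OUTPUT, SAMPLE_VCENTER_NAMES):
        print(f"ROGUE: {name} is registered on the host but absent from vCenter")
```

Running the same comparison per host on a schedule, and alerting on any new name in the difference, turns the one-off check into a detection.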

Chinese hackers

The organization has additionally officially determined that the hackers are of Chinese origin, which confirms earlier suspicions. The hackers were allegedly targeting the U.S. government, to which MITRE, as a not-for-profit organization, provides support in various areas.
