Hidden VMs, Custom Malware: Lessons From The Stealthy MITRE Breach

Hackers Deploy Rogue VMs To Evade Detection In MITRE Attack

Published on June 3rd, 2024

A sophisticated cyber attack targeted MITRE Corporation in late 2023. The attackers exploited zero-day vulnerabilities, created hidden virtual machines, and deployed custom malware to gain persistent access and steal data. This highlights the need for robust defenses against evolving cyber threats.

This sophisticated cyberattack leveraged zero-day vulnerabilities and rogue VMs to establish persistent access within the MITRE Corporation’s network.

Abusing Virtualization: The Rise Of Rogue VMs

In a recent cyberattack targeting the MITRE Corporation, attackers exploited weaknesses in Ivanti Connect Secure (ICS) to gain access.

However, the intrusion went beyond the initial breach. To maintain a persistent presence and evade detection, the attackers created unauthorized virtual machines (VMs) within the compromised VMware environment.

These “rogue VMs” operate outside the standard management processes, bypassing security protocols and traditional visibility tools.

This makes them highly dangerous, allowing attackers to maintain a foothold within the network and conduct malicious activities undetected.

Unveiling The Attack Strategy

The attackers achieved their goals through a multi-step process:

  1. Exploiting Zero-Day Vulnerabilities: They leveraged two undisclosed vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure to breach the network.
  2. Gaining Privileged Access: Bypassing multi-factor authentication, they obtained a compromised administrator account, granting them control over the VMware infrastructure.
  3. Deploying Rogue VMs and Web Shells: Leveraging their privileged access, the attackers created rogue VMs within the VMware environment. To maintain communication channels, they deployed a JSP web shell (BEEFLUSH) and a Golang-based backdoor (BRICKSTORM) within the rogue VMs.
  4. Maintaining Persistence: The attackers employed various techniques to solidify their presence. This included using another web shell (BUSHWALK) for command execution and a default VMware account (VPXUSER) to gather information about mounted drives.

Combating Rogue VMs And Securing Your Environment

Mitigating the risks associated with rogue VMs requires a multi-pronged approach:

  • Enable Secure Boot: This feature verifies the integrity of the boot process, preventing unauthorized modifications and potentially stopping rogue VMs from launching.
  • Utilize Detection Tools: Standard security measures might not suffice. Specialized tools are needed to identify and eliminate rogue VMs effectively.
  • Maintain Vigilance: The ever-evolving threat landscape necessitates constant monitoring and adaptation of security strategies.

By implementing these measures, organizations can significantly reduce the risk of rogue VMs being deployed within their virtualized environments.


1. What are the advantages of using rogue VMs in cyberattacks?

A: Rogue VMs offer attackers several advantages:

  • Evasion of Detection: They bypass traditional security measures designed to monitor authorized VMs.
  • Persistence: Rogue VMs provide a foothold within the network, allowing attackers to maintain long-term access.
  • Lateral Movement: They can be used as a jumping-off point to move laterally across the network and compromise other systems.

2. How can organizations prevent rogue VMs?

AImplement strong access controls: Enforce multi-factor authentication and the principle of least privilege to limit access to critical systems.

  • Regularly monitor and audit virtual environments: Utilize security tools designed to detect unauthorized VMs.
  • Patch vulnerabilities promptly: Address software vulnerabilities in a timely manner to eliminate potential entry points for attackers.

3. What are some additional steps to take after a suspected rogue VM attack?

AIsolate compromised systems: Prevent the rogue VMs from spreading laterally and causing further damage.

  • Investigate the attack: Determine the scope of the breach and identify the attackers’ goals.
  • Remediate vulnerabilities: Patch exploited vulnerabilities and implement additional security measures to prevent future attacks.