{"id":190030,"date":"2024-05-24T23:22:51","date_gmt":"2024-05-25T04:22:51","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2024\/05\/hackers-created-rogue-vms-to-evade-detection-in-recent-mitre-cyber-attack"},"modified":"2024-05-24T23:22:51","modified_gmt":"2024-05-25T04:22:51","slug":"hackers-created-rogue-vms-to-evade-detection-in-recent-mitre-cyber-attack","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2024\/05\/hackers-created-rogue-vms-to-evade-detection-in-recent-mitre-cyber-attack","title":{"rendered":"Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/hackers-created-rogue-vms-to-evade-detection-in-recent-mitre-cyber-attack.jpg\"><\/a><\/p>\n<p>The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment.<\/p>\n<p>\u201cThe adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access,\u201d MITRE researchers Lex Crumpton and Charles Clancy <a href=\"https:\/\/medium.com\/mitre-engenuity\/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>\u201cThey wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server\u2019s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment. \u201cThe adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access,\u201d MITRE [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-190030","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/190030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=190030"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/190030\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=190030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=190030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=190030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}