For Years, Windows Has Been the Target of MITRE Hackers' Backdoor
New versions of the BrickStorm backdoor, which played a role in a major hack on MITRE in early 2024, now target Windows systems according to cybersecurity firm Nviso.

The hack was carried out by a Chinese group known as UNC5221. They exploited two new vulnerabilities in an Ivanti Connect Secure VPN to infiltrate MITRE's systems, beginning on December 31, 2023. After scanning the systems on January 4, 2024, they proceeded with lateral movement and malware installation over the following days.
The attackers utilized the Linux version of BrickStorm on VMware vCenter hosts and deployed BeeFlush and WireFire web shells. Two weeks later, they extracted data using the BushWalk web shell, with the intrusion finally detected in April 2024.
Nviso’s recent report reveals that UNC5221 has been using Windows versions of BrickStorm against European organizations since at least 2022.
This stealthy backdoor allows hackers to search through and manipulate files and folders and to create network connections while evading detection. It uses DoH (DNS over HTTPS) to locate its command-and-control (C&C) servers.
Nviso identified two samples of BrickStorm for Windows, both written in Go. They persist through scheduled tasks. Rather than executing commands directly, the operators rely on the backdoor's network tunneling together with stolen credentials to reach other systems over Remote Desktop Protocol (RDP) and Server Message Block (SMB).
For file manipulation, the backdoor has an HTTP API for downloading, uploading, renaming, and deleting files. It also enables hackers to create, delete, and view folders and their contents.
The Windows versions support network tunneling with TCP, UDP, and ICMP. They have been placed on network-connected devices via stolen credentials.
The backdoor communicates with its C&C over a single encrypted connection that carries multiple tasks at once, multiplexed with HashiCorp's Yamux library.
It uses public cloud services such as Cloudflare Workers and Heroku applications to disguise its infrastructure. By resolving domain names through DoH providers such as Cloudflare, Google, NextDNS, and Quad9, it bypasses standard DNS monitoring, which only sees conventional port-53 traffic.
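Because the backdoor resolves its C&C through public DoH resolvers, the useful signal is outbound HTTPS to those resolver endpoints, not the port-53 DNS logs. As an added example (not code from Nviso or the original article), this Python detection runs over constructed firewall log lines; the DoH endpoint list and the source addresses are assumptions, and the endpoints are public resolver names, not indicators from the report:

```python
"""Spot hosts that resolve names over DNS-over-HTTPS (DoH), which
port-53 DNS monitoring never sees. Log lines below are constructed;
the endpoint list is an assumption (public resolver names/addresses)."""
from collections import defaultdict

# Public DoH endpoints of the four providers named in the article.
DOH_ENDPOINTS = {
    "cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1",
    "dns.google", "8.8.8.8", "8.8.4.4", "dns.nextdns.io",
    "dns.quad9.net", "9.9.9.9", "149.112.112.112",
}

# Constructed key=value firewall lines; 10.0.0.53 is the assumed internal
# resolver. 10.0.5.21 opens TLS sessions to two public DoH endpoints.
SAMPLE_LOG = """\
ts=2024-01-05T10:12:01Z src=10.0.5.10 dst=10.0.0.53 dport=53 proto=udp
ts=2024-01-05T10:12:02Z src=10.0.5.10 dst=93.184.216.34 dport=443 proto=tcp
ts=2024-01-05T10:12:03Z src=10.0.5.21 dst=dns.google dport=443 proto=tcp
ts=2024-01-05T10:12:04Z src=10.0.5.21 dst=1.1.1.1 dport=443 proto=tcp
ts=2024-01-05T10:12:05Z src=10.0.5.21 dst=1.1.1.1 dport=443 proto=tcp
ts=2024-01-05T10:12:06Z src=10.0.5.33 dst=8.8.8.8 dport=53 proto=udp
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_doh_clients(log_text):
    """Return {src: sorted DoH endpoints} for hosts talking DoH on 443.
    Plain port-53 queries to a public resolver (10.0.5.33 above) are not
    DoH: ordinary DNS monitoring already sees those and is left to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dport") == "443" and rec.get("dst") in DOH_ENDPOINTS:
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_doh_clients(SAMPLE_LOG).items():
        print(f"{src}: DoH to {', '.join(dsts)}")
```

Browsers and some endpoint agents use DoH legitimately, so a hit is a lead to baseline per host, not a verdict on its own.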
Nviso highlights that although BrickStorm's file management and network tunneling appear basic, they are very effective. These findings of long-used hacking techniques and ongoing infrastructure updates underline the need for exposed industries to strengthen their security measures and to check their systems continuously for unusual activity.