Newly identified versions of the BrickStorm backdoor used in the MITRE hack in early 2024 are targeting Windows environments, cybersecurity firm Nviso warns.
To hack MITRE, a Chinese APT tracked as UNC5221 exploited two zero-day vulnerabilities in an Ivanti Connect Secure VPN as early as December 31, 2023, following up with fingerprinting on January 4, 2024, and lateral movement and malware deployment in the next few days.
The hackers deployed the Linux version of the BrickStorm backdoor on VMware vCenter hosts, along with the BeeFlush and WireFire web shells, and exfiltrated data two weeks later, using the BushWalk web shell. The intrusion was discovered in April 2024.
Read more:

MITRE Hackers' Backdoor Has Targeted Windows for Years
Windows versions of the BrickStorm backdoor that the Chinese APT used in the MITRE hack last year have been active for years.