{
	"id": "e35b0280-6950-4d3f-a917-46e09f6b7529",
	"created_at": "2026-04-06T00:16:11.616873Z",
	"updated_at": "2026-04-10T03:24:34.027676Z",
	"deleted_at": null,
	"sha1_hash": "87960492f9cdf510cbb18cfe0b512f3a4ef6d4f6",
	"title": "Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3121852,
	"plain_text": "Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion\r\nBy Lex Crumpton\r\nPublished: 2024-05-09 · Archived: 2026-04-05 22:23:08 UTC\r\nMay 3, 2024\r\nWritten by Lex Crumpton and Charles Clancy.\r\nhttps://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3\r\nImage Credit: GPT4 / Dall-E 3\r\nThis is the second blog post in a series sharing MITRE’s experiences detecting and responding to a nation-state cyber threat actor incident in our research and experimentation network, NERVE. It follows our April 19, 2024 posting, “Advanced Cyber Threats Impact Even the Most Prepared”.\r\nIn this post, we take a deep dive into the technical details of the intrusion, including the timeline and how to detect this type of activity in your own environment. This blog focuses on a thorough accounting of the threat actor’s tactics, techniques, and procedures.\r\nUnderstanding the intricacies of a cyber intrusion is essential for organizations seeking to fortify their defenses, and this knowledge is the foundation of a threat-informed defense.\r\nThe indicators observed during the incident overlap with those described in the Mandiant threat intelligence report on UNC5221, a “China-nexus espionage threat actor”. 
In this blog post, we have provided the associated Indicators of Compromise in Appendix 1 and a short malware analysis.\r\nAdditionally, our blog post includes novel aspects not previously reported in Mandiant or other threat intelligence, including:\r\nDetails on the BEEFLUSH web shell, which was not identified in prior reporting; and\r\nUnique components of the BUSHWALK web shell seen in our incident.\r\nOur next blog post is targeted for the week of May 12, 2024, and will include additional details on the adversary’s novel persistence techniques within our VMware infrastructure and provide tools for detection.\r\n1 Recap from Part One\r\nIn our previous blog post, we shared the experience of facing a sophisticated cyber intrusion that targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) through two Ivanti Connect Secure zero-day vulnerabilities that bypassed our multi-factor authentication. The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials.\r\nTable 1. Observed MITRE ATT\u0026CK® techniques shared in our initial blog\r\n2 Attack Scenario\r\nThe information described in this section represents adversary activities around which we have high confidence through our ongoing forensic investigation. 
As that investigation continues, we expect subsequent blog posts will share further detail.\r\nUPDATE: In addition to the description below, we have also included an Attack Flow for a visual representation of the attack scenario.\r\n2.1 December 31, 2023: First Evidence of Intrusion\r\nThe adversary deployed the ROOTROT web shell (as described by Mandiant) on an external-facing Ivanti appliance, gaining initial access to NERVE, a MITRE prototyping network. This early intrusion leveraged two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for unauthorized access before the initial disclosure of the vulnerabilities on January 10th and before patches were available. By leveraging this access point, the adversary infiltrated the NERVE network, circumventing multi-factor authentication, and established a foothold for subsequent activities. The subsequent hijacking of sessions and use of RDP over HTML5 capabilities allowed the adversary to establish connections to systems within the NERVE.\r\nInitial access is a crucial step in the cyber kill chain, allowing adversaries to infiltrate target networks. By exploiting zero-day vulnerabilities, adversaries can bypass security measures and gain early access, providing them with the opportunity to conduct discovery and lay the groundwork for further exploitation.\r\nTable 2. Notable MITRE ATT\u0026CK techniques\r\n2.2 January 4, 2024: Adversary profiles environment\r\nThe adversary profiled MITRE’s NERVE environment, interacting with vCenter from the compromised Ivanti appliance and establishing communication with multiple ESXi hosts. 
Subsequently, they successfully logged into several accounts within the NERVE via RDP, leveraging hijacked credentials to access user bookmarks and file shares to gain insights into the network architecture.\r\nPost-exploitation discovery is essential for adversaries to gather knowledge about the system, identify vulnerabilities, and plan subsequent actions. By profiling the environment and harvesting credentials, adversaries can understand the network’s layout and potential security weaknesses, enabling them to maximize the effectiveness of their attacks. This discovery activity, culminating in document exfiltration, aimed to map the network topology and identify high-value targets for future exploitation.\r\nTable 3. Notable MITRE ATT\u0026CK techniques\r\n2.3 January 5, 2024: VM Manipulation and Infrastructure Control\r\nThe adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE. They attempted to enable SSH, attempted to destroy one of their own VMs, POSTed to /ui/list/export and downloaded a file, demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.\r\nManipulating VMs and infrastructure allows adversaries to create backdoors, conceal their activities, and establish redundant communication channels. By cloning and destroying VMs, adversaries can evade detection and maintain access to critical systems.\r\nTable 4. Notable MITRE ATT\u0026CK techniques\r\n2.4 January 7, 2024: Exploitation and Payload Deployment\r\nThe adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell MITRE called BEEFLUSH. 
These actions established persistent access and allowed the adversary to execute arbitrary commands and communicate with command-and-control servers. The adversary utilized techniques such as SSH manipulation and execution of suspicious scripts to maintain control over the compromised systems.\r\nThe VMware default account vpxuser, using the vSphere management API via pyvmomi, made seven API calls that enumerated a list of mounted and unmounted drives. The adversary pivoted back to the admin account and created three new VMs, all conforming to the local naming convention, and successfully logged into them from an internal IP address. One of these VMs was deleted on the same day.\r\nBRICKSTORM was found in VMs at /mnt/cpt/tmpd and at /bin/httpd. Both copies were given local persistence mechanisms: /mnt/cpt/tmpd through both /etc/rc.local and /etc/init.d/urandom_seed, and /bin/httpd through /etc/init.d/urandom_seed only. BRICKSTORM communicated with the C2 domains listed in Appendix 1.\r\nBEEFLUSH, at /idm/..;/resources/css/defaultb.jsp, communicated with several internal IP addresses, making POST requests. While on the vCenter server, the adversary executed suspicious Python scripts and /bin/sh commands from the /tmp directory.\r\nExploiting VMs and deploying payloads allows adversaries to maintain persistent access, exfiltrate data, and execute commands remotely. By uploading backdoors and web shells, adversaries can establish covert communication channels and evade detection by blending in with legitimate network traffic.\r\nTable 5. 
Notable MITRE ATT\u0026CK techniques\r\n2.5 January 10, 2024: Vulnerability Disclosure and Response\r\nThe zero-day vulnerabilities were publicly disclosed via an Ivanti advisory.\r\nAs with many such public disclosures, this advisory prompted organizations to respond and patch affected systems. This event underscores the importance of timely vulnerability management and proactive security measures to mitigate the risk of exploitation by adversaries.\r\n2.6 January 11, 2024: Exfiltration Preparation and Web shell Deployment\r\nAccording to an analysis of system memory, the adversary used the Ivanti help website as a staging area for data exfiltration. They made requests to /dana-na/help/ on the Ivanti appliance, where a base64-encoded logo.gif file was an exact copy of a log file on the system, which the adversary exfiltrated.\r\nThe adversary uploaded a Python script, visits.py, containing the WIREFIRE (aka GIFTEDVISITOR) web shell to the Ivanti appliance, within the /home/venv3/lib/Python3.6/site-packages/cav-0.1-py3.6.egg archive file.\r\nThe deployment of web shells facilitates covert communication and data exfiltration, enabling the adversary to steal valuable information.\r\nTable 6. Notable MITRE ATT\u0026CK techniques\r\n2.7 January 12, 2024: New Published Advisories\r\nNew advisories were published by CISA and Mandiant.\r\n2.8 January 19, 2024: Exfiltration of Compromised Data\r\nThe adversary exfiltrated data from the NERVE using command-and-control infrastructure. An external IP address, 172.75.64[.]253, made network requests to the BUSHWALK web shell at /dana-na/jam/querymanifest.cgi.\r\nTable 7. 
Notable MITRE ATT\u0026CK techniques\r\n2.9 Mid-February through mid-March — Lateral Movement \u0026 File Access\r\nFrom February to mid-March, the adversary attempted lateral movement and maintained persistence within the NERVE. Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within vCenter.\r\nThe adversary executed a ping command against one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful.\r\nLateral movement and persistence enable adversaries to expand their foothold within target networks and escalate privileges to access critical resources. By persisting in their activities despite initial setbacks, adversaries can increase the likelihood of achieving their objectives over time.\r\n3 Malware Analysis\r\nFor the previously mentioned web shells, the MD5, SHA1, and SHA256 hashes and file sizes are provided below.\r\n3.1 ROOTROT Web shell\r\nGoogle-owned Mandiant stated, “ROOTROT Web shell is written in Perl and is embedded into a legitimate Connect Secure .ttc file.” It allowed the adversary to pass Base64-encoded commands via the web interface, which were parsed and executed with eval. This web shell on the Connect Secure appliance provided the reconnaissance and lateral movement components.\r\nTable 8. ROOTROT metadata\r\n3.2 WIREFIRE aka GIFTEDVISITOR\r\nWIREFIRE is a web shell written in Python that supports uploading files to the compromised device and executing arbitrary commands. During the intrusion, the adversary used WIREFIRE to look at the body of an HTTP request for the “GIF” delimiter, open the request body, execute the command, and write the result to a pipe for base64 encoding, AES encryption, and zlib compression with math magic and null padding.\r\nTable 9. 
WIREFIRE metadata\r\nFigure 1. WIREFIRE POST method\r\n3.3 BUSHWALK Web Shell\r\nBUSHWALK, also tied to UNC5221 according to Google-owned Mandiant, is written in Perl. This file offered the ability to read and write files on a server. Of note, the version observed in MITRE’s intrusion differs from the Mandiant report, with a different ValidateVersion subroutine and a new exportData subroutine.\r\nTable 10. BUSHWALK metadata\r\nFigure 2. BUSHWALK headers and getPlatform\r\nFigure 3. BUSHWALK main method of the web shell\r\nFigure 4. BUSHWALK reads files\r\nFigure 5. BUSHWALK HTTP Request, Staging\r\nFigure 6. BUSHWALK Version Validation\r\n3.4 BEEFLUSH Web shell\r\nBEEFLUSH is a JSP web shell that reads data from web traffic, specifically the Fushd parameter, using Java. 
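\r\nThe indicators named so far are usable as-is for triage. The Python below is an added example written for this page, not code from MITRE or from the post: it turns the web shell request paths from sections 2.4 and 2.8, the oversized logo.gif under /dana-na/help/ from section 2.6, the Fushd parameter BEEFLUSH reads, and the BRICKSTORM binary and init-script paths from section 2.4 into checks over an access log and a set of collected host files. The log lines, the file contents, the 100 KB size threshold and the choice of base64 for the Fushd value are all constructed or assumed for the example; the post does not state how BEEFLUSH decodes the parameter.

```python
import base64
import posixpath
import shlex
from urllib.parse import parse_qs, urlsplit

# Request paths the post attributes to the web shells (sections 2.4 and 2.8).
WEBSHELL_PATHS = {
    '/idm/..;/resources/css/defaultb.jsp': 'BEEFLUSH',
    '/dana-na/jam/querymanifest.cgi': 'BUSHWALK',
}
# Section 2.6: a base64 copy of a log file was served as logo.gif under the help directory.
STAGING_DIR = '/dana-na/help/'
STAGING_MIN_BYTES = 100_000        # assumed threshold, far larger than any real logo
# Section 2.4: where BRICKSTORM was found and the init scripts that relaunched it.
BRICKSTORM_BINARIES = ('/mnt/cpt/tmpd', '/bin/httpd')
PERSISTENCE_FILES = ('/etc/rc.local', '/etc/init.d/urandom_seed')

def normalize_path(path):
    '''Strip ;-path-parameters from each segment, then collapse '..' segments.
    Servlet containers do this before routing, so /idm/..;/resources/css/defaultb.jsp
    is served as /resources/css/defaultb.jsp while a prefix rule still sees /idm/.'''
    segments = [seg.split(';', 1)[0] for seg in path.split('/')]
    return posixpath.normpath('/'.join(segments))

def classify_request(line):
    '''Return (indicator, detail) pairs for one common-log-format access line.'''
    fields = shlex.split(line)      # the quoted request line becomes a single field
    if len(fields) < 8:
        return [('unparsed', line)]
    src, request, size = fields[0], fields[5], fields[7]
    method, target = request.split(' ')[:2]
    path = urlsplit(target).path
    nbytes = int(size) if size.isdigit() else 0
    findings = []
    if path in WEBSHELL_PATHS:
        findings.append((WEBSHELL_PATHS[path], f'{method} {path} from {src}'))
    if ';' in path or '..' in path.split('/'):
        findings.append(('path-normalization-bypass', f'{path} -> {normalize_path(path)}'))
    if path.startswith(STAGING_DIR) and path.endswith('.gif') and nbytes >= STAGING_MIN_BYTES:
        findings.append(('oversized-help-gif', f'{path} {nbytes} bytes'))
    return findings

def triage(log_text):
    '''Group findings for a whole log by indicator name.'''
    hits = {}
    for line in log_text.splitlines():
        if line.strip():
            for indicator, detail in classify_request(line):
                hits.setdefault(indicator, []).append(detail)
    return hits

def beeflush_command(request_body):
    '''Recover the command carried in the Fushd parameter of a BEEFLUSH POST body.
    The post says the value is decoded before reaching /bin/sh but not how; base64
    is assumed here (an assumption), and the raw value is returned if that fails.'''
    values = parse_qs(request_body).get('Fushd')
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode('utf-8', 'replace')
    except ValueError:
        return values[0]

def brickstorm_persistence(files):
    '''files maps path -> text collected from a vCenter host or image. Returns
    (where, binary) pairs: init scripts that reference a BRICKSTORM path the post
    names, plus any of those binaries present on disk (confirm by hash).'''
    hits = []
    for script in PERSISTENCE_FILES:
        text = files.get(script) or ''
        hits.extend((script, b) for b in BRICKSTORM_BINARIES if b in text)
    hits.extend(('on-disk', b) for b in BRICKSTORM_BINARIES if b in files)
    return hits

# Constructed sample data for this example; not taken from the incident.
SAMPLE_LOG = '''
10.0.0.5 - - [07/Jan/2024:03:14:07 +0000] "POST /idm/..;/resources/css/defaultb.jsp HTTP/1.1" 200 412
10.0.0.9 - - [04/Jan/2024:11:02:51 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 8814
172.75.64.253 - - [19/Jan/2024:08:41:23 +0000] "POST /dana-na/jam/querymanifest.cgi HTTP/1.1" 200 1934
10.0.0.5 - - [11/Jan/2024:16:20:31 +0000] "GET /dana-na/help/logo.gif HTTP/1.1" 200 2488321
'''
SAMPLE_FILES = {
    '/etc/rc.local': '''#!/bin/sh
/mnt/cpt/tmpd &
''',
    '/etc/init.d/urandom_seed': '''#!/bin/sh
/bin/httpd &
''',
    '/mnt/cpt/tmpd': '<ELF bytes>',
}

if __name__ == '__main__':
    for indicator, details in triage(SAMPLE_LOG).items():
        print(indicator, details)
    print(beeflush_command('Fushd=aWQ%3D'))
    print(brickstorm_persistence(SAMPLE_FILES))
```

Run it directly to print the findings for the constructed sample. The literal path and file checks only catch the exact artifacts this post names; the check that carries over is the one on ..; segments, which flags the prefix-bypass form of the BEEFLUSH path whatever the file name behind it, so a request whose raw path and container-normalized path differ is worth a look on its own.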
The shell decodes the Fushd value and appends it to a /bin/sh invocation whose standard output is redirected. Once the C2 command has executed, BEEFLUSH reads the resulting stream, base64-encodes it and writes it back out in the response.\r\nTable 11. BEEFLUSH metadata\r\nFigure 9. BEEFLUSH JSP file\r\n3.5 BRICKSTORM Backdoor\r\nBRICKSTORM is a Golang backdoor targeting VMware vCenter servers. It can set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. The backdoor communicates over WebSockets to a hard-coded C2. MITRE found two versions on our compromised network.\r\nTable 13. BRICKSTORM metadata 1\r\nTable 14. BRICKSTORM metadata 2\r\n4 Call to Action\r\nIn our first blog post, we listed a number of specific areas where we need to collectively make progress in order to defend against and deter determined nation-state threat actors:\r\nAdvance the National Cybersecurity Strategy and CISA’s Secure by Design philosophy to make software and hardware products more secure out of the box.\r\nOperationalize Software Bill of Materials to improve software supply chain integrity and the speed with which we can respond to upstream software vulnerabilities in products.\r\nBroadly deploy zero trust architectures with robust multi-factor authentication and micro-segmentation.\r\nExpand multi-factor authentication beyond simply two-factor systems to include continuous authentication and remote attestation of endpoints.\r\nBroaden industry adoption of adversary engagement as a routine tool not only for detecting compromise but also for deterring it.\r\nTo make progress on these activities, MITRE Engenuity’s Center for Threat-Informed Defense will 
convene a summer series of research roundtables with its members to discuss these topics and identify collaborative paths forward toward implementation and execution.\r\n5 About the Center for Threat-Informed Defense\r\nThe Center for Threat-Informed Defense is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT\u0026CK, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.\r\n© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0114.\r\nAppendix 1 — Indicators of Compromise\r\nTable 15. Indicators of Compromise\r\nSource: https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3"
	],
	"report_names": [
		"technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87960492f9cdf510cbb18cfe0b512f3a4ef6d4f6.pdf",
		"text": "https://archive.orkl.eu/87960492f9cdf510cbb18cfe0b512f3a4ef6d4f6.txt",
		"img": "https://archive.orkl.eu/87960492f9cdf510cbb18cfe0b512f3a4ef6d4f6.jpg"
	}
}