MITRE Exposes Chinese Hackers’ Employment of ROOTROT Webshell in Network Breach



The MITRE Corporation, a non-profit organization managing research and development centers for the U.S. government, has revealed a recent infiltration by sophisticated nation-state hackers into one of its internal research and development networks.

The breach, attributed by outside researchers to a Chinese threat actor group tracked as UNC5221, used two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances for initial access. As outlined in MITRE’s technical analysis of the incident, the attackers began with reconnaissance to identify vulnerable Ivanti appliances exposed by MITRE.

They then chained CVE-2023-46805 and CVE-2024-21887, an authentication bypass and a command injection flaw that together allow unauthenticated command execution on the appliance, to break into MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) network.

From that foothold, the attackers moved laterally into the VMware infrastructure and compromised at least one administrator account. They then deployed webshells and backdoors to maintain persistent access and exfiltrated an undisclosed volume of data from the network.
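The attack chain above starts with a path-traversal authentication bypass followed by command injection through the appliance’s web interface, which leaves traces in HTTP access logs. The following is an added triage example, not code from the article or from MITRE: it scans Common Log Format lines for traversal segments and shell metacharacters in the request target, decoding the URL twice because double-encoding is a common filter-evasion trick. The log lines are constructed for illustration, and the endpoint names in them are placeholders; the script deliberately does not encode the actual Ivanti request paths, which this article does not give, and relies only on generic indicators that would also catch them.

```python
"""Heuristic access-log triage for traversal-based auth bypass and command
injection attempts against a web-managed appliance.

Added example (not from the article or from MITRE). Sample log lines are
constructed; endpoint paths are placeholders, not real Ivanti endpoints.
"""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines. 10.0.0.5 is benign traffic; 10.0.0.9
# and 10.0.0.12 show traversal and shell metacharacters in request targets.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /api/v1/public/help/../../admin/config HTTP/1.1" 200 310
10.0.0.9 - - [10/Jan/2024:10:00:09 +0000] "GET /api/v1/public/help/..%2F..%2Fadmin/status;id; HTTP/1.1" 200 412
10.0.0.12 - - [10/Jan/2024:10:01:00 +0000] "GET /api/v1/admin/status?name=%2524%2528id%2529 HTTP/1.1" 200 88
10.0.0.12 - - [10/Jan/2024:10:01:03 +0000] "POST /api/v1/admin/config HTTP/1.1" 401 0
"""

# Common Log Format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A "/../" segment (or leading/trailing "..") after decoding is traversal.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Characters that separate or substitute commands in a POSIX shell. A "$"
# alone also covers "$(cmd)" substitution.
SHELL_META_RE = re.compile(r'[;|`$]')


def normalize_target(raw):
    """URL-decode twice so that %252F (double-encoded '/') is seen as '/'."""
    return unquote(unquote(raw))


def classify(target):
    """Return the list of indicator names found in one request target."""
    t = normalize_target(target)
    findings = []
    if TRAVERSAL_RE.search(t):
        findings.append("path-traversal")
    if SHELL_META_RE.search(t):
        findings.append("shell-metachar")
    return findings


def triage(log_text):
    """Parse CLF lines and return one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        findings = classify(m["target"])
        if findings:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": normalize_target(m["target"]),
                "status": m["status"],
                "findings": findings,
            })
    return hits


def attacker_ips(hits):
    """Source addresses to pivot on in the rest of the telemetry."""
    return {h["ip"] for h in hits}


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        # A 2xx on a traversal/injection request is the signal that the
        # bypass worked; a 4xx means the appliance rejected it.
        print(h["ip"], h["status"], h["target"], h["findings"])
    print("pivot on:", sorted(attacker_ips(triage(SAMPLE_LOG))))
```

The HTTP status is the important field: a traversal request that should have required authentication but returned 200 is evidence the bypass succeeded, not merely that it was attempted. Expect some false positives from legitimate query strings that contain `;` or `$`; the point of the script is to shortlist source addresses to pivot on in VPN, hypervisor and account-activity logs, which is where the lateral movement described above would show up.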

Upon detection of the breach, MITRE’s cybersecurity team swiftly enacted incident response procedures to mitigate the attack.

MITRE stated that NERVE, which is used for unclassified research and prototyping, is segmented from its core enterprise network and its public-facing networks, and that both of those remain unaffected and operational.

MITRE itself did not name the suspected Chinese group, but security firms such as Mandiant have observed UNC5221 and other China-nexus actors exploiting the same Ivanti zero-days in recent months, often with similar post-compromise tactics for lateral movement and data theft.

Experts warn that, despite its limited scope, the breach underscores the ongoing risk to organizations involved in national security and advanced technology research.

“No organization, no matter how dedicated to top-tier cybersecurity, is impervious to such cyber assaults,” emphasized Jason Providakes, president and CEO of MITRE.

The incident is a clear reminder of the persistent threat posed by nation-state attackers and of the importance of robust cybersecurity measures, even for the most security-focused organizations.


By FirstHackersNews | May 7th, 2024 | BOTNET, Compromised, malicious cyber actors, Tips, vulnerability
