MITRE hacked through Ivanti zero-days

April 21, 2024

TLDR:

State-backed hackers breached MITRE’s network by exploiting Ivanti zero-days in January 2024. The incident compromised an unclassified network used for research but did not affect the core enterprise network. The threat actors used sophisticated techniques to bypass multi-factor authentication and maintain access to systems. Mandiant linked the attacks to an APT group, while Volexity reported that Chinese state-sponsored hackers were involved.

Full Article:

The MITRE Corporation disclosed a state-backed hacking incident in January 2024 where threat actors breached their systems by exploiting two zero-day vulnerabilities in Ivanti VPN software. The attack targeted the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development purposes.

The cyber attack allowed hackers to compromise one of MITRE’s Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days, enabling them to bypass multi-factor authentication defenses. They used session hijacking to move laterally through the network’s VMware infrastructure with a hijacked administrator account.

The hackers deployed sophisticated webshells and backdoors to maintain access to compromised systems and harvest credentials for espionage purposes. The incident involved two exploited vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), which together led to the deployment of multiple malware families.

Mandiant identified the attacks as part of an advanced persistent threat (APT) tracked as UNC5221, while Volexity reported evidence of Chinese state-sponsored threat actors exploiting the same zero-days. The Chinese hackers backdoored over 2,100 Ivanti appliances, targeting victims ranging from small businesses to Fortune 500 companies across various industries.

Due to the widespread exploitation of the Ivanti zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to mitigate the vulnerabilities immediately. MITRE has since notified affected parties, contacted relevant authorities, and is working on restoring operational alternatives.
